author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-06 10:20:07 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-06 10:20:07 +0200 |
commit | e31ef00715581c56d429d7a0ea849db74a1fa956 (patch) | |
tree | 7814fcd9d38cb304e904029f76aca9f3e10cd4aa /src | |
parent | 266af0275241b96346372bbae936cd3dd1a35159 (diff) |
TLS: avoid setting `NDPI_TLS_SELFSIGNED_CERTIFICATE` for webrtc traffic (#2417)
See RFC8122: it is quite likely that STUN/DTLS/SRTP flows use
self-signed certificates
Follow-up of b287d6ec8
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 12 |
2 files changed, 8 insertions, 6 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 0f01a4a87..aa59c5081 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1336,7 +1336,7 @@ struct ndpi_flow_struct {
     char ja3_client[33], ja3_server[33], ja4_client[37];
     u_int16_t server_cipher;
     u_int8_t sha1_certificate_fingerprint[20];
-    u_int8_t hello_processed:1, ch_direction:1, subprotocol_detected:1, fingerprint_set:1, _pad:4;
+    u_int8_t hello_processed:1, ch_direction:1, subprotocol_detected:1, fingerprint_set:1, webrtc:1, _pad:3;
 
 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
     /* Under #ifdef to save memory for those who do not need them */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 975d7a8c6..0a3dda4ec 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -755,7 +755,8 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
     if(ndpi_check_issuerdn_risk_exception(ndpi_struct, flow->protos.tls_quic.issuerDN))
       return; /* This is a trusted DN */
 
-    ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
+    if(!flow->protos.tls_quic.webrtc)
+      ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
   }
 
 #if DEBUG_TLS
@@ -1795,7 +1796,6 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
   u_int8_t handshake_type;
   bool is_quic = (quic_version != 0);
   bool is_dtls = packet->udp && (!is_quic);
-  bool use_srtp = 0;
 
 #ifdef DEBUG_TLS
   printf("TLS %s() called\n", __FUNCTION__);
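Review bot: The new `webrtc` bit added to the bitfield line of struct ndpi_flow_struct is undocumented, although its value now silences three risk checks in tls.c (self-signed certificate, no ALPN, missing SNI). A short trailing comment on that line would tell a reader what sets it and why it matters, e.g. `webrtc:1, /* use_srtp extension seen on a DTLS flow; exempts the flow from the self-signed/ALPN/SNI risks */`. The struct definition starts and ends outside the hunk.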
@@ -2539,7 +2539,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
             printf("Client TLS [SIGNATURE_ALGORITHMS: %s]\n", ja.client.signature_algorithms_str);
 #endif
           } else if(extension_id == 14 /* use_srtp */) {
-            use_srtp = 1;
+            /* This is likely a werbrtc flow */
+            if(flow->stun.maybe_dtls || flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DTLS)
+              flow->protos.tls_quic.webrtc = 1;
 #ifdef DEBUG_TLS
             printf("Client TLS: use_srtp\n");
 #endif
@@ -2867,7 +2869,7 @@ compute_ja3c:
 
     /* Before returning to the caller we need to make a final check */
     if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
-       && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */
+       && !flow->protos.tls_quic.webrtc
        && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) {
       ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN");
     }
@@ -2882,7 +2884,7 @@ compute_ja3c:
     /* Add check for missing SNI */
     if(flow->host_server_name[0] == '\0'
        && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
-       && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */
+       && !flow->protos.tls_quic.webrtc
        && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
        ) {
       /* This is a bit suspicious */
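Review bot: The comment added on the use_srtp branch misspells the protocol; it should read `/* This is likely a webrtc flow */`. On substance, `flow->protos.tls_quic.webrtc` is set from an extension that the client alone chooses to advertise, and it now exempts the flow from the self-signed-certificate risk in processCertificateElements as well as from the no-ALPN and missing-SNI checks in the two hunks below, so a DTLS flow that never actually negotiates SRTP receives the same exemption as a real WebRTC session. RFC 5764 §4.1.2 has the server echo use_srtp in its ServerHello only when it accepts SRTP; if this extension loop also runs over ServerHello extensions (the loop starts and ends outside the hunk, so I cannot tell), setting the bit on the server's echo would tie the exemption to a negotiated session rather than to a client-advertised one. Either way, a one-line comment stating that the exemption rests on a client-advertised extension would help the next reader.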