diff options
| author | Luca Deri <deri@ntop.org> | 2020-05-10 21:55:35 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2020-05-10 21:55:35 +0200 |
| commit | ee15c6149db30b64c63a9009a3c4ef24280495a6 (patch) | |
| tree | a27b344555ac7fabb208cdc02c2d64842d71fc2c /src | |
| parent | ae803c8b51dec9e31e99cb37cd64bd968b314669 (diff) | |
Added TLS weak cipher and obsolete protocol version detection
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 8 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 8 |
3 files changed, 15 insertions, 3 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 4751c37ac..54e08ea11 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -58,6 +58,8 @@ typedef enum { NDPI_BINARY_APPLICATION_TRANSFER, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NDPI_TLS_SELFSIGNED_CERTIFICATE, + NDPI_TLS_OBSOLETE_VERSION, + NDPI_TLS_WEAK_CIPHER, /* Leave this as last member */ NDPI_MAX_RISK diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 2fa21e220..bcdcbb9c6 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1425,7 +1425,13 @@ const char* ndpi_risk2str(ndpi_risk risk) { case NDPI_TLS_SELFSIGNED_CERTIFICATE: return("Self-signed Certificate"); - + + case NDPI_TLS_OBSOLETE_VERSION: + return("Obsolete TLS version (< 1.1)"); + + case NDPI_TLS_WEAK_CIPHER: + return("Weak TLS cipher"); + default: return(""); } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 655d61ed6..3de9bbb83 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -839,7 +839,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; - + if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ + NDPI_SET_BIT_16(flow->risk, NDPI_TLS_OBSOLETE_VERSION); + if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -862,7 +864,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) + NDPI_SET_BIT_16(flow->risk, NDPI_TLS_WEAK_CIPHER); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS |