5 files changed, 18 insertions, 2 deletions

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index c9b2d0ee2..007931e19 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -818,14 +818,14 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
 /* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
 
 #define JA3_STR_LEN 1024
-#define MAX_NUM_JA3  128
+#define MAX_NUM_JA3  512
 
 struct ja3_info {
   u_int16_t tls_handshake_version;
   u_int16_t num_cipher, cipher[MAX_NUM_JA3];
   u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
   u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
-  u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
+  u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
 };
 
 /* **************************************** */
diff --git a/tests/pcap/ja3_lots_of_cipher_suites.pcap b/tests/pcap/ja3_lots_of_cipher_suites.pcap
new file mode 100644
index 000000000..86fc74712
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites.pcap
diff --git a/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
new file mode 100644
index 000000000..7286f3a73
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
diff --git a/tests/result/ja3_lots_of_cipher_suites.pcap.out b/tests/result/ja3_lots_of_cipher_suites.pcap.out
new file mode 100644
index 000000000..46d0c9b8b
--- /dev/null
+++ b/tests/result/ja3_lots_of_cipher_suites.pcap.out
@@ -0,0 +1,8 @@
+TLS	11	5132	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.206.131.18            	 1      
+
+
+	1	TCP 10.206.131.18:58657 <-> 10.206.65.249:443 [VLAN: 258][proto: 91/TLS][cat: Web/5][5 pkts/1144 bytes <-> 6 pkts/3988 bytes][Goodput ratio: 70/90][0.22 sec][bytes ratio: -0.554 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 64/39 164/136 72/50][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 229/665 866/1522 319/650][Risk: ** TLS Certificate Mismatch **][TLSv1.2][JA3C: 0463681bfef175d3d61ec414c65e482c][JA3S: 9d456958a9e86bb0d503543beaf1a65b][Issuer: C=US, ST=New York, L=Rochester, O=Xerox Corporation, OU=Generic Root Certificate Authority, CN=Xerox Generic Root Certificate Authority][Subject: C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF, C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF][Certificate SHA-1: 3B:2B:5E:58:6E:3E:30:1F:52:BF:9B:81:20:47:DE:10:A0:67:8E:FA][Validity: 2018-11-29 18:57:22 - 2023-11-29 18:57:22][Cipher: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA]
diff --git a/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
new file mode 100644
index 000000000..3f789f4cd
--- /dev/null
+++ b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
@@ -0,0 +1,8 @@
+TLS	27	6966	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.147.177          	 1      
+
+
+	1	TCP 192.168.147.177:58496 <-> 151.121.193.160:443 [proto: GTP:91/TLS][cat: Web/5][13 pkts/3520 bytes <-> 14 pkts/3446 bytes][Goodput ratio: 60/59][5.96 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 479/256 1619/1072 582/419][Pkt Len c2s/s2c min/avg/max/stddev: 106/90 271/246 1202/1490 315/354][Risk: ** Self-signed Certificate **** Weak TLS cipher **][TLSv1.2][Client: 192.69.136.179][JA3C: 50221ef5bde0fcee8864bbcea5211d51][JA3S: 7c02dbae662670040c7af9bd15fb7e2f (WEAK)][Issuer: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Subject: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Certificate SHA-1: 91:0C:1D:82:6B:28:01:8F:55:03:28:5B:90:A9:18:B9:ED:72:01:37][Validity: 2016-12-21 19:19:24 - 2019-09-16 19:19:24][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384]