8 files changed, 41 insertions, 8 deletions

diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst
index 417426e48..52e19212c 100644
--- a/doc/flow_risks.rst
+++ b/doc/flow_risks.rst
@@ -246,4 +246,10 @@ Additionally, some TLS protocol fields are checked for printable characters as w
 
 NDPI_POSSIBLE_EXPLOIT
 =====================
-The risk is set whenever a a possible exploit (e.g. Log4J/Log4Shell) is detected.
+The risk is set whenever a possible exploit (e.g. Log4J/Log4Shell) is detected.
+
+.. _Risk 041:
+
+NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE
+===================================
+The risk is set whenever a TLS certificate is close to the expiration date.
diff --git a/python/ndpi.py b/python/ndpi.py
index 65821a341..8b90c912e 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -332,6 +332,7 @@ typedef enum {
   NDPI_DNS_FRAGMENTED,
   NDPI_INVALID_CHARACTERS,
   NDPI_POSSIBLE_EXPLOIT,
+  NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE,
 
   /* Leave this as last member */
   NDPI_MAX_RISK
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 271b73194..e0b813597 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -964,6 +964,18 @@ extern "C" {
 				    ndpi_protocol_category_t *category,
 				    ndpi_protocol_breed_t *breed);
 
+  /**
+   * Specifies the threshold used to trigger the NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE
+   * flow risk that by default is set to 30 days
+   *
+   * @par    ndpi_struct  = the struct created for the protocol detection
+   * @par    days         = the number of days threshold for emitting the alert
+   *                        
+   */
+  void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
+				     u_int8_t days);
+
+  
   /* Utility functions to set ndpi malloc/free/print wrappers */
   void set_ndpi_malloc(void* (*__ndpi_malloc)(size_t size));
   void set_ndpi_free(void  (*__ndpi_free)(void *ptr));
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 17924b241..bdbc622d5 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -61,7 +61,6 @@ typedef enum {
   - nDPI/wireshark/ndpi.lua
   - ndpi_risk2str (in ndpi_utils.c)
   - doc/flow_risks.rst
-  - https://github.com/ntop/ntopng/blob/dev/scripts/lua/modules/flow_risk_utils.lua
   - ndpi_risk_enum (in python/ndpi.py)
   - ndpi_known_risks (ndpi_main.c)
 
@@ -116,7 +115,8 @@ typedef enum {
   NDPI_DNS_FRAGMENTED,
   NDPI_INVALID_CHARACTERS,
   NDPI_POSSIBLE_EXPLOIT, /* Log4J and other exploits */
-  
+  NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE,
+
   /* Leave this as last member */
   NDPI_MAX_RISK /* must be <= 63 due to (**) */
 } ndpi_risk_enum;
@@ -1029,7 +1029,8 @@ struct ndpi_detection_module_struct {
   u_int32_t ticks_per_second;
   u_int16_t num_tls_blocks_to_follow;
   u_int8_t skip_tls_blocks_until_change_cipher:1, enable_ja3_plus:1, _notused:6;
-
+  u_int8_t tls_certificate_expire_in_x_days;
+  
 #ifdef NDPI_ENABLE_DEBUG_MESSAGES
   void *user_data;
 #endif
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 2e528b6a4..e4106d58d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -109,6 +109,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_DNS_FRAGMENTED,                        NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
   { NDPI_INVALID_CHARACTERS,                    NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE },
   { NDPI_POSSIBLE_EXPLOIT,                      NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
+  { NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE,       NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE  },
 
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE }
@@ -2398,7 +2399,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
   ndpi_str->tcp_max_retransmission_window_size = NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE;
   ndpi_str->directconnect_connection_ip_tick_timeout =
     NDPI_DIRECTCONNECT_CONNECTION_IP_TICK_TIMEOUT * ndpi_str->ticks_per_second;
-
+  ndpi_str->tls_certificate_expire_in_x_days = 30; /* NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk */
   ndpi_str->irc_timeout = NDPI_IRC_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second;
   ndpi_str->gnutella_timeout = NDPI_GNUTELLA_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second;
   ndpi_str->jabber_stun_timeout = NDPI_JABBER_STUN_TIMEOUT * ndpi_str->ticks_per_second;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 1cc666f2c..4b1bd496c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1837,6 +1837,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
     return("Possible exploit detected");
     break;
     
+  case NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE:
+    return("TLS certificate about to expire");
+    break;
+    
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
@@ -2305,7 +2309,6 @@ u_int8_t ndpi_is_valid_protoId(u_int16_t protoId) {
 
 u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
 				 ndpi_protocol proto) {
-
   if(proto.master_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_is_valid_protoId(proto.app_protocol)) {
     return(!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto);
   } else if(ndpi_is_valid_protoId(proto.master_protocol) && ndpi_is_valid_protoId(proto.app_protocol)) {
@@ -2319,3 +2322,9 @@ u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
     return(0);
 }
 
+/* ******************************************* */
+
+void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
+				   u_int8_t num_days) {
+  ndpi_str->tls_certificate_expire_in_x_days = num_days;
+}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0f12194f0..96ee3e6a2 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -471,9 +471,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 	      if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD)
 		ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months */
 
-	    if((time_sec < flow->protos.tls_quic.notBefore)
-	       || (time_sec > flow->protos.tls_quic.notAfter))
+	    if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter))
 	      ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+	    else if((time_sec > flow->protos.tls_quic.notBefore)
+		    && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->tls_certificate_expire_in_x_days * 86400))))
+	      ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE); /* Certificate almost expired */
 	  }
 	}
       }
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 28e4fce8e..d7cebb969 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -79,6 +79,7 @@ flow_risks[37] = ProtoField.bool("ndpi.flow_risk.dns_large_packet", "DNS large p
 flow_risks[38] = ProtoField.bool("ndpi.flow_risk.dns_fragmented", "DNS fragmented", num_bits_flow_risks, nil, bit(6), "nDPI Flow Risk: DNS message is fragmented")
 flow_risks[39] = ProtoField.bool("ndpi.flow_risk.invalid_characters", "Invalid characters", num_bits_flow_risks, nil, bit(7), "nDPI Flow Risk: Text contains non-printable characters")
 flow_risks[40] = ProtoField.bool("ndpi.flow_risk.possible_exploit", "Possible Exploit", num_bits_flow_risks, nil, bit(8), "nDPI Flow Risk: Possible exploit detected")
+flow_risks[41] = ProtoField.bool("ndpi.flow_risk.cert_about_to_expire", "TLS cert about to expire", num_bits_flow_risks, nil, bit(9), "nDPI Flow Risk: TLS certificate about to expire")
 
 -- Last one: keep in sync the bitmask when adding new risks!!
 flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(8))