Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r-- | src/lib/protocols/http.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index bf26467da..57f71e2fe 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -148,7 +148,19 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_ #endif if(flow->extra_packets_func == NULL) { - return(0); /* We're good now */ + /* HTTP stuff completed */ + + /* Loook for TLS over websocket */ + if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP) && /* Feature enabled */ + (flow->host_server_name[0] != '\0' && + flow->http.response_status_code != 0) && /* Bidirectional HTTP traffic */ + flow->http.websocket) { + + switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); + return(1); + } + + return(0); /* We are good now */ } /* Possibly more processing */ @@ -954,6 +966,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } + if(packet->upgrade_line.ptr != NULL) { + if(flow->http.response_status_code == 101 && + memcmp((char *)packet->upgrade_line.ptr, "websocket", 9) == 0) + flow->http.websocket = 1; + } + if(packet->server_line.ptr != NULL) { if(flow->http.server == NULL) { len = packet->server_line.len + 1; @@ -1577,7 +1595,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc ndpi_check_http_tcp(ndpi_struct, flow); if((ndpi_struct->cfg.http_parse_response_enabled && - flow->host_server_name[0] != '\0'&& + flow->host_server_name[0] != '\0' && flow->http.response_status_code != 0) || (!ndpi_struct->cfg.http_parse_response_enabled && (flow->host_server_name[0] != '\0' || |
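Review bot: In the new `extra_packets_func == NULL` branch the comment `/* Loook for TLS over websocket */` is misspelled and does not explain the gate; something like `/* HTTP done: after a completed WebSocket upgrade, keep dissecting to look for TLS carried inside it */` would read better. Judging from the second hunk of this commit, `flow->http.websocket` is only set when the status code is 101, so the `flow->http.response_status_code != 0` test looks redundant here unless the flag is also set elsewhere. The branch returns 1 on the assumption that `switch_extra_dissection_to_tls_obfuscated_heur()` installs a new `extra_packets_func`; that function is not visible here, so it is worth confirming it can never leave the pointer NULL. The body of `ndpi_search_http_tcp_again` starts and ends outside the hunk.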
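Review bot: The added `memcmp((char *)packet->upgrade_line.ptr, "websocket", 9)` compares 9 bytes without checking the header value's length, so a shorter Upgrade value is read past its end and, if the header is the last thing in the payload, possibly past the packet data. Guard it with the length field, which is already used for `server_line` just below: `packet->upgrade_line.len >= 9 &&` ahead of the `memcmp`. The comparison is also case-sensitive, while RFC 6455 requires only an ASCII case-insensitive match for `websocket`, so a server answering `WebSocket` would never set `flow->http.websocket` and the obfuscated-TLS heuristic would be skipped for that flow; a case-insensitive compare closes that detection gap. The enclosing function `check_content_type_and_change_protocol` starts and ends outside the hunk.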