Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_analyze.c2
-rw-r--r--src/lib/ndpi_main.c5
-rw-r--r--src/lib/protocols/ciscovpn.c23
-rw-r--r--src/lib/protocols/tls.c14
5 files changed, 25 insertions, 20 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1a53a93c6..0c22a02fb 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1032,6 +1032,7 @@ struct ndpi_detection_module_struct {
u_int32_t current_ts;
u_int32_t ticks_per_second;
u_int16_t num_tls_blocks_to_follow;
+ u_int8_t skip_tls_blocks_until_change_cipher:1, _notused:7;
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
void *user_data;
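Review bot: The new bit-field `skip_tls_blocks_until_change_cipher` is added without a comment saying who sets it and what it changes, which matters because it silently alters the TLS block-counting path in tls.c; I would put `/* Set by ndpi_pref_enable_tls_block_dissection: reset the TLS block counter at Change Cipher Spec so only post-handshake Application Data is followed */` above it. The padding member `_notused` carries a leading underscore; a name such as `unused_bits` avoids the implementation-reserved look and matches the snake_case of the neighbouring fields. If this struct is part of the installed ABI, inserting a byte here also shifts every following member, so dependants would need a rebuild; the hunk does not show whether callers treat the struct as opaque. The struct definition continues outside the hunk.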
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index 37e31474f..ddc782fbe 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -468,6 +468,7 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
b->u.bins8[i] = (b->u.bins8[i]*100) / tot;
}
break;
+
case ndpi_bin_family16:
for(i=0; i<b->num_bins; i++) tot += b->u.bins16[i];
@@ -476,6 +477,7 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
b->u.bins16[i] = (b->u.bins16[i]*100) / tot;
}
break;
+
case ndpi_bin_family32:
for(i=0; i<b->num_bins; i++) tot += b->u.bins32[i];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9de47e471..65f1db852 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -603,10 +603,11 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
case ndpi_pref_enable_tls_block_dissection:
/*
- If this option is enabled only the TLS Application data blocks past the
- certificate negotiation are considered
+ If this option is enabled only the TLS Application data blocks past the
+ certificate negotiation are considered
*/
ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
+ ndpi_str->skip_tls_blocks_until_change_cipher = 1;
break;
default:
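Review bot: `skip_tls_blocks_until_change_cipher` is only ever set to 1 here and, as far as the hunk shows, never cleared, so the preference is one-way: once enabled it cannot be switched off again through this function, and the same holds for `num_tls_blocks_to_follow` on the line above. If the function takes a value argument (its signature is cut off in the hunk header), gating both assignments on it, e.g. `ndpi_str->skip_tls_blocks_until_change_cipher = (value != 0);` where `value` stands for that argument, with a matching reset of `num_tls_blocks_to_follow`, would make the preference symmetric. The new flag also relies on the detection module being zero-initialised at creation, which this hunk cannot confirm. The enclosing switch starts and ends outside the hunk.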
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index c97ab25db..b503f1184 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -57,7 +57,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
if((tdport == 10000 && tsport == 10000) ||
((tsport == 443 || tdport == 443) &&
(packet->payload_packet_len >= 4) &&
- (packet->payload[0] == 0x17 &&
+ (packet->payload[0] == 0x17 /* TLS Application Data */ &&
packet->payload[1] == 0x01 &&
packet->payload[2] == 0x00 &&
packet->payload[3] == 0x00)
@@ -68,28 +68,27 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
return;
}
+#if 0
+ /* Code disabled as it is too generic and it can lead to false positives */
else if(((tsport == 443 || tdport == 443) ||
(tsport == 80 || tdport == 80)) &&
(packet->payload_packet_len >= 5) &&
- ((packet->payload[0] == 0x17 &&
- packet->payload[1] == 0x03 &&
- packet->payload[2] == 0x03 &&
- packet->payload[3] == 0x00 &&
- packet->payload[4] == 0x3A)))
+ ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+ packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+ packet->payload[3] == 0x00 && packet->payload[4] == 0x3A /* Length */)))
{
/* TLS signature of Cisco AnyConnect 0X170303003A */
NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
return;
}
+#endif
else if(((tsport == 8009 || tdport == 8009) ||
(tsport == 8008 || tdport == 8008)) &&
(packet->payload_packet_len >= 5) &&
- ((packet->payload[0] == 0x17 &&
- packet->payload[1] == 0x03 &&
- packet->payload[2] == 0x03 &&
- packet->payload[3] == 0x00 &&
- packet->payload[4] == 0x69)))
+ ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+ packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+ packet->payload[3] == 0x00 && packet->payload[4] == 0x69 /* Length */)))
{
/* TCP signature of Cisco AnyConnect 0X1703030069 */
NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
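Review bot: The region disabled with `#if 0`/`#endif` (the 443/80 check on a bare 0x17 0x03 0x03 0x00 0x3A record header) is dead code left in the source; deleting it outright is cleaner, since git keeps the history and the `#if 0` block sits in the middle of an if/else-if chain where a later edit can easily re-enable it by accident. The remaining 8008/8009 branch is the same kind of match, a record header plus a fixed length, differing only in port and the 0x69 length, so the false-positive concern stated in the disabled block's comment applies there as well, if less strongly given the less common ports; I would record that in its comment, e.g. `/* Header-only match; kept because 8008/8009 are uncommon enough to limit false positives */`. ndpi_search_ciscovpn continues outside the hunk.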
@@ -116,7 +115,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
(usport == 443 || udport == 443)
&&
(packet->payload_packet_len >= 5) &&
- (packet->payload[0] == 0x17 &&
+ (packet->payload[0] == 0x17 /* TLS Application Data */ &&
packet->payload[1] == 0x01 &&
packet->payload[2] == 0x00 &&
packet->payload[3] == 0x00 &&
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 192625c5c..7f9e8d5c0 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -712,12 +712,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
if(content_type == 0x14 /* Change Cipher Spec */) {
- /*
- Ignore Application Data up until change cipher
- so in this case we reset the number of observed
- TLS blocks
- */
- flow->l4.tcp.tls.num_tls_blocks = 0;
+ if(ndpi_struct->skip_tls_blocks_until_change_cipher) {
+ /*
+ Ignore Application Data up until change cipher
+ so in this case we reset the number of observed
+ TLS blocks
+ */
+ flow->l4.tcp.tls.num_tls_blocks = 0;
+ }
}
if((len > 9)
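Review bot: The comment inside the new `if(ndpi_struct->skip_tls_blocks_until_change_cipher)` still describes the reset as unconditional, while the change makes it opt-in and leaves the default path without the reset at Change Cipher Spec; I would reword it to `/* When TLS block dissection is enabled, restart the block counter at Change Cipher Spec so only post-handshake Application Data records are followed; otherwise the counter is left untouched here */`. Whether the default path counts handshake records at all depends on how `num_tls_blocks_to_follow` gates the counting elsewhere, which the hunk does not show. A Change Cipher Spec record is sent by each side of the connection, so the reset can fire twice; that predates this change but deserves a sentence in the comment. ndpi_search_tls_tcp starts and ends outside the hunk.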