From ee15c6149db30b64c63a9009a3c4ef24280495a6 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 10 May 2020 21:55:35 +0200 Subject: Added TLS weak cipher and obsolete protocol version detection --- src/lib/protocols/tls.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'src/lib/protocols/tls.c') diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 655d61ed6..3de9bbb83 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -839,7 +839,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; - + if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ + NDPI_SET_BIT_16(flow->risk, NDPI_TLS_OBSOLETE_VERSION); + if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -862,7 +864,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) + NDPI_SET_BIT_16(flow->risk, NDPI_TLS_WEAK_CIPHER); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS -- cgit v1.2.3