From b287d6ec855defe8669449df7e9322c8860b9eab Mon Sep 17 00:00:00 2001
From: Nardi Ivan
Date: Tue, 20 Feb 2024 19:54:01 +0100
Subject: TLS: avoid setting some flow risks for webrtc traffic

Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP traffic
---
 src/lib/protocols/tls.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index be9859de0..65037cfb8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1759,6 +1759,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
   u_int8_t handshake_type;
   bool is_quic = (quic_version != 0);
   bool is_dtls = packet->udp && (!is_quic);
+  bool use_srtp = 0;
 
 #ifdef DEBUG_TLS
   printf("TLS %s() called\n", __FUNCTION__);
@@ -2500,6 +2501,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 
 #ifdef DEBUG_TLS
 	  printf("Client TLS [SIGNATURE_ALGORITHMS: %s]\n", ja.client.signature_algorithms_str);
+#endif
+	} else if(extension_id == 14 /* use_srtp */) {
+	  use_srtp = 1;
+#ifdef DEBUG_TLS
+	  printf("Client TLS: use_srtp\n");
 #endif
 	} else if(extension_id == 16 /* application_layer_protocol_negotiation */ &&
 		  offset+extension_offset+1 < total_len) {
@@ -2826,6 +2832,7 @@ compute_ja3c:
 
   /* Before returning to the caller we need to make a final check */
   if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
+     && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */
      && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) {
     ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN");
   }
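Review bot: `bool use_srtp = 0;` initialises a `bool` with an integer literal while the two declarations directly above it (`is_quic`, `is_dtls`) initialise their `bool`s from boolean expressions; `bool use_srtp = false;` keeps type and initialiser consistent, and `false` is necessarily in scope wherever `bool` is. A one-line comment would also help, since the flag is only given meaning far below: `/* Client Hello carried the use_srtp extension (DTLS-SRTP / WebRTC) */`. processClientServerHello's signature and body continue outside this hunk.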
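Review bot: The `extension_id == 14` branch treats the mere presence of the use_srtp extension as evidence of SRTP and sets `use_srtp` without looking at the extension body, yet this flag later disables two risk checks, so any DTLS client can clear those risks by appending an empty use_srtp extension to its ClientHello. RFC 5764 requires the extension to carry at least one SRTP protection profile, so gating the assignment on the extension's parsed length being non-zero (the length variable for this loop is outside the hunk) would make the flag harder to satisfy with a trivially forged extension; the exact check depends on how the loop exposes that length, so this is a suggestion to confirm rather than a drop-in line. Separately, `use_srtp = 1;` on a `bool` should read `use_srtp = true;` to match the type. The extension-parsing loop and processClientServerHello both start and end outside this hunk.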
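Review bot: The new `&& !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp)` term is repeated verbatim in the missing-SNI check in the following hunk, so the WebRTC heuristic now lives in two conditions that must be kept in sync by hand; computing it once ahead of these final checks, e.g. `bool is_webrtc = (flow->stun.maybe_dtls == 1 && is_dtls && use_srtp);`, and writing `&& !is_webrtc` in both conditions removes the duplication. The inline `/* Webrtc traffic */` comment also understates what the exemption rests on: `use_srtp` is set from a client-supplied ClientHello extension, so suppressing NDPI_TLS_NOT_CARRYING_HTTPS here is only as robust as `flow->stun.maybe_dtls` (set elsewhere, not visible in this hunk) is hard to forge, and a comment such as `/* DTLS-SRTP (WebRTC) flows legitimately lack ALPN; note use_srtp is client-controlled */` would record that trade-off. The `compute_ja3c:` label's surrounding code continues outside the hunk.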
@@ -2840,6 +2847,7 @@ compute_ja3c:
   /* Add check for missing SNI */
   if(flow->host_server_name[0] == '\0'
      && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
+     && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */
      && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
      ) {
     /* This is a bit suspicious */
-- 
cgit v1.2.3
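Review bot: The exemption added to the missing-SNI check mirrors the one in the previous hunk, so the SNI risk is now silenced on a UDP flow whenever the ClientHello carries a use_srtp extension and `flow->stun.maybe_dtls` was set earlier; a DTLS client wanting to avoid the missing-SNI risk can add that extension at no cost, which is acceptable for the stated goal but should be stated where the check is made, e.g. `/* Webrtc (DTLS-SRTP) traffic: SNI is normally absent; use_srtp is client-controlled */` in place of the bare `/* Webrtc traffic */`. Reusing a single local for the repeated three-term expression (`&& !is_webrtc`) rather than restating it here would keep the two checks from drifting apart. The `if` that flags the missing SNI continues past the end of the hunk, and processClientServerHello begins well before it.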