From e77ff5ebd8981bf72c3981aeab3899850027973f Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 6 Jan 2025 13:16:57 +0100
Subject: TLS: fix `NDPI_TLS_WEAK_CIPHER` flow risk (#2647)

We should set it also for "obsolete"/"insecure" ciphers, not only for the "weak" ones.
---
 src/lib/protocols/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b6fe9d7a6..ae28ab7a8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2302,7 +2302,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 return(0); /* Not found */
 ja.server.num_ciphers = 1, ja.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
- if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0])) == 1) {
+ if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0])) != NDPI_CIPHER_SAFE) {
 char str[64];
 char unknown_cipher[8];
-- 
cgit v1.2.3
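Review bot: The widened test `!= NDPI_CIPHER_SAFE` makes the risk depend on what `ndpi_is_safe_ssl_cipher()` returns for cipher ids it does not list, which this hunk does not show; if that default is the safe value, unknown ids still pass silently, so the call site deserves a comment such as `/* any class other than NDPI_CIPHER_SAFE (weak, insecure/obsolete) raises NDPI_TLS_WEAK_CIPHER */`. The assignment is also buried inside the condition; splitting it into `flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0]);` followed by `if(flow->protos.tls_quic.server_unsafe_cipher != NDPI_CIPHER_SAFE) {` makes it plain that the field stores the cipher class rather than a boolean. Any other reader of `server_unsafe_cipher` that still compares against a literal `1` would presumably have the same gap this commit closes. The `if` body and the rest of processClientServerHello lie outside the hunk.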