From 2b65a4e05ec5a534dbb700f4e15da0c7ade9ca78 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 22 Nov 2022 16:13:28 +0100
Subject: TLS: be sure to always set `ssl_version` field (#1806)
Useful with asymmetric traffic with (D)TLS <= 1.2
---
 src/lib/protocols/tls.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src')
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index fa40070f6..3e8b50c4e 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1656,6 +1656,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 i += 4 + extension_len, offset += 4 + extension_len;
 } /* for */
+ /* If the CH is not available and if "supported_versions" extension is not present in the SH
+ (i.e. (D)TLS <= 1.2), use the version field present in the record layer */
+ if(flow->protos.tls_quic.ssl_version == 0)
+ flow->protos.tls_quic.ssl_version = tls_version;
+
 ja3_str_len = ndpi_snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.server.tls_handshake_version);
 for(i=0; (i ja3_str_len); i++) {
--
cgit v1.2.3
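Review bot: The fallback `flow->protos.tls_quic.ssl_version = tls_version;` stores a value that consumers cannot tell apart from a negotiated version, and the comment does not say when it may be wrong. If the extension loop above ends before reaching "supported_versions" (for example on a truncated Server Hello), a TLS 1.3 flow would presumably be recorded with the legacy value the peer put on the wire, so any policy or risk check keyed on `ssl_version` should treat it as a hint. I would extend the comment with `/* Fallback only: peer-supplied legacy field, not proof of the negotiated version */` and brace the `if` body. The definition of `tls_version` is outside the hunk, so please confirm it really is the record-layer field the comment names and not the handshake version that the next line prints from `ja3.server.tls_handshake_version`; the two can differ.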