Merge pull request #592 from droe/droe/fix-ja4-ssl2

Fix wrong SSL 2.0 version and remove SSL 1.0 (bug in older JA4 spec)
phaag · Jan 18, 2025 · a32fbcd · a32fbcd
2 parents 9b2da1f + a4fbb56
commit a32fbcd
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 25 deletions.
diff --git a/src/libnfdump/filter/grammar.y b/src/libnfdump/filter/grammar.y
@@ -1304,7 +1304,7 @@ static int AddPayloadSSL(char *type, char *arg, char *opt) {
 			yyprintf("String %s is not a valid SSL/TLS version", opt);
 			return -1;
 		}
-		// if old SSL 1.0, 2.0 or 3.0
+		// if old SSL 2.0 or 3.0
 		if (major > 1 && minor > 0){
 			yyprintf("String %s is not a valid SSL/TLS version", opt);
 			return -1;

diff --git a/src/libnfdump/ssl/ssl.c b/src/libnfdump/ssl/ssl.c
@@ -250,19 +250,13 @@ static int sslParseClientHandshake(ssl_t *ssl, BytesStream_t sslStream, uint32_t
     0x0302 = TLS 1.1 = “11”
     0x0301 = TLS 1.0 = “10”
     0x0300 = SSL 3.0 = “s3”
-    0x0200 = SSL 2.0 = “s2”
-    0x0100 = SSL 1.0 = “s1”
+    0x0002 = SSL 2.0 = “s2”
 
     Unknown = “00”
     */
     ssl->protocolVersion = version;
     switch (version) {
-        case 0x0100:
-            // SSL 1.0 was never really release!
-            ssl->tlsCharVersion[0] = 's';
-            ssl->tlsCharVersion[1] = '1';
-            break;
-        case 0x0200:  // SSL 2.0
+        case 0x0002:  // SSL 2.0
             ssl->tlsCharVersion[0] = 's';
             ssl->tlsCharVersion[1] = '2';
             break;
@@ -287,8 +281,8 @@ static int sslParseClientHandshake(ssl_t *ssl, BytesStream_t sslStream, uint32_t
             ssl->tlsCharVersion[1] = '3';
             break;
         default:
-            LogError("%s():%d Not an SSL 3.0 - TLS 1.3 protocol", __FUNCTION__, __LINE__);
-            dbg_printf("Client handshake: Not an SSL 3.0 - TLS 1.3 protocol\n");
+            LogError("%s():%d Not an SSL 2.0 - TLS 1.3 protocol", __FUNCTION__, __LINE__);
+            dbg_printf("Client handshake: Not an SSL 2.0 - TLS 1.3 protocol\n");
             return 0;
     }
 
@@ -347,10 +341,7 @@ static int sslParseServerHandshake(ssl_t *ssl, BytesStream_t sslStream, uint32_t
 
     ssl->protocolVersion = version;
     switch (version) {
-        case 0x0100:
-            // SSL 1.0 was never really release!
-            break;
-        case 0x0200:  // SSL 2.0
+        case 0x0002:  // SSL 2.0
             ssl->tlsCharVersion[0] = 's';
             ssl->tlsCharVersion[1] = '2';
             break;
@@ -371,8 +362,8 @@ static int sslParseServerHandshake(ssl_t *ssl, BytesStream_t sslStream, uint32_t
             ssl->tlsCharVersion[1] = '3';
             break;
         default:
-            LogError("%s():%d Not an SSL 3.0 - TLS 1.3 protocol", __FUNCTION__, __LINE__);
-            dbg_printf("Client handshake: Not an SSL 3.0 - TLS 1.3 protocol\n");
+            LogError("%s():%d Not an SSL 2.0 - TLS 1.3 protocol", __FUNCTION__, __LINE__);
+            dbg_printf("Client handshake: Not an SSL 2.0 - TLS 1.3 protocol\n");
             return 0;
     }
 
@@ -516,14 +507,14 @@ ssl_t *sslProcess(const uint8_t *data, size_t len) {
     uint16_t sslVersion;
     ByteStream_GET_u16(sslStream, sslVersion);
     switch (sslVersion) {
-        case 0x0200:  // SSL 2.0
+        case 0x0002:  // SSL 2.0
         case 0x0300:  // SSL 3.0
         case 0x0301:  // TLS 1.1
         case 0x0302:  // TLS 1.2
         case 0x0303:  // TLS 1.3
             break;
         default:
-            dbg_printf("SSL version: 0x%x not SSL 3.0 - TLS 1.3 connection\n", sslVersion);
+            dbg_printf("SSL version: 0x%x not SSL 2.0 - TLS 1.3 connection\n", sslVersion);
             return NULL;
     }
 

diff --git a/src/libnfdump/ssl/ssl.h b/src/libnfdump/ssl/ssl.h
@@ -81,8 +81,7 @@ typedef struct ssl_s {
         0x0302 = TLS 1.1 = “11”
         0x0301 = TLS 1.0 = “10”
         0x0300 = SSL 3.0 = “s3”
-        0x0200 = SSL 2.0 = “s2”
-        0x0100 = SSL 1.0 = “s1”
+        0x0002 = SSL 2.0 = “s2”
         Unknown = “00”
      */
 

diff --git a/src/output/output_csv.c b/src/output/output_csv.c
@@ -1161,8 +1161,7 @@ static char *String_tlsVersion(char *streamPtr, recordHandle_t *recordHandle) {
     0x0302 = TLS 1.1 = “11”
     0x0301 = TLS 1.0 = “10”
     0x0300 = SSL 3.0 = “s3”
-    0x0200 = SSL 2.0 = “s2”
-    0x0100 = SSL 1.0 = “s1”
+    0x0002 = SSL 2.0 = “s2”
     */
 
     // ssl is defined

diff --git a/src/output/output_fmt.c b/src/output/output_fmt.c
@@ -1212,8 +1212,7 @@ static void String_tlsVersion(FILE *stream, recordHandle_t *recordHandle) {
     0x0302 = TLS 1.1 = “11”
     0x0301 = TLS 1.0 = “10”
     0x0300 = SSL 3.0 = “s3”
-    0x0200 = SSL 2.0 = “s2”
-    0x0100 = SSL 1.0 = “s1”
+    0x0002 = SSL 2.0 = “s2”
     */
 
     // ssl is defined