TLS Alerts not skipped #6
Comments
|
The problem with the filter is, it is getting complex already. Could you provide a pcap of such an Alert record packet please? I'd like to look into it to determine what could be done. However, I don't particularly like the idea of implementing a TLS record parser in BPF ;-) We might revert to passing all TLS packets to userland instead and do some more parsing/processing there. |
|
You can test yourself, with the alias https://neskaya.eckenfels.com apache will generate an warning, with https://eckenfels.com you will get a sucessful handshake. A sample trace is here http://bernd.eckenfels.net/view/alert.pcap . The alert record is 15(alert) 0303(tls12) 0002(2bytes) 01(warn) 70(unrecognized name) I am afraid the trace is somewhat before fragmentation (from the server), so the certificate record is corrupt, but the ServerHello is complete. |
|
Okay, so this looks like we need a rule of the kind As we need one level of indirection already to access the payload ( I am not saying this is impossible, just that it is not pretty. I could probably live with a BPF+parser extension to allow for the Hello to be the second TLS record, which should account for your alert use case. |
I had some ServerHello messages missing. Upon closer inspection it was due to Alert records (SNI host_unknown warning) before the actual ServerHello record. Since they are all in the same segment/package I think it would be a usefull addition to be able to skip alerts. This would also mean to change the default packet filter a bit.
The text was updated successfully, but these errors were encountered: