[Oisf-devel] [PATCH] Add TLS handshake decoder v2 0/3

Pierre Chifflier pierre.chifflier at ssi.gouv.fr
Fri Nov 4 17:18:43 UTC 2011


Here is the v2 of the TLS handshake decode patches.

Changes since v1:

- coding style, renaming variable names to lowercase and fixing #ifdef guards
- renaming files for consistency
- remove warnings from the parser
- use strlcpy instead of strncpy
- use SCStrdup instead of strdup


These patches add some support for extracting information from
the TLS handshake. The patches are based on the current master branch.

The goal is to be able to read the certificates and extract a few
keywords. This gives a few opportunities:
- using some kind of hash function, it's possible to test if a known
  certificate for a site changes,
- we can define some keywords on TLS records, for ex. extract the chosen
  cipher for the session. I'm intending to use this to be sure the server
  or the client are not trying to do some kind of downgrade attack with a
  weak cipher
- we can have some keywords on TLS certificates, to match some subjects

See http://article.gmane.org/gmane.comp.security.ids.oisf.devel/775 for

Pierre Chifflier
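
The cipher check mentioned in the cover letter, as an added example (not code from these patches or from Suricata): read the chosen cipher suite from a ServerHello carried in a single TLS record and flag it when it is a weak suite. The function names, the constructed sample bytes and the short, incomplete weak-suite list are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: one TLS 1.2 record holding a ServerHello that
 * selects 0x0004 (TLS_RSA_WITH_RC4_128_MD5). Not captured traffic. */
static const uint8_t sample_server_hello[] = {
    0x16, 0x03, 0x03, 0x00, 0x2a,     /* record: handshake, TLS 1.2, 42 bytes */
    0x02, 0x00, 0x00, 0x26,           /* ServerHello, 38-byte body */
    0x03, 0x03,                       /* server_version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  /* random (32 bytes, zeroed) */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,                             /* session_id length */
    0x00, 0x04,                       /* cipher_suite */
    0x00                              /* compression_method */
};

/* Returns the selected cipher suite, or -1 when buf is not a complete,
 * well-formed ServerHello. Every length field is checked before use. */
int server_hello_cipher(const uint8_t *buf, size_t len)
{
    if (len < 5 || buf[0] != 0x16 || buf[1] != 0x03)
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || rec_len > len - 5 || buf[5] != 0x02)
        return -1;
    size_t body_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (body_len > rec_len - 4 || body_len < 35)
        return -1;
    const uint8_t *body = buf + 9;    /* version(2) + random(32) + sid_len(1) */
    size_t sid_len = body[34];
    if (sid_len > 32 || body_len < 35 + sid_len + 3)
        return -1;
    return (body[35 + sid_len] << 8) | body[36 + sid_len];
}

/* Illustrative list only: NULL, export-grade, RC4 and single-DES RSA suites. */
int is_weak_cipher(int suite)
{
    static const uint16_t weak[] = { 0x0000, 0x0001, 0x0002, 0x0003,
                                     0x0004, 0x0005, 0x0006, 0x0008, 0x0009 };
    for (size_t i = 0; i < sizeof weak / sizeof weak[0]; i++)
        if (suite == weak[i]) return 1;
    return 0;
}

int main(void)
{
    int cs = server_hello_cipher(sample_server_hello, sizeof sample_server_hello);
    printf("cipher 0x%04x weak=%d\n", cs, is_weak_cipher(cs));
    return 0;
}
```

A real decoder also has to reassemble handshake messages that span several records, which this single-record sketch does not attempt.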
