Allow sniffer to follow ports using STARTTLS.

This commit is contained in:
John Safranek 2014-11-07 14:37:00 -08:00
parent 4441e3be1a
commit d829b5f93b


@ -2534,18 +2534,32 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
*end = *sslFrame + *sslBytes; *end = *sslFrame + *sslBytes;
} }
#ifdef OLD_HELLO_ALLOWED
if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) { if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
int rhSize; /* Sanity check the packet for an old style client hello. */
int rhSize =
((ssl->buffers.inputBuffer.buffer[
ssl->buffers.inputBuffer.idx] & 0x7f) << 8) |
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 1];
if ((rhSize <= (*sslBytes - 2)) &&
(ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 2]
== OLD_HELLO_ID) &&
(ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 3]
== SSLv3_MAJOR)) {
#ifdef OLD_HELLO_ALLOWED
int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error); int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
if (ret < 0) if (ret < 0)
return -1; /* error already set */ return -1; /* error already set */
if (*sslBytes <= 0) if (*sslBytes <= 0)
return 1; return 1;
}
#endif #endif
}
else {
#ifdef STARTTLS_ALLOWED
return 1;
#endif
}
}
return 0; return 0;
} }
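Review bot: The old-hello sanity check reads `inputBuffer.buffer[idx]` and `[idx + 1]` to build `rhSize` before anything bounds it against `*sslBytes`, and the `rhSize <= (*sslBytes - 2)` test does not imply that bytes `idx + 2` and `idx + 3` exist either (with `*sslBytes == 2` and a zero length field the condition holds and the next two reads go past the frame). Since `*sslBytes` is the value the check itself treats as the available length, a `*sslBytes >= 4` guard should precede the first buffer read, as below; if the sniffer guarantees a larger minimum earlier in CheckPreRecord, a comment stating that guarantee would serve the same purpose. Note also that the probe bytes come from `ssl->buffers.inputBuffer` while `DoOldHello` is handed `*sslFrame`; presumably these alias the same data here, but that is not visible in the hunk and is worth a one-line comment. CheckPreRecord begins before this hunk, so the declarations of `ssl` and the parameters are not in view.
```c
if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
    /* Sanity check the packet for an old style client hello:
     * two length bytes, the OLD_HELLO_ID byte and the major version. */
    int rhSize = 0;
    int isOldHello = 0;
    if (*sslBytes >= 4) {
        rhSize = ((ssl->buffers.inputBuffer.buffer[
                      ssl->buffers.inputBuffer.idx] & 0x7f) << 8) |
                 ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 1];
        isOldHello = (rhSize <= (*sslBytes - 2)) &&
            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 2]
                == OLD_HELLO_ID) &&
            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 3]
                == SSLv3_MAJOR);
    }
    if (isOldHello) {
        /* … unchanged: DoOldHello call under OLD_HELLO_ALLOWED … */
    }
    else {
        /* … unchanged: STARTTLS_ALLOWED early return … */
    }
}
```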