Add support to opportunistic TLS

A lot of protocols provide the feature to upgrade their plain text connections to an encrypted one, via some kind of "STARTTLS" command. Add generic code to support this extension, and allow dissection of the entire TLS handshake. As an example, SMTP and FTP dissectors have been updated; similar logic might be applied to IMAP, POP, OPENVPN... Since this feature requires to process more packets per flow, add the possibility to disable it. Fix some log messages. As a side effect, this commit fix also a memory leak found by oss-fuzzer ``` ==108966==ERROR: LeakSanitizer: detected memory leaks Direct leak of 22 byte(s) in 1 object(s) allocated from: #0 0x55f8b367a0be in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x5480be) (BuildId: 94debacb4a6784c30420ab748c8bf3cc59621063) ntop#1 0x55f8b36e1345 in ndpi_malloc_wrapper /home/ivan/svnrepos/nDPI/example/reader_util.c:321:10 ntop#2 0x55f8b379c7d2 in ndpi_malloc /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:212:25 ntop#3 0x55f8b379cb18 in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:279:13 ntop#4 0x55f8b386ce46 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2153:34 ntop#5 0x55f8b385ebf7 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:867:5 ntop#6 0x55f8b39e708c in ndpi_extra_search_mail_smtp_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/mail_smtp.c:422:9 ntop#7 0x55f8b37e636c in ndpi_process_extra_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5884:9 ntop#8 0x55f8b37edc05 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6276:5 ntop#9 0x55f8b3701ffc in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1619:31 ntop#10 0x55f8b36faf14 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2189:10 ntop#11 0x55f8b36b6a50 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:107:7 ``` See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50765
IvanNardi · Aug 30, 2022 · d1b7aa8 · d1b7aa8
1 parent 981a72c
commit d1b7aa8
Show file tree

Hide file tree

Showing 12 changed files with 167 additions and 56 deletions.
diff --git a/example/reader_util.c b/example/reader_util.c
@@ -1214,6 +1214,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
           || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_SMTPS)
           || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS)
           || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_POPS)
+          || is_ndpi_proto(flow, NDPI_PROTOCOL_FTPS)
 	  || ((is_quic = is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)))
 	  ) {
     flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version;

diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
@@ -1010,6 +1010,12 @@ extern "C" {
 			       lru_cache_type cache_type,
 			       struct ndpi_lru_cache_stats *stats);
 
+  int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
+				 opportunistic_tls_proto proto,
+				 int value);
+  int ndpi_get_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
+				 opportunistic_tls_proto proto);
+
   /**
    * Find a protocol id associated with a string automata
    *

diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -339,6 +339,7 @@ typedef enum {
   NDPI_PROTOCOL_TIVOCONNECT           = 308,
   NDPI_PROTOCOL_KISMET                = 309,
   NDPI_PROTOCOL_FASTCGI               = 310,
+  NDPI_PROTOCOL_FTPS                  = 311,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -603,6 +603,13 @@ typedef enum {
   NDPI_PTREE_MAX	/* Last one! */
 } ptree_type;
 
+typedef enum {
+  OPPORTUNISTIC_TLS_SMTP = 1,
+  OPPORTUNISTIC_TLS_FTP,
+
+  OPPORTUNISTIC_TLS_MAX,	/* Last one! */
+} opportunistic_tls_proto;
+
 typedef enum {
   NDPI_AUTOMA_HOST = 0,
   NDPI_AUTOMA_DOMAIN,
@@ -1208,6 +1215,9 @@ struct ndpi_detection_module_struct {
 
   /* *** If you add a new LRU cache, please update lru_cache_type above! *** */
 
+  int opportunistic_tls_smtp_enabled;
+  int opportunistic_tls_ftp_enabled;
+
   ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];
 
   u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ _pad:7;
@@ -1395,7 +1405,7 @@ struct ndpi_flow_struct {
         char *esni;
       } encrypted_sni;
       ndpi_cipher_weakness server_unsafe_cipher;
-    } tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS */
+    } tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS/FTPS */
 
     struct {
       char client_signature[48], server_signature[48];

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -1974,6 +1974,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
                           "FastCGI", NDPI_PROTOCOL_CATEGORY_NETWORK,
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_FTPS,
+			  "FTPS", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -2759,6 +2763,9 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
     return(NULL);
   }
 
+  ndpi_str->opportunistic_tls_smtp_enabled = 1;
+  ndpi_str->opportunistic_tls_ftp_enabled = 1;
+
   ndpi_init_protocol_defaults(ndpi_str);
 
   if(ndpi_callback_init(ndpi_str)) {
@@ -4924,7 +4931,8 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
        flow_is_proto(flow, NDPI_PROTOCOL_DTLS) ||
        flow_is_proto(flow, NDPI_PROTOCOL_MAIL_SMTPS) ||
        flow_is_proto(flow, NDPI_PROTOCOL_MAIL_POPS) ||
-       flow_is_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS)) {
+       flow_is_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS) ||
+       flow_is_proto(flow, NDPI_PROTOCOL_FTPS)) {
       if(flow->protos.tls_quic.server_names)
 	ndpi_free(flow->protos.tls_quic.server_names);
 
@@ -6246,9 +6254,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
   u_int32_t num_calls = 0;
   ndpi_protocol ret = { flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], flow->category, NULL };
 
-  if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE)
-    NDPI_LOG(flow ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN, ndpi_str, NDPI_LOG_TRACE,
-	     "START packet processing\n");
+  NDPI_LOG_DBG(ndpi_str, "[%d/%d] START packet processing\n",
+               flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
 
   if(flow == NULL)
     return(ret);
@@ -8889,3 +8896,42 @@ int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow)
     return 0;
   return 1;
 }
+
+/* ******************************************************************** */
+
+int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
+			       opportunistic_tls_proto proto,
+			       int value)
+{
+  if(!ndpi_struct || (value != 0 && value != 1))
+    return -1;
+
+  switch(proto) {
+  case OPPORTUNISTIC_TLS_SMTP:
+    ndpi_struct->opportunistic_tls_smtp_enabled = value;
+    return 0;
+  case OPPORTUNISTIC_TLS_FTP:
+    ndpi_struct->opportunistic_tls_ftp_enabled = value;
+    return 0;
+  default:
+    return -1;
+  }
+}
+
+/* ******************************************************************** */
+
+int ndpi_get_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
+			       opportunistic_tls_proto proto)
+{
+  if(!ndpi_struct)
+    return -1;
+
+  switch(proto) {
+  case OPPORTUNISTIC_TLS_SMTP:
+    return ndpi_struct->opportunistic_tls_smtp_enabled;
+  case OPPORTUNISTIC_TLS_FTP:
+    return ndpi_struct->opportunistic_tls_ftp_enabled;
+  default:
+    return -1;
+  }
+}
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
@@ -29,6 +29,9 @@
 
 // #define FTP_DEBUG
 
+extern void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
+					   struct ndpi_flow_struct *flow);
+
 /* *************************************************************** */
 
 static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
@@ -643,10 +646,21 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
 
 	if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' &&
 	   flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0 &&
-	   flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
+	   flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0) {
 	  flow->ftp_control_stage = 0;
-	else
+	} else if (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 &&
+		   ndpi_struct->opportunistic_tls_ftp_enabled) {
+	  flow->host_server_name[0] = '\0'; /* Remove any data set by other dissectors (eg. SMTP) */
+	  /* Switch classification to FTPS */
+	  ndpi_set_detected_protocol(ndpi_struct, flow,
+				     NDPI_PROTOCOL_FTPS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+	  NDPI_LOG_DBG(ndpi_struct, "Switching to [%d/%d]\n",
+		       flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
+	  /* We are done (in FTP dissector): delegating TLS... */
+	  switch_extra_dissection_to_tls(ndpi_struct, flow);
+	} else {
 	  ndpi_int_ftp_control_add_connection(ndpi_struct, flow);
+	}
       } else {
 	NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to FTP_CONTROL, "
 		      "resetting the stage to 0\n");

diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
@@ -48,8 +48,8 @@
 
 /* #define SMTP_DEBUG 1 */
 
-extern int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
-                           struct ndpi_flow_struct *flow);
+extern void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
+					   struct ndpi_flow_struct *flow);
 
 static void ndpi_int_mail_smtp_add_connection(struct ndpi_detection_module_struct
 					      *ndpi_struct, struct ndpi_flow_struct *flow) {
@@ -153,6 +153,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 		  len = i-4;
 		  /* Copy result for nDPI apps */
 		  ndpi_hostname_sni_set(flow, &packet->line[a].ptr[4], len);
+		  NDPI_LOG_DBG(ndpi_struct, "SMTP: hostname [%s]\n", flow->host_server_name);
 
 		  if (ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP,
 						   flow->host_server_name,
@@ -406,38 +407,40 @@ int ndpi_extra_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_st
 				    struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
-  int rc = 0;
+  int rc;
 
-  if (flow->l4.tcp.smtp_command_bitmask & SMTP_BIT_STARTTLS &&
-      packet->payload_packet_len > 5)
-  {
-    uint8_t const * const block = &packet->payload[5];
-    uint8_t const * const p = &packet->payload[0];
-    uint16_t const block_len = packet->payload_packet_len - 5;
-    uint16_t const l = packet->payload_packet_len;
+  if(flow->l4.tcp.smtp_command_bitmask & SMTP_BIT_STARTTLS) {
 
-    packet->payload = block;
-    packet->payload_packet_len = block_len;
+    /* RFC 3207:
+       "After the client gives the STARTTLS command, the server responds with
+        one of the following reply codes:
+         220 Ready to start TLS
+         501 Syntax error (no parameters allowed)
+         454 TLS not available due to temporary reason"
+    */
 
-    if (processTLSBlock(ndpi_struct, flow) != 0) {
+    if(ndpi_struct->opportunistic_tls_smtp_enabled &&
+       packet->payload_packet_len > 3 && memcmp(packet->payload, "220", 3) == 0) {
       rc = 1;
-    }
-
-    packet->payload = p;
-    packet->payload_packet_len = l;
-
-    /* STARTTLS may be followed by a 220 - Service ready */
-    if (rc == 0 && memcmp(packet->payload, "220", 3) != 0)
-    {
-      flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
-      if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
-        ndpi_set_detected_protocol(ndpi_struct, flow,
-                                   NDPI_PROTOCOL_MAIL_SMTPS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+      /* Switch classification to SMTPS, keeping the hostname sub-classification (if any) */
+      if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN &&
+	 flow->detected_protocol_stack[0] != NDPI_PROTOCOL_MAIL_SMTP) {
+	ndpi_set_detected_protocol(ndpi_struct, flow,
+                                   flow->detected_protocol_stack[0], NDPI_PROTOCOL_MAIL_SMTPS, NDPI_CONFIDENCE_DPI);
+	/* Now it is safe to write to `flow->protos.tls_quic` union */
+	flow->protos.tls_quic.subprotocol_detected = 1;
       } else {
         ndpi_set_detected_protocol(ndpi_struct, flow,
-                                   flow->guessed_host_protocol_id, NDPI_PROTOCOL_MAIL_SMTPS, NDPI_CONFIDENCE_DPI);
+                                   NDPI_PROTOCOL_MAIL_SMTPS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
       }
+      NDPI_LOG_DBG(ndpi_struct, "Switching to [%d/%d]\n",
+                   flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
+      /* We are done (in SMTP dissector): delegating TLS... */
+      switch_extra_dissection_to_tls(ndpi_struct, flow);
+    } else {
+      rc = 0; /* Something went wrong. Stop extra dissection */
     }
+
   } else {
     ndpi_search_mail_smtp_tcp(ndpi_struct, flow);
     rc = ((flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') &&

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -28,8 +28,6 @@
 #include "ndpi_encryption.h"
 
 extern char *strptime(const char *s, const char *format, struct tm *tm);
-extern int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
-                           struct ndpi_flow_struct *flow);
 extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow, uint32_t quic_version);
 extern int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
@@ -221,7 +219,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
 	     message->buffer_len,
 	     packet->packet_direction,
 	     ntohl(packet->tcp->seq),
-	     ntohl(packet->tcp->seq)+packet->payload_packet_len);
+	     message->next_seq);
 #endif
     }
   }
@@ -852,8 +850,8 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* **************************************** */
 
-int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
-                    struct ndpi_flow_struct *flow) {
+static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
+                           struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   int ret;
 
@@ -924,8 +922,12 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	 packet->payload_packet_len);
 #endif
 
-  if(packet->payload_packet_len == 0)
-    return(1); /* Keep working */
+  /* This function is also called by "extra dissection" data path. Unfortunately,
+     generic "extra function" code doesn't honour protocol bitmask.
+     TODO: handle that in ndpi_main.c for all the protocols */
+  if(packet->payload_packet_len == 0 ||
+     packet->tcp_retransmission)
+    return 1; /* Keep working */
 
   ndpi_search_tls_tcp_memory(ndpi_struct, flow);
   message = &flow->l4.tcp.tls.message[packet->packet_direction];
@@ -1224,6 +1226,26 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd
 
 /* **************************************** */
 
+void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
+				    struct ndpi_flow_struct *flow)
+{
+#ifdef DEBUG_TLS
+  printf("Switching to TLS extra dissection\n");
+#endif
+
+  /* Reset reassemblers */
+  if(flow->l4.tcp.tls.message[0].buffer)
+    ndpi_free(flow->l4.tcp.tls.message[0].buffer);
+  memset(&flow->l4.tcp.tls.message[0], '\0', sizeof(flow->l4.tcp.tls.message[0]));
+  if(flow->l4.tcp.tls.message[1].buffer)
+    ndpi_free(flow->l4.tcp.tls.message[1].buffer);
+  memset(&flow->l4.tcp.tls.message[1], '\0', sizeof(flow->l4.tcp.tls.message[1]));
+
+  tlsInitExtraPacketProcessing(ndpi_struct, flow);
+}
+
+/* **************************************** */
+
 static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct,
 				 struct ndpi_flow_struct *flow) {
   char * alpn_start = flow->protos.tls_quic.alpn;

diff --git a/tests/pcap/smtp-starttls.pcap b/tests/pcap/smtp-starttls.pcap
diff --git a/tests/result/ftp-start-tls.pcap.out b/tests/result/ftp-start-tls.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	0
 
-DPI Packets (TCP):	10	(10.00 pkts/flow)
+DPI Packets (TCP):	17	(17.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 Num dissector calls: 154 (154.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
@@ -10,15 +10,20 @@ LRU cache stun:       0/0/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-Automa host:          1/0 (search/found)
-Automa domain:        1/0 (search/found)
-Automa tls cert:      0/0 (search/found)
+Automa host:          2/0 (search/found)
+Automa domain:        2/0 (search/found)
+Automa tls cert:      1/0 (search/found)
 Automa risk mask:     0/0 (search/found)
 Automa common alpns:  0/0 (search/found)
 Patricia risk mask:   2/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia protocols:   6/0 (search/found)
 
-FTP_CONTROL	51	7510	1
+FTPS	51	7510	1
 
-	1	TCP 10.238.26.36:62092 <-> 10.220.50.76:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][16 pkts/1744 bytes <-> 35 pkts/5766 bytes][Goodput ratio: 49/66][0.33 sec][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 13/4 34/34 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 109/165 384/566 80/152][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (Authorized users only. All acti)][Plen Bins: 22,25,32,0,2,0,5,0,0,0,2,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.238.26.36             	 1      
+
+
+	1	TCP 10.238.26.36:62092 <-> 10.220.50.76:21 [proto: 311/FTPS][Encrypted][Confidence: DPI][cat: Download/7][16 pkts/1744 bytes <-> 35 pkts/5766 bytes][Goodput ratio: 49/66][0.33 sec][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 13/4 34/34 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 109/165 384/566 80/152][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Unsafe Protocol **** Missing SNI TLS Extn **][Risk Score: 170][Risk Info: No ALPN / Cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA][TLSv1.2][JA3C: 398076b7fcad56308a762b3c79fe1f44][ServerNames: oss.huawei.com][JA3S: 5cd6efb8d804faf03e1462073b729151 (WEAK)][Issuer: C=CN, O=Huawei, OU=Wireless Network Product Line, CN=Huawei Wireless Network Product CA][Subject: C=CN, O=Huawei, OU=Huawei Network Product Line, CN=OSS Certificate][Certificate SHA-1: 0A:14:3A:AB:E1:3A:5B:1C:A7:BD:C7:82:45:8C:FA:37:D7:87:29:D2][Validity: 2012-03-12 08:54:33 - 2027-03-09 08:54:33][Cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA][PLAIN TEXT (Authorized users only. All acti)][Plen Bins: 22,25,32,0,2,0,5,0,0,0,2,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]