Open leehinman opened 7 months ago
This issue doesn't have a `Team:<team>` label.
Hi @leehinman, I would like to try to solve this issue. Do you mind assigning it to me? Honestly, this is my first attempt to contribute to open source. I would appreciate any advice.
Describe the enhancement:
A fairly common misconfiguration is to start the tcp input without any TLS configuration while the client is attempting to negotiate a TLS connection. The result is that you get events that contain the TLS client hello, but no error. It isn't obvious what is wrong or how to fix it.
For the enhancement, we should be able to detect a TLS client hello here. We could then either return an error or add a field to the event that signals that a TLS client hello was detected. Either way it should be much easier to see what went wrong and how to fix it.
For example, to detect TLS 1.2, the first byte should be 0x16, then the length of the data received should equal the value stored in bytes 4 & 5. https://tls12.xargs.org/#client-hello/annotated has a nice annotation of the Client hello for TLS 1.2.
Describe a specific use case for the enhancement or feature:
Detect misconfiguration.
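A sketch of the check described in the issue, added here as an example (it is not code from the project or from the issue author). The name `DetectClientHello` and the sample buffers are assumptions; the function returns the declared record length so a caller can compare it with what was read, rather than requiring a match itself, because one TCP read may hold only part of a record.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	recordHeaderLen      = 5       // content type (1) + version (2) + length (2)
	contentTypeHandshake = 0x16    // TLS record content type "handshake"
	handshakeClientHello = 0x01    // handshake message type "ClientHello"
	maxPlaintextLen      = 1 << 14 // largest length a plaintext TLS record may declare
)

// DetectClientHello (hypothetical helper) reports whether buf begins with a
// TLS handshake record carrying a ClientHello, and returns the record length
// declared in the header (the payload length, excluding the 5 header bytes).
func DetectClientHello(buf []byte) (recordLen int, ok bool) {
	// Need the full record header plus the first handshake byte.
	if len(buf) < recordHeaderLen+1 {
		return 0, false
	}
	if buf[0] != contentTypeHandshake {
		return 0, false
	}
	// Record-layer version: major 0x03, minor 0x00 (SSL 3.0) to 0x04 (TLS 1.3).
	if buf[1] != 0x03 || buf[2] > 0x04 {
		return 0, false
	}
	recordLen = int(binary.BigEndian.Uint16(buf[3:5]))
	if recordLen == 0 || recordLen > maxPlaintextLen {
		return 0, false
	}
	if buf[recordHeaderLen] != handshakeClientHello {
		return 0, false
	}
	return recordLen, true
}

func main() {
	// Constructed samples: a truncated ClientHello prefix and a plain syslog line.
	hello := []byte{0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b, 0x03, 0x03}
	syslog := []byte("<13>Oct 11 22:14:15 host app: started\n")
	for _, b := range [][]byte{hello, syslog} {
		n, ok := DetectClientHello(b)
		fmt.Printf("clientHello=%v declaredRecordLen=%d\n", ok, n)
	}
}
```

The handshake-type and version checks keep ordinary text or binary payloads that merely start with 0x16 from being flagged.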