Tag packet based on TLS session

Comments

3 comments

  • Justin

    Hi Gonçalo

    I don't think you'll be able to achieve what you're looking for. There are a few reasons for this:

    1. The HTTP portion of the request happens after the TLS handshake. This means you can't log those variables unless you have access to log via the actual TLS termination software, which you don't have here.
    2. There aren't available variables for logging the different portions of the TLS handshake.
    3. There isn't any available variable or header that captures a TLS session identifier. As you've already seen, the list of TLS variables is available [here](https://docs.fastly.com/vcl/tls-and-http2/#variables).

    Let me know if you need clarification on any of this.

  • Gonçalo Pestana

    Hey Justin, thanks for the answer!

    Maybe I don't need to identify the TLS session. I would like to create a TLS fingerprinting service based on the TLS handshake for each client. To achieve that, I am thinking of tagging requests with the available TLS variables (https://docs.fastly.com/vcl/tls-and-http2/#variables). Then I'd like to have a service that ingests them and performs heuristics calculations on the contents of the HTTP request and the TLS variables. Would that be possible?

    Thanks!

  • Justin

    OK, it sounds like that would be possible. Feel free to try the logging and see what is available before building the backend application.

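As an added example (not from the thread, and not Fastly's code), here is a minimal version of the ingesting service Gonçalo describes. It assumes the edge logs one line per request carrying tls.client.protocol, tls.client.ciphers_list and tls.client.tlsexts_list alongside the client IP and User-Agent (a constructed sample is embedded), computes a JA3-style fingerprint from those fields, and applies one heuristic: a fingerprint that shows up with several unrelated User-Agent families is probably one TLS stack rotating its User-Agent.

```python
import hashlib
from collections import defaultdict

# Constructed sample log, one request per line, in the field order a VCL log
# statement could emit: client IP | tls.client.protocol | tls.client.ciphers_list
# | tls.client.tlsexts_list | User-Agent. Values are made up; ':' separators are
# for readability only, since the service treats the lists as opaque strings.
SAMPLE_LOG = """\
203.0.113.10|TLSv1.3|1301:1302:1303:c02b:c02f|0:17:ff01:a:b:23:10:5:d:12:33:2b:2d|Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0
203.0.113.11|TLSv1.3|1301:1302:1303:c02b:c02f|0:17:ff01:a:b:23:10:5:d:12:33:2b:2d|Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0
198.51.100.7|TLSv1.2|c02c:c030:9f|0:a:b:d:10:ff01|python-requests/2.31.0
198.51.100.8|TLSv1.2|c02c:c030:9f|0:a:b:d:10:ff01|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15
198.51.100.9|TLSv1.2|c02c:c030:9f|0:a:b:d:10:ff01|Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0
"""


def parse_line(line):
    """Split one logged request into the fields the edge tagged it with."""
    ip, proto, ciphers, exts, ua = line.split("|", 4)
    return {"ip": ip, "proto": proto, "ciphers": ciphers, "exts": exts, "ua": ua}


def fingerprint(rec):
    """JA3-style fingerprint: hash of the ordered ClientHello attributes.
    Order matters (same ciphers in a different order is a different stack).
    MD5 is used only as a compact identifier, as JA3 does, not for integrity."""
    material = ",".join((rec["proto"], rec["ciphers"], rec["exts"]))
    return hashlib.md5(material.encode("ascii")).hexdigest()


def ua_family(ua):
    """Product name of the last 'Name/version' token, e.g. 'Firefox'."""
    return ua.rsplit(" ", 1)[-1].split("/", 1)[0]


def fingerprints_by_ua_family(log_text):
    """Map each fingerprint to the set of UA families that presented it."""
    families = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            families[fingerprint(rec)].add(ua_family(rec["ua"]))
    return families


def suspicious_fingerprints(log_text):
    """Fingerprints claiming more than one UA family: {fp: sorted families}."""
    grouped = fingerprints_by_ua_family(log_text)
    return {fp: sorted(f) for fp, f in grouped.items() if len(f) > 1}
```

On the sample, both Firefox requests share one fingerprint and the TLSv1.2 stack is flagged because python-requests, Safari and Chrome all presented the same ClientHello shape.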