JA4: Fix SSL 2 version and remove fictional SSL 1 version along with …

…mis-mapping to s3 (ntop#2684)

* JA4: Fix SSL 2 version constant to 0x0002

SSL 2 uses a version field of 0x0002, not 0x0200.  This is confirmed not
only in the original Netscape spec [1] and RFC draft of the time [2],
but also in major implementations such as OpenSSL [3] and Wireshark [4].

An earlier version of the JA4 spec [5] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [6] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[6] FoxIO-LLC/ja4#150

* JA4: Remove fictional (and mis-mapped to "s3") SSL 1

SSL 1 was never actually deployed, the design was iterated upon to
become SSL 2 before it was released by Netscape [1] [2] [3] [4].  I
don't think it's public knowledge what the version field for SSL 1 would
have looked like, or if it even was two bytes large or at the same
offset on the wire; given that SSL 2 used 0x0002 it seems more likely to
have been 0x0001 than 0x0100.

Version field 0x0100, that is currently misattributed to SSL 1, was used
by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f
[5], when OpenSSL switched to the version field specified by RFC4347.
This use of 0x0100 is also reflected in Wireshark's TLS dissector [4]
(`DTLSV1DOT0_OPENSSL_VERSION`).

For these reasons, it seems to make sense to remove the fictional SSL 1
code entirely.

This also removes an issue where the resulting JA4 string would be "s3"
instead of the intended "s1".

An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for
SSL 2 and 0x0100 for SSL 1.  This was fixed in [7] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] openssl/openssl@OpenSSL_0_9_8e...OpenSSL_0_9_8f
[6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[7] FoxIO-LLC/ja4#150

* Fix tests where old DTLS (0x0100) was mis-identified as SSL 3.0

These two tests contain DTLS flows using a version field of 0x0100 as
used by OpenSSL pre 0.9.8f, before OpenSSL switched to the standardised
version code points for its DTLS implementation.  The correct JA4
mapping is "d00", not "ds3".

src/lib/protocols/tls.c

@@ -2093,16 +2093,11 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
     ja_str[2] = '3';
     break;
 
-  case 0x0200: /* SSL 2.0 = “s2” */
+  case 0x0002: /* SSL 2.0 = “s2” */
     ja_str[1] = 's';
     ja_str[2] = '2';
     break;
 
-  case 0x0100: /* SSL 1.0 = “s1” */
-    ja_str[1] = 's';
-    ja_str[2] = '3';
-    break;
-
   case 0xFEFF: /* DTLS 1.0 = “d1” */
     ja_str[1] = 'd';
     ja_str[2] = '1';

tests/cfgs/default/result/anyconnect-vpn.pcap.out

@@ -57,7 +57,7 @@ JA Host Stats:
 	2	TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 80/90][23.14 sec][(Advertised) ALPNs: http/1.1][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1048/487 11570/9008 2987/2009][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 325/652 1514/1514 494/646][Risk: ** Weak TLS Cipher **** Missing SNI TLS Extn **** ALPN/SNI Mismatch **][Risk Score: 200][Risk Info: SNI should always be present / http/1.1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d2204ht_95b9206a23eb_1ea9011b3dfa][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,12,4,0,0,4,0,0,0,8,0,0,0,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,8,4,0,0,0,4,0,4,0,16,0,25,0,0]
 	3	TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Cert About To Expire **][Risk Score: 160][Risk Info: No ALPN / SNI should always be present / Expected on port 443 / 29/Aug/2019 00:12:40 - 08/Oct/2019 00:12:40][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d070500_c20ebc0cf62a_ed727256b201][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Firefox][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,44,3,3,3,3,3,0,3,3,3,0,3,7,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,3,0,3,0,0,0,0,0]
 	4	TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][(Advertised) ALPNs: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][Risk: ** Weak TLS Cipher **** Missing SNI TLS Extn **** ALPN/SNI Mismatch **][Risk Score: 200][Risk Info: SNI should always be present / http/1.1 / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d2204ht_95b9206a23eb_1ea9011b3dfa][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Firefox][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,16,8,0,0,8,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,8,0,25,0,0]
-	5	UDP 10.0.0.227:54107 <-> 8.37.102.91:443 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 30/DTLS, Confidence: DPI][DPI packets: 4][cat: Web/5][14 pkts/2322 bytes <-> 15 pkts/3787 bytes][Goodput ratio: 75/83][0.24 sec][bytes ratio: -0.240 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/16 47/46 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 135/90 166/252 199/407 17/74][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLS (0100)][TLS (0100)][JA4: ds3d010000_2cfe23c976cf_e3b0c44298fc][JA3S: cee68a158056f16c2d1b274dde4e2ec3][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,3,3,39,13,18,3,6,6,3,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 10.0.0.227:54107 <-> 8.37.102.91:443 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 30/DTLS, Confidence: DPI][DPI packets: 4][cat: Web/5][14 pkts/2322 bytes <-> 15 pkts/3787 bytes][Goodput ratio: 75/83][0.24 sec][bytes ratio: -0.240 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/16 47/46 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 135/90 166/252 199/407 17/74][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][Risk Info: TLS (0100)][TLS (0100)][JA4: d00d010000_2cfe23c976cf_e3b0c44298fc][JA3S: cee68a158056f16c2d1b274dde4e2ec3][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,3,3,39,13,18,3,6,6,3,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 118/Slack, Confidence: DNS][DPI packets: 6][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][Hostname/SNI: slack.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][TLSv1.2][JA4: t12d1313h2_8b80da21ef18_e48c60694ef0][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,34,16,0,8,0,0,0,0,0,0,0,8,16,0,0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	7	TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: ConnCheck/30][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Hostname/SNI: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][Content-Type: text/plain][Server: AmazonS3][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 2][cat: Web/5][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45/62][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648/5004 5001/5006 2495/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121/176 176/176 55/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 443][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

tests/cfgs/default/result/dtls_old_version.pcapng.out

@@ -29,4 +29,4 @@ JA Host Stats:
 	1	 37.188.4.115             	 1      
 
 
-	1	UDP 37.188.4.115:56453 <-> 70.66.6.128:443 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 30/DTLS, Confidence: DPI][DPI packets: 7][cat: Web/5][4 pkts/584 bytes <-> 3 pkts/410 bytes][Goodput ratio: 71/69][7.22 sec][bytes ratio: 0.175 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1003/2008 2377/3064 4119/4119 1298/1055][Pkt Len c2s/s2c min/avg/max/stddev: 141/90 146/137 161/230 9/66][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLS (0100) / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLS (0100)][JA4: ds3d010000_692296a295db_e3b0c44298fc][JA3S: 8f48e117ae3543615168a2b087cda528][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,57,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 37.188.4.115:56453 <-> 70.66.6.128:443 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 30/DTLS, Confidence: DPI][DPI packets: 7][cat: Web/5][4 pkts/584 bytes <-> 3 pkts/410 bytes][Goodput ratio: 71/69][7.22 sec][bytes ratio: 0.175 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1003/2008 2377/3064 4119/4119 1298/1055][Pkt Len c2s/s2c min/avg/max/stddev: 141/90 146/137 161/230 9/66][Risk: ** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 200][Risk Info: TLS (0100) / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][TLS (0100)][JA4: d00d010000_692296a295db_e3b0c44298fc][JA3S: 8f48e117ae3543615168a2b087cda528][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 0,28,0,57,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]