mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-05 22:56:57 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size

Browse Source 
Deprecate tune.ssl.capture-cipherlist-size in favor of
tune.ssl.capture-buffer-size which better describes the purpose of the
setting.
This commit is contained in:
Marcin Deranek 2021-07-13 19:04:24 +02:00 committed by Willy Tarreau
parent da0264a968
commit 310a260e4a
22 changed files with 55 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/h2spec.config vendored
View File

@ -1,7 +1,7 @@
global global
log stdout local0 log stdout local0
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
defaults defaults
mode http mode http

29
doc/configuration.txt
View File

@ -1110,7 +1110,8 @@ The following keywords are supported in the "global" section :
- tune.ssl.maxrecord - tune.ssl.maxrecord
- tune.ssl.default-dh-param - tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size - tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size - tune.ssl.capture-buffer-size
- tune.ssl.capture-cipherlist-size (deprecated)
- tune.vars.global-max-size - tune.vars.global-max-size
- tune.vars.proc-max-size - tune.vars.proc-max-size
- tune.vars.reqres-max-size - tune.vars.reqres-max-size
@ -2805,7 +2806,8 @@ tune.ssl.ssl-ctx-cache-size <number>
dynamically is expensive, they are cached. The default cache size is set to dynamically is expensive, they are cached. The default cache size is set to
1000 entries. 1000 entries.
tune.ssl.capture-cipherlist-size <number> tune.ssl.capture-buffer-size <number>
tune.ssl.capture-cipherlist-size <number> (deprecated)
Sets the maximum size of the buffer used for capturing client hello cipher Sets the maximum size of the buffer used for capturing client hello cipher
list, extensions list, elliptic curves list and elliptic curve point list, extensions list, elliptic curves list and elliptic curve point
formats. If the value is 0 (default value) the capture is disabled, formats. If the value is 0 (default value) the capture is disabled,
@ -18905,7 +18907,7 @@ ssl_fc_cipher : string
ssl_fc_cipherlist_bin([<filter_option>]) : binary ssl_fc_cipherlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello cipher list. The maximum Returns the binary form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values: <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default) 0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output 1 : exclude GREASE (RFC8701) values from the output
@ -18924,16 +18926,15 @@ ssl_fc_cipherlist_bin([<filter_option>]) : binary
ssl_fc_cipherlist_hex([<filter_option>]) : string ssl_fc_cipherlist_hex([<filter_option>]) : string
Returns the binary form of the client hello cipher list encoded as Returns the binary form of the client hello cipher list encoded as
hexadecimal. The maximum returned value length is limited by the shared hexadecimal. The maximum returned value length is limited by the shared
capture buffer size controlled by "tune.ssl.capture-cipherlist-size" capture buffer size controlled by "tune.ssl.capture-buffer-size" setting.
setting. Setting <filter_option> allows to filter returned data. Accepted Setting <filter_option> allows to filter returned data. Accepted values:
values:
0 : return the full list of ciphers (default) 0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output 1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_str([<filter_option>]) : string ssl_fc_cipherlist_str([<filter_option>]) : string
Returns the decoded text form of the client hello cipher list. The maximum Returns the decoded text form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values: <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default) 0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output 1 : exclude GREASE (RFC8701) values from the output
@ -18943,13 +18944,13 @@ ssl_fc_cipherlist_str([<filter_option>]) : string
ssl_fc_cipherlist_xxh : integer ssl_fc_cipherlist_xxh : integer
Returns a xxh64 of the cipher list. This hash can return only if the value Returns a xxh64 of the cipher list. This hash can return only if the value
"tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash "tune.ssl.capture-buffer-size" is set greater than 0, however the hash take
take into account all the data of the cipher list. into account all the data of the cipher list.
ssl_fc_ecformats_bin : binary ssl_fc_ecformats_bin : binary
Return the binary form of the client hello supported elliptic curve point Return the binary form of the client hello supported elliptic curve point
formats. The maximum returned value length is limited by the shared capture formats. The maximum returned value length is limited by the shared capture
buffer size controlled by "tune.ssl.capture-cipherlist-size" setting. buffer size controlled by "tune.ssl.capture-buffer-size" setting.
Example: Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
@ -18965,7 +18966,7 @@ ssl_fc_ecformats_bin : binary
ssl_fc_eclist_bin([<filter_option>]) : binary ssl_fc_eclist_bin([<filter_option>]) : binary
Returns the binary form of the client hello supported elliptic curves. The Returns the binary form of the client hello supported elliptic curves. The
maximum returned value length is limited by the shared capture buffer size maximum returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values: <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of supported elliptic curves (default) 0 : return the full list of supported elliptic curves (default)
1 : exclude GREASE (RFC8701) values from the output 1 : exclude GREASE (RFC8701) values from the output
@ -18984,7 +18985,7 @@ ssl_fc_eclist_bin([<filter_option>]) : binary
ssl_fc_extlist_bin([<filter_option>]) : binary ssl_fc_extlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello extension list. The maximum Returns the binary form of the client hello extension list. The maximum
returned value length is limited by the shared capture buffer size returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values: <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of extensions (default) 0 : return the full list of extensions (default)
1 : exclude GREASE (RFC8701) values from the output 1 : exclude GREASE (RFC8701) values from the output
@ -19111,8 +19112,8 @@ ssl_fc_protocol : string
ssl_fc_protocol_hello_id : integer ssl_fc_protocol_hello_id : integer
The version of the TLS protocol by which the client wishes to communicate The version of the TLS protocol by which the client wishes to communicate
during the session as indicated in client hello message. This value can during the session as indicated in client hello message. This value can
return only if the value "tune.ssl.capture-cipherlist-size" is set greater return only if the value "tune.ssl.capture-buffer-size" is set greater than
than 0. 0.
Example: Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\

2
include/haproxy/ssl_sock-t.h
View File

@ -276,7 +276,7 @@ struct global_ssl {
unsigned int max_record; /* SSL max record size */ unsigned int max_record; /* SSL max record size */
unsigned int default_dh_param; /* SSL maximum DH parameter size */ unsigned int default_dh_param; /* SSL maximum DH parameter size */
int ctx_cache; /* max number of entries in the ssl_ctx cache. */ int ctx_cache; /* max number of entries in the ssl_ctx cache. */
int capture_cipherlist; /* Size of the cipherlist buffer. */ int capture_buffer_size; /* Size of the capture buffer. */
int keylog; /* activate keylog */ int keylog; /* activate keylog */
int extra_files; /* which files not defined in the configuration file are we looking for */ int extra_files; /* which files not defined in the configuration file are we looking for */
int extra_files_noext; /* whether we remove the extension when looking up a extra file */ int extra_files_noext; /* whether we remove the extension when looking up a extra file */

2
reg-tests/ssl/add_ssl_crt-list.vtc
View File

@ -24,7 +24,7 @@ server s1 -repeat 2 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
crt-base ${testdir} crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin

2
reg-tests/ssl/del_ssl_crt-list.vtc
View File

@ -22,7 +22,7 @@ server s1 -repeat 2 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
crt-base ${testdir} crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin

2
reg-tests/ssl/new_del_ssl_cafile.vtc
View File

@ -22,7 +22,7 @@ server s1 -repeat 2 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir} crt-base ${testdir}

2
reg-tests/ssl/new_del_ssl_crlfile.vtc
View File

@ -22,7 +22,7 @@ server s1 -repeat 3 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir} crt-base ${testdir}

2
reg-tests/ssl/set_ssl_cafile.vtc
View File

@ -28,7 +28,7 @@ server s1 -repeat 4 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
defaults defaults

2
reg-tests/ssl/set_ssl_cert.vtc
View File

@ -33,7 +33,7 @@ server s1 -repeat 9 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir} crt-base ${testdir}

2
reg-tests/ssl/set_ssl_cert_bundle.vtc
View File

@ -28,7 +28,7 @@ server s1 -repeat 9 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir} crt-base ${testdir}

2
reg-tests/ssl/set_ssl_cert_noext.vtc
View File

@ -25,7 +25,7 @@ server s1 -repeat 3 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
ssl-load-extra-del-ext ssl-load-extra-del-ext
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin

2
reg-tests/ssl/set_ssl_crlfile.vtc
View File

@ -31,7 +31,7 @@ server s1 -repeat 4 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
defaults defaults

2
reg-tests/ssl/set_ssl_server_cert.vtc
View File

@ -17,7 +17,7 @@ server s1 -repeat 4 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
nbthread 1 nbthread 1

2
reg-tests/ssl/show_ssl_ocspresponse.vtc
View File

@ -27,7 +27,7 @@ feature ignore_unknown_macro
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
defaults defaults

2
reg-tests/ssl/ssl_client_samples.vtc
View File

@ -13,7 +13,7 @@ server s1 -repeat 3 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
crt-base ${testdir} crt-base ${testdir}
defaults defaults

2
reg-tests/ssl/ssl_default_server.vtc
View File

@ -23,7 +23,7 @@ server s1 -repeat 7 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir} crt-base ${testdir}
ca-base ${testdir} ca-base ${testdir}

2
reg-tests/ssl/ssl_errors.vtc
View File

@ -106,7 +106,7 @@ syslog Slg_logconnerror -level info {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
defaults defaults

2
reg-tests/ssl/ssl_frontend_samples.vtc
View File

@ -12,7 +12,7 @@ server s1 -repeat 3 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
crt-base ${testdir} crt-base ${testdir}
defaults defaults

2
reg-tests/ssl/ssl_server_samples.vtc
View File

@ -13,7 +13,7 @@ server s1 -repeat 3 {
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
crt-base ${testdir} crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin

2
reg-tests/ssl/wrong_ctx_storage.vtc
View File

@ -25,7 +25,7 @@ feature ignore_unknown_macro
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-buffer-size 1
listen frt listen frt
mode http mode http

20
src/cfgparse-ssl.c
View File

@ -272,8 +272,13 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur
target = &global_ssl.ctx_cache; target = &global_ssl.ctx_cache;
else if (strcmp(args[0], "maxsslconn") == 0) else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn; target = &global.maxsslconn;
else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) else if (strcmp(args[0], "tune.ssl.capture-buffer-size") == 0)
target = &global_ssl.capture_cipherlist; target = &global_ssl.capture_buffer_size;
else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) {
target = &global_ssl.capture_buffer_size;
ha_warning("parsing [%s:%d]: '%s' is deprecated and will be removed in version 2.7. Please use 'tune.ssl.capture-buffer-size' instead.\n",
file, line, args[0]);
}
else { else {
memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]); memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]);
return -1; return -1;
@ -295,9 +300,9 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur
return 0; return 0;
} }
static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx, static int ssl_parse_global_capture_buffer(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line, const struct proxy *defpx, const char *file, int line,
char **err) char **err)
{ {
int ret; int ret;
@ -310,7 +315,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
return -1; return -1;
} }
pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED); pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_buffer_size, MEM_F_SHARED);
if (!pool_head_ssl_capture) { if (!pool_head_ssl_capture) {
memprintf(err, "Out of memory error."); memprintf(err, "Out of memory error.");
return -1; return -1;
@ -1946,7 +1951,8 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime }, { CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int }, { CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int }, { CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.capture-buffer-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog }, { CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },

16
src/ssl_sock.c
View File

@ -124,7 +124,7 @@ struct global_ssl global_ssl = {
#endif #endif
.default_dh_param = SSL_DEFAULT_DH_PARAM, .default_dh_param = SSL_DEFAULT_DH_PARAM,
.ctx_cache = DEFAULT_SSL_CTX_CACHE, .ctx_cache = DEFAULT_SSL_CTX_CACHE,
.capture_cipherlist = 0, .capture_buffer_size = 0,
.extra_files = SSL_GF_ALL, .extra_files = SSL_GF_ALL,
.extra_files_noext = 0, .extra_files_noext = 0,
#ifdef HAVE_SSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
@ -556,7 +556,7 @@ static int ssl_sock_register_msg_callbacks(void)
if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat)) if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat))
return ERR_ABORT; return ERR_ABORT;
#endif #endif
if (global_ssl.capture_cipherlist > 0) { if (global_ssl.capture_buffer_size > 0) {
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello)) if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
return ERR_ABORT; return ERR_ABORT;
} }
@ -1795,7 +1795,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
capture->xxh64 = XXH64(msg, rec_len, 0); capture->xxh64 = XXH64(msg, rec_len, 0);
/* Capture the ciphersuite. */ /* Capture the ciphersuite. */
capture->ciphersuite_len = MIN(global_ssl.capture_cipherlist, rec_len); capture->ciphersuite_len = MIN(global_ssl.capture_buffer_size, rec_len);
capture->ciphersuite_offset = 0; capture->ciphersuite_offset = 0;
memcpy(capture->data, msg, capture->ciphersuite_len); memcpy(capture->data, msg, capture->ciphersuite_len);
msg += rec_len; msg += rec_len;
@ -1827,7 +1827,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
/* Parse each extension */ /* Parse each extension */
while (msg + 4 < extensions_end) { while (msg + 4 < extensions_end) {
/* Add 2 bytes of extension_id */ /* Add 2 bytes of extension_id */
if (global_ssl.capture_cipherlist >= offset + 2) { if (global_ssl.capture_buffer_size >= offset + 2) {
capture->data[offset++] = msg[0]; capture->data[offset++] = msg[0];
capture->data[offset++] = msg[1]; capture->data[offset++] = msg[1];
capture->extensions_len += 2; capture->extensions_len += 2;
@ -1880,8 +1880,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
if (ec_start) { if (ec_start) {
rec_len = ec_len; rec_len = ec_len;
if (offset + rec_len > global_ssl.capture_cipherlist) if (offset + rec_len > global_ssl.capture_buffer_size)
rec_len = global_ssl.capture_cipherlist - offset; rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_start, rec_len); memcpy(capture->data + offset, ec_start, rec_len);
capture->ec_offset = offset; capture->ec_offset = offset;
capture->ec_len = rec_len; capture->ec_len = rec_len;
@ -1889,8 +1889,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
} }
if (ec_formats_start) { if (ec_formats_start) {
rec_len = ec_formats_len; rec_len = ec_formats_len;
if (offset + rec_len > global_ssl.capture_cipherlist) if (offset + rec_len > global_ssl.capture_buffer_size)
rec_len = global_ssl.capture_cipherlist - offset; rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_formats_start, rec_len); memcpy(capture->data + offset, ec_formats_start, rec_len);
capture->ec_formats_offset = offset; capture->ec_formats_offset = offset;
capture->ec_formats_len = rec_len; capture->ec_formats_len = rec_len;