From 814e1624c2db4e4f4d526575d14d0f8477f13bf9 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Fri, 21 Sep 2018 07:57:34 +0200
Subject: [PATCH] output-json-tls: don't log as "resumed" without ServerHello

Don't log a session as "resumed" if a ServerHello record has not been seen. This makes sure that incomplete TLS sessions where the ClientHello contains a session ticket, is not logged as a session resumption.
---
 src/output-json-tls.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 1f7f909b96..68f87dcad8 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -135,6 +135,7 @@ static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
 been seen, and the session is not TLSv1.3 or later. */
 if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
 ssl_state->server_connp.cert0_subject == NULL) &&
+ (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
 json_object_set_new(js, "session_resumed", json_boolean(true));
 }
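Review bot: The comment that ends just above the condition still describes only the certificate and TLSv1.3 tests and does not mention the new `SSL_AL_FLAG_STATE_SERVER_HELLO` requirement. I would reword its tail to something like `a ServerHello has been seen, no certificate has been seen, and the session is not TLSv1.3 or later`, and add that a session ticket in the ClientHello is only an offer to resume. Even with the added test the field is still inferred from the absence of a parsed certificate. If the server certificate was not captured or parsed after the ServerHello, the event would presumably still carry `session_resumed: true`, so the comment should describe the field as a heuristic rather than proof of resumption. The comment starts above the hunk and the body of `JsonTlsLogSessionResumed` continues past it, so this is based on the visible lines only.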