From b789d2ae3d13cdb0d0bf6a5e40eafa96b82ced04 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 12 Oct 2016 11:21:28 +0200
Subject: [PATCH] tls: change 'no-reassemble' option to default off

This option was broken so there should be no visible change to actual deployments.
---
 src/app-layer-ssl.c | 12 +++++-------
 suricata.yaml.in | 4 ++++
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 5980efd34a..6fcfb29979 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -79,6 +79,9 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
     { NULL, -1 },
 };
 
+/* by default we keep tracking */
+#define SSL_CONFIG_DEFAULT_NOREASSEMBLE 0
+
 typedef struct SslConfig_ {
     int no_reassemble;
 } SslConfig;
@@ -1807,10 +1810,10 @@ void RegisterSSLParsers(void)
         /* Get the value of no reassembly option from the config file */
         if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
             if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
-                ssl_config.no_reassemble = 1;
+                ssl_config.no_reassemble = SSL_CONFIG_DEFAULT_NOREASSEMBLE;
         } else {
             if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &ssl_config.no_reassemble) != 1)
-                ssl_config.no_reassemble = 1;
+                ssl_config.no_reassemble = SSL_CONFIG_DEFAULT_NOREASSEMBLE;
         }
     } else {
         SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
@@ -1820,11 +1823,6 @@ void RegisterSSLParsers(void)
 #ifdef UNITTESTS
     AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_TLS, SSLParserRegisterTests);
 #endif
-
-    /* Get the value of no reassembly option from the config file */
-    if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
-        ssl_config.no_reassemble = 1;
-
     return;
 }
 
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 74b73d7f1d..6fa50fea23 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
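Review bot: The comment on the new `SSL_CONFIG_DEFAULT_NOREASSEMBLE` macro, "by default we keep tracking", does not say what the two values of `SslConfig.no_reassemble` mean or which config keys feed it, and this constant is the only place in the C source where that contract can live. I would write it as `/* default for (app-layer.protocols.)tls.no-reassemble: 0 = keep tracking the TLS session after the handshake, 1 = stop processing it once the handshake is done */`. The field is a plain `int` filled by ConfGetBool in the later hunk, so spelling out the 0/1 meaning next to the default is what a reader needs.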
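Review bot: The commit message's "no visible change to actual deployments" does not seem to follow from the two `ssl_config.no_reassemble = SSL_CONFIG_DEFAULT_NOREASSEMBLE;` assignments in this hunk taken together with the block the third hunk deletes: that deleted block, `if (ConfGetBool("tls.no-reassemble", ...) != 1) ssl_config.no_reassemble = 1;`, ran unconditionally at the end of RegisterSSLParsers, so any configuration without the legacy `tls.no-reassemble` key previously ended up with no_reassemble = 1, whereas after this change the same configuration gets 0 and TLS sessions keep being tracked past the handshake. If that reading is right, this is an operational change (more per-flow TLS state and inspection, and no handshake-triggered flow bypass where bypass is enabled) that deserves a sentence in the commit message or upgrade notes rather than the "no visible change" claim. A smaller point of style: the two branches differ only in the key name, so picking the key first, `const char *key = ConfGetNode("app-layer.protocols.tls.no-reassemble") ? "app-layer.protocols.tls.no-reassemble" : "tls.no-reassemble";`, and calling ConfGetBool once would leave a single place where the default is applied. RegisterSSLParsers starts and ends outside this hunk.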
@@ -654,6 +654,10 @@ app-layer:
       detection-ports:
         dp: 443
 
+      # Completely stop processing TLS/SSL session after the handshake
+      # completed. If bypass is enabled this will also trigger flow
+      # bypass. If disabled (the default), TLS/SSL session is still
+      # tracked for Heartbleed and other anomalies.
       #no-reassemble: yes
     dcerpc:
       enabled: yes
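Review bot: The first sentence of the new comment above `#no-reassemble: yes` reads awkwardly ("stop processing TLS/SSL session after the handshake completed") and omits the one fact an operator deciding on this knob needs, namely that the post-handshake tracking it disables is what produces the TLS anomaly events it mentions. I would reword it as `# Completely stop processing the TLS/SSL session once the handshake has completed. With bypass enabled this also triggers flow bypass. Leave disabled (the default) to keep tracking the session so Heartbleed and other anomaly events can still be raised.` The C side in this commit also still honours the legacy top-level `tls.no-reassemble` key when the `app-layer.protocols.tls` one is absent, which this comment could note so operators with old configs know which key wins.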