From 1f4725fcaba4ecd2e68f032a5056377d538a0519 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 27 Sep 2016 09:38:42 -0600
Subject: [PATCH] detect-tls: make check on fingerprint directional
---
 src/detect-tls.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/detect-tls.c b/src/detect-tls.c
index 6a0830a3de..f61265957a 100644
--- a/src/detect-tls.c
+++ b/src/detect-tls.c
@@ -653,13 +653,20 @@ static int DetectTlsFingerprintMatch (ThreadVars *t, DetectEngineThreadCtx *det_
 int ret = 0;
- if (ssl_state->server_connp.cert0_fingerprint != NULL) {
+ SSLStateConnp *connp = NULL;
+ if (flags & STREAM_TOSERVER) {
+ connp = &ssl_state->client_connp;
+ } else {
+ connp = &ssl_state->server_connp;
+ }
+
+ if (connp->cert0_fingerprint != NULL) {
 SCLogDebug("TLS: Fingerprint is [%s], looking for [%s]\n",
- ssl_state->server_connp.cert0_fingerprint,
+ connp->cert0_fingerprint,
 tls_data->fingerprint);
 if (tls_data->fingerprint &&
- (strstr(ssl_state->server_connp.cert0_fingerprint,
+ (strstr(connp->cert0_fingerprint,
 tls_data->fingerprint) != NULL)) {
 if (tls_data->flags & DETECT_CONTENT_NEGATED) {
 ret = 0;
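Review bot: The new `if (flags & STREAM_TOSERVER)` selection carries no comment explaining why the to-server direction maps to `client_connp`, yet that mapping now decides which peer's certificate a fingerprint rule inspects. Assuming `client_connp` holds what the client sent, I would add above it `/* to-server: inspect the certificate sent by the client; otherwise the one sent by the server */`. Because the `else` branch is taken whenever the to-server bit is unset, and `connp->cert0_fingerprint` is presumably NULL for a side that presented no certificate, a rule evaluated in the to-server direction would stop seeing the server fingerprint it matched before this change; the keyword documentation should say so, so that rule writers verify their flow direction instead of silently losing a detection. DetectTlsFingerprintMatch starts and ends outside the hunk, so how `ret` is handled on the NULL path (including for negated rules) is not visible here.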