From 8c3f1aa7a5735bd92d410c19ff7898aa05502079 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Fri, 21 Sep 2018 08:03:26 +0200
Subject: [PATCH] tlslog: don't log as "resumed" without ServerHello

Don't log a session as "resumed" if a ServerHello record has not been seen. This makes sure that incomplete TLS sessions where the ClientHello contains a session ticket, is not logged as a session resumption.
---
 src/log-tlslog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/log-tlslog.c b/src/log-tlslog.c
index 9ee272611c..b9518aeaf1 100644
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
@@ -475,6 +475,7 @@ static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
 been seen. */
 if ((ssl_state->server_connp.cert0_issuerdn == NULL) &&
 (ssl_state->server_connp.cert0_subject == NULL) &&
+ (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
 MemBufferWriteString(aft->buffer, " Session='resumed'");
 }
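Review bot: The comment that ends just above the condition (`... been seen. */`, its start is outside the hunk) should be updated to state the new ServerHello requirement, because `Session='resumed'` is still inferred rather than observed: no issuer or subject was parsed and the ServerHello flag is set. A flow where the ServerHello was seen but the Certificate record was never parsed (capture loss, for instance) would presumably still be labelled resumed, which matters to anyone keying detections on this field. I would add a comment along the lines of `/* Heuristic: ServerHello seen but no server certificate parsed; can also match flows with missing records. */`. For consistency with the explicit `== 0` on the following line, the new test could be written `(ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) != 0`. LogTlsLogger itself starts and ends outside the hunk.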