From 009a85ef53555f9fcfdc6d046aa9cc403b2d3363 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 19 Jan 2026 17:33:01 +0000
Subject: [PATCH] TLS: better handling of encrypted/cleartext alert messages (#3095)
---
 src/lib/protocols/tls.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 9cdf42449..a6bf74d51 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1509,7 +1509,10 @@ int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 printf("[TLS] *** TLS ALERT ***\n");
 #endif
- if(len >= 7) {
+ /* Basic heuristic to tell if the alert is encrypted or not */
+ if(len == 7 &&
+ (message->buffer[5] == 1 ||
+ message->buffer[5] == 2)) {
 u_int8_t alert_level = message->buffer[5];
 if(alert_level == 2 /* Warning (1), Fatal (2) */)
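Review bot: The new comment on the `if(len == 7 && ...)` guard calls it a "basic heuristic" but does not state the rule, so the literals 7, 5, 1 and 2 are left for the reader to decode. I would spell it out, e.g. `/* Cleartext alert: record is exactly 7 bytes (presumably 5-byte header + level + description) and level is Warning (1) or Fatal (2); anything else is treated as encrypted and skipped */`. Tightening `len >= 7` to `len == 7` also means a cleartext record longer than a single alert no longer reaches the `alert_level == 2` check, so the fatal-alert handling after it is silently skipped for such records; if that is intended, the comment should say so. Since `message->buffer[5]` is now read three times, assigning `alert_level` before the test would keep the condition on one line. The function starts and ends outside the hunk, so how `len` is bounded against the buffer contents cannot be confirmed from here.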