From 76678196870872f8b4716933b215775f3d53090f Mon Sep 17 00:00:00 2001
From: Daniel Lysfjord <lysfjord.daniel@smokepit.net>
Date: Sat, 22 Mar 2025 23:00:27 +0100
Subject: [PATCH] Add Timeout/Connection closed during SSL handshake as a
 hostile action

---
 lib/haproxy_parser.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/haproxy_parser.pm b/lib/haproxy_parser.pm
index 69b4562..ba30441 100644
--- a/lib/haproxy_parser.pm
+++ b/lib/haproxy_parser.pm
@@ -22,6 +22,14 @@ sub parser {
 			m/(\ ($re_host):[0-9]{1,6})/gcix && do {
 				$host	= $2;
 			};
+	} elsif($string =~ m/https\/1: (Timeout|Connection closed) during SSL handshake/) {
+		$_		= $string;
+		$reply		= 'SSL handshake error';
+		$hostile	= 1;
+		PARSE:
+			m/(:\ ($re_host):[0-9]{1,6})/gcix && do {
+				$host	= $2;
+			};
 	} elsif($string =~ m/http(s\~|) http(s|)\/\<NOSRV\>/) {
 		if($string =~ m/-1\/-1\/-1\/-1\/[0-9]{1,20} (400|0) 0/) {
 			#This one seems like someone is doing something bad. Return code 400/0