[Bro] why x509_extensions event never called?
bernhard at ICSI.Berkeley.EDU
Mon Jan 27 09:00:59 PST 2014
On Jan 27, 2014, at 7:02 AM, Seth Hall <seth at icir.org> wrote:
> On Jan 26, 2014, at 1:27 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:
>> event x509_extension(c: connection, is_orig: bool, data: string)
>>     {
>>     print "THERE'S AN EXTENSION!";
>>     }
> That looks correct. You're going to have to give us more information and ideally a trace file. Also, consider that if you aren't seeing certificates that have extensions you won't see this event fire.
Sorry, this one is our fault. At the moment, the x509_extension event never fires due to
a bug in the SSL analyzer.
I have this fixed in a branch — however the fix never made it back into the Bro master
(because the branch also changes a number of other things about x509 certificate
handling; some of them are not quite working yet).
I will backport that little part and post a patch in a bit.