[Bro] why x509_extensions event never called?

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Mon Jan 27 09:00:59 PST 2014

On Jan 27, 2014, at 7:02 AM, Seth Hall <seth at icir.org> wrote:
> On Jan 26, 2014, at 1:27 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:
>> event x509_extension(c: connection, is_orig: bool, data: string) 
>> {
>> 	print "THERE'S AN EXTENSION!";
>> }
> That looks correct.  You're going to have to give us more information and ideally a trace file.  Also, consider that if you aren't seeing certificates that have extensions you won't see this event fire.

Sorry, this one is our fault. At the moment, the x509_extension event never fires due to
a bug in the SSL analyzer.

I have this fixed in a branch — however the fix never made it back into the Bro master
(because the branch also changes a number of other things about x509 certificate 
handling; some of them are not quite working yet).

I will backport that little part and post a patch in a bit.


More information about the Bro mailing list