[Bro] (no subject)

Zach Holt zholt at andrew.cmu.edu
Tue Nov 25 10:33:32 PST 2014

Hi Michał,

The standard set by the Certification Authority/Browser (CA/B) Forum required that SSL certificates issued after January 1, 2014 must have a key length of at least 2048 bits. So while some 1024-bit SSL certs may still be valid if they were issued before that date, they are not up to current standards and are quickly becoming deprecated. Additionally, with the overlap of the SHA-1 phase-out and browser security warnings in the upcoming months, I expect most 1024-bit SSL certs will be killed off quickly.

Hope this helps,

Zachary Holt
Information Security Office
Carnegie Mellon University

On Nov 25, 2014, at 12:58 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:


A script that is a slightly modified version of what's shipped with Bro gives me interesting results.

The script source


Take a look at lines

    local key_length = cert$key_length;

    if ( key_length < notify_minimal_key_length )

I can see (in notice.log) warnings about a host using a 1024-bit certificate. Well, the minimal acceptable length is set to 1024, so I should not get any warnings.


1416937779.196106 CoZK6Z1Y61rsevYSCd 34715 13000 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 13000 - nsm7-eth4-6 Notice::ACTION_LOG 86400.000000 F

The ssl.log and x509.log show that the connection was over SSL, and the certificate is 1024 bit.
Bro mailing list
bro at bro-ids.org
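The thread turns on two thresholds: the script's notify_minimal_key_length check (quoted above, and stated in the thread as set to 1024) and the CA/B Forum's 2048-bit requirement for certificates issued on or after January 1, 2014 (from the reply). The Python below is an added example, not Bro's own weak-key policy script; it mirrors the quoted strict `<` condition, classifies keys against the CA/B baseline, and runs over constructed records. The record fields are an assumption for the example and are not the real x509.log column layout; only the connection id is taken from the notice.log line in the thread.

```python
"""Audit TLS certificate key lengths the way the quoted Bro condition does
(strict '<' against notify_minimal_key_length) and against the CA/B Forum
2048-bit baseline for certificates issued on or after 2014-01-01.
Added example; not Bro's own weak-key policy script."""
from datetime import date

# Threshold value as stated in the thread; the quoted check is strict '<'.
NOTIFY_MINIMAL_KEY_LENGTH = 1024

# CA/B Forum baseline cited in the reply.
CAB_MIN_RSA_BITS = 2048
CAB_EFFECTIVE_FROM = date(2014, 1, 1)

# Constructed records loosely modelled on Bro's x509.log. The field set is an
# assumption for this example, not the real log schema.
SAMPLE_X509 = [
    {"id": "CoZK6Z1Y61rsevYSCd",  # id from the notice.log line in the thread
     "key_type": "rsa", "key_length": 1024,
     "not_valid_before": date(2013, 6, 1),
     "sig_alg": "sha1WithRSAEncryption"},
    {"id": "constructed-2", "key_type": "rsa", "key_length": 1024,
     "not_valid_before": date(2014, 3, 1),
     "sig_alg": "sha256WithRSAEncryption"},
    {"id": "constructed-3", "key_type": "rsa", "key_length": 2048,
     "not_valid_before": date(2014, 3, 1),
     "sig_alg": "sha256WithRSAEncryption"},
    {"id": "constructed-4", "key_type": "rsa", "key_length": 512,
     "not_valid_before": date(2012, 1, 15),
     "sig_alg": "sha1WithRSAEncryption"},
]


def bro_weak_key(key_length, notify_minimal_key_length=NOTIFY_MINIMAL_KEY_LENGTH):
    """Same condition as the quoted script line: only keys strictly shorter
    than the threshold are flagged, so 1024 bits passes a 1024 threshold."""
    return key_length < notify_minimal_key_length


def cab_status(rec):
    """Classify an RSA key against the CA/B 2048-bit requirement.
    Returns None when the key meets the baseline."""
    if rec["key_type"] != "rsa" or rec["key_length"] >= CAB_MIN_RSA_BITS:
        return None
    if rec["not_valid_before"] >= CAB_EFFECTIVE_FROM:
        return "violates CA/B baseline (issued on/after 2014-01-01)"
    return "legacy pre-2014 key, below current baseline"


def audit(records, notify_minimal_key_length=NOTIFY_MINIMAL_KEY_LENGTH):
    """Return {cert_id: [reasons]}; an empty list means nothing to report."""
    findings = {}
    for rec in records:
        reasons = []
        if bro_weak_key(rec["key_length"], notify_minimal_key_length):
            reasons.append("below Bro notify_minimal_key_length")
        cab = cab_status(rec)
        if cab:
            reasons.append(cab)
        if rec["sig_alg"].lower().startswith("sha1"):
            reasons.append("SHA-1 signature, being phased out")
        findings[rec["id"]] = reasons
    return findings


if __name__ == "__main__":
    for cert_id, reasons in audit(SAMPLE_X509).items():
        print(cert_id, "->", "; ".join(reasons) or "ok")
    # Raising the threshold to the CA/B figure makes 1024-bit keys fire as well.
    print(audit(SAMPLE_X509, 2048)["CoZK6Z1Y61rsevYSCd"])
```

With the default threshold the 1024-bit records are reported only on the CA/B and SHA-1 grounds, not by the strict `<` check; passing 2048 as the threshold is how a deployment would align the Bro-style check with the baseline the reply describes.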

