[Bro] (no subject)
zholt at andrew.cmu.edu
Tue Nov 25 10:33:32 PST 2014
The standard set by the Certification Authority/Browser (CA/B) Forum required that SSL certificates issued after January 1, 2014 must have a key length of at least 2048 bits. So while some 1024-bit SSL certs may still be valid if they were issued before that date, they are not up to current standards and are quickly becoming deprecated. Additionally, with the overlap of the SHA-1 phaseout and browser security warnings in the upcoming months, I expect most 1024-bit SSL certs will be killed off quickly.
Hope this helps,
Information Security Office
Carnegie Mellon University
On Nov 25, 2014, at 12:58 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
A script that is a slightly modified version of what's shipped with Bro gives me interesting results.
The script source
Take a look at these lines:
local key_length = cert$key_length;
if ( key_length < notify_minimal_key_length )
I can see (in notice.log) warnings about a host using a 1024-bit certificate. Well, the minimal acceptable length is set to 1024, so I should not get any warnings.
1416937779.196106 CoZK6Z1Y61rsevYSCd 188.8.131.52 34715 10.22.72.139 13000 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 184.108.40.206 10.22.72.139 13000 - nsm7-eth4-6 Notice::ACTION_LOG 86400.000000 F
The ssl.log and x509.log show that the connection was over SSL, and the certificate is 1024-bit.
Bro mailing list
bro at bro-ids.org
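The threshold comparison discussed in the thread, `key_length < notify_minimal_key_length`, is easy to reason about on paper but the boundary case is exactly where the confusion above sits. The following is an added example, written for this archive page; it is neither Bro's weak-keys script nor code from either poster. It reads a constructed x509.log excerpt in Bro's tab-separated format (header-driven, so only the `#fields` names matter; the column subset and every row are invented), applies the same strict `<` check against a configurable minimum, and shows that with the minimum at 1024 a 1024-bit RSA key is not reported, while with the CA/B Forum minimum of 2048 it is. Skipping non-RSA keys and unset (`-`) lengths is a design choice of this example, not something taken from the page.

```python
"""
Weak-key check over Bro x509.log-style records (added example, not Bro's script).

Assumptions (not from the thread): the log is tab-separated with a '#fields'
header naming the columns, unset values are '-', and the column subset below
is a constructed excerpt of x509.log. Only RSA keys are compared by default,
because bit counts are not comparable across algorithms (a 256-bit EC key is
not weak in the sense a 1024-bit RSA key is).
"""

# Constructed x509.log excerpt. The '#fields' line is a subset of the real
# x509.log columns; all record values are invented for this example.
SAMPLE_X509_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tx509
#fields\tts\tid\tcertificate.subject\tcertificate.key_alg\tcertificate.key_type\tcertificate.key_length
#types\ttime\tstring\tstring\tstring\tstring\tcount
1416937779.196106\tF1x509a\tCN=weak.example.test\trsaEncryption\trsa\t1024
1416937780.000000\tF1x509b\tCN=ok.example.test\trsaEncryption\trsa\t2048
1416937781.000000\tF1x509c\tCN=old.example.test\trsaEncryption\trsa\t512
1416937782.000000\tF1x509d\tCN=ecc.example.test\tid-ecPublicKey\tecdsa\t256
1416937783.000000\tF1x509e\tCN=nokey.example.test\trsaEncryption\trsa\t-
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            # Everything after the literal '#fields' token is a column name.
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other metadata lines (#separator, #types, ...)
        if fields is None:
            raise ValueError("record encountered before #fields header")
        yield dict(zip(fields, line.split("\t")))


def weak_key_notices(records, minimal_key_length=2048, rsa_only=True):
    """Return (id, subject, key_length) for every certificate whose key is
    strictly shorter than minimal_key_length.

    The comparison is the same strict '<' as in the thread, so a key that is
    exactly at the threshold is NOT reported. Unset lengths ('-') are skipped.
    """
    notices = []
    for rec in records:
        raw = rec.get("certificate.key_length", "-")
        if raw == "-":
            continue  # no public-key length recorded for this certificate
        if rsa_only and rec.get("certificate.key_type") != "rsa":
            continue  # example-only filter; EC key sizes are not comparable
        key_length = int(raw)
        if key_length < minimal_key_length:
            notices.append((rec["id"], rec["certificate.subject"], key_length))
    return notices


def main():
    records = list(parse_bro_log(SAMPLE_X509_LOG))
    # 1024 is the value the poster says was configured; 2048 is the CA/B minimum.
    for threshold in (1024, 2048):
        hits = weak_key_notices(records, threshold)
        print(f"minimal key length {threshold}: {len(hits)} weak RSA key(s)")
        for cert_id, subject, bits in hits:
            print(f"  {cert_id}  {subject}  {bits}-bit")


if __name__ == "__main__":
    main()
```

Running it prints one hit (the 512-bit key) for a minimum of 1024 and two hits (512 and 1024) for a minimum of 2048; a 1024-bit key can only trigger the notice if the effective minimum is above 1024, which is the first thing to confirm when the configured value and the observed notices disagree.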