[Bro] (no subject)
michal at rsbac.org
Tue Nov 25 11:49:57 PST 2014
Well that's an interesting story, completely off topic ;-)
Anyway, I found the bug, I had the constant redefined somewhere else.
Consts that you can redef are funny sometimes.
On 25/11/14 19:33, Zach Holt wrote:
> Hi Michał,
> The standard set by the Certification Authority/Browser (CA/B) Forum
> required that SSL certificates issued after January 1, 2014 must have
> a key length of at least 2048 bits. So while some 1024-bit SSL certs
> may still be valid if they were issued before that date, they are not
> up to current standards and are quickly becoming deprecated.
> Additionally, given the overlap with SHA-1 phaseout and browser security
> warnings in the upcoming months, I expect most 1024-bit SSL certs will
> be killed off quickly.
> Hope this helps,
> Zachary Holt
> Information Security Office
> Carnegie Mellon University
> On Nov 25, 2014, at 12:58 PM, Michał Purzyński
> <michalpurzynski1 at gmail.com> wrote:
>> A script that is a slightly modified version of what's shipped with
>> Bro gives me interesting results.
>> The script source
>> Take a look at lines
>> local key_length = cert$key_length;
>> if ( key_length < notify_minimal_key_length )
>> I can see (in notice.log) warnings about a host using a 1024-bit
>> certificate. Well, the minimal acceptable length is set to 1024 so I
>> should not get any warnings.
>> uses weak certificate with 1024 bit
>> The ssl.log and x509.log show that the connection was over SSL, and
>> the certificate is 1024 bit.
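An added example, not part of the original messages or of the Bro distribution: a small Python scanner that lists every declaration and `redef` of a threshold such as `notify_minimal_key_length` across scripts in load order, which is how a stray redefinition like the one described in this thread can be located. The file names, the `SSL` module prefix and the values in the sample are constructed, and matching on the short constant name is a simplification.

```python
import re

# Matches the declaration "const NAME = VALUE &redef;" and overrides "redef NAME = VALUE;".
ASSIGN = re.compile(r'^\s*(?P<kind>const|redef)\s+(?P<name>[A-Za-z_][\w:]*)\s*=\s*'
                    r'(?P<value>[^;&]+?)\s*(?:&redef\s*)?;')

def find_assignments(scripts, const_name):
    """scripts: [(filename, text)] in load order. Returns every declaration or
    redef of const_name as (filename, lineno, kind, value)."""
    short = const_name.split("::")[-1]  # simplification: module prefix is ignored
    hits = []
    for fname, text in scripts:
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.split("#", 1)[0]  # drop comments (assumes no '#' inside strings)
            m = ASSIGN.match(code)
            if m and m.group("name").split("::")[-1] == short:
                hits.append((fname, lineno, m.group("kind"), m.group("value")))
    return hits

def effective_value(hits):
    """With plain '=' assignments, the last one in load order is what the check sees."""
    return hits[-1][3] if hits else None

def overriding_redefs(hits):
    """Redefs whose value differs from the value in the const declaration."""
    declared = [h[3] for h in hits if h[2] == "const"]
    return [h for h in hits if h[2] == "redef" and declared and h[3] != declared[0]]

# Constructed sample scripts (file names, module and values are made up for illustration).
SAMPLE = [
    ("weak-keys-custom.bro",
     "module SSL;\nexport {\n\tconst notify_minimal_key_length = 1024 &redef;\n}\n"),
    ("site/local.bro",
     "@load ./weak-keys-custom\n"
     "# redef SSL::notify_minimal_key_length = 512;\n"
     "redef SSL::notify_minimal_key_length = 2048;\n"),
]

if __name__ == "__main__":
    hits = find_assignments(SAMPLE, "SSL::notify_minimal_key_length")
    for fname, lineno, kind, value in hits:
        print(f"{fname}:{lineno}: {kind} -> {value}")
    print("effective value:", effective_value(hits))
    print("overrides:", overriding_redefs(hits))
```

In the constructed sample the declaration says 1024 but a later `redef` raises the threshold to 2048, so a 1024-bit certificate would still produce a notice.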