[Bro-Dev] istate.events-ssl test
Jonathan Siwek
jsiwek at ncsa.illinois.edu
Mon Jun 13 10:31:42 PDT 2011
> No, the SSL communication is actually not working for a reason I
> haven't figured out yet. The same kind of test worked fine with Bro
> 1.5 and the old istate test-suite but seems something broke when I
> rewrote the test for btest. Not sure yet what.
The CA cert that the test is using expired last March (see output at bottom).
> > 1307736535.043138 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
>
> Note that this is only the sender side; iirc, I didn't see anything
> received at the other end, and the connection was just aborted.
I tried generating my own keys and replacing what was in the test and the receiver looks like it saw everything (again output below). Let me know if it looks right to you and I can probably follow through and commit a working test unless you want to.
- Jon
$ openssl x509 -in ca_cert.pem -noout -enddate
notAfter=Mar 10 04:13:23 2011 GMT
$ ssldump -i lo0
New TCP connection #1: localhost(51344) <-> localhost(47756)
1 1 0.0011 (0.0011) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0x3a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
Unknown value 0x34
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
unknown value
NULL
1 2 0.0012 (0.0001) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
d7 3d eb 9a c8 d9 f1 e7 de fb 3a 2a 2d c3 4f 64
cc 26 46 d1 e0 41 34 2c 95 a9 8c 37 f9 8c 51 43
cipherSuite Unknown value 0x35
compressionMethod unknown value
1 3 0.0012 (0.0000) S>C Handshake
Certificate
1 4 0.0012 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
level fatal
value certificate_expired
1 6 0.0025 (0.0001) C>S Alert
level fatal
value certificate_expired
1 7 0.0027 (0.0001) C>S Alert
level fatal
value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
1 0.0029 (0.0001) S>C TCP FIN
# after replacing keys
$ btest -D istate/events-ssl.bro
istate.events-ssl ... failed
% 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
% cat .diag
== File ===============================
1307985621.588992 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
1307985621.588992 %events-send-1 > USER-AGENT: Wget/1.10
1307985621.588992 %events-send-1 > ACCEPT: */*
1307985621.588992 %events-send-1 > HOST: www.icir.org
1307985621.588992 %events-send-1 > CONNECTION: Keep-Alive
1307985621.773032 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
1307985621.773032 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
1307985621.773032 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
1307985621.773032 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
1307985621.773032 %events-send-1 < ACCEPT-RANGES: bytes
1307985621.773032 %events-send-1 < CONTENT-LENGTH: 9130
1307985621.773032 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
1307985621.773032 %events-send-1 < CONNECTION: Keep-Alive
1307985621.773032 %events-send-1 < CONTENT-TYPE: text/html
1307985621.957521 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
1307985621.957815 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
1307985622.141339 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
1307985622.141339 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
== Error ===============================
test-diff: no baseline found.
=======================================
% cat .stderr
<<< [49737] bro -C -r /Users/jsiwek/Projects/bro/bro/testing/btest/Traces/web.trace --pseudo-realtime ../sender.bro
>>>
<<< [49750] bro ../receiver.bro
1307985617.408817 processing suspended
1307985617.410215 processing continued
1307985623.207681 received termination signal
>>>
% 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
% 'btest-diff receiver/http.log' failed unexpectedly (exit code 100)
% cat .diag
== File ===============================
1307985621.655144 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
1307985621.655144 %events-rcv-1 > USER-AGENT: Wget/1.10
1307985621.655144 %events-rcv-1 > ACCEPT: */*
1307985621.655144 %events-rcv-1 > HOST: www.icir.org
1307985621.655144 %events-rcv-1 > CONNECTION: Keep-Alive
1307985621.835623 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
1307985621.835623 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
1307985621.835623 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
1307985621.835623 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
1307985621.835623 %events-rcv-1 < ACCEPT-RANGES: bytes
1307985621.835623 %events-rcv-1 < CONTENT-LENGTH: 9130
1307985621.835623 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
1307985621.835623 %events-rcv-1 < CONNECTION: Keep-Alive
1307985621.835623 %events-rcv-1 < CONTENT-TYPE: text/html
1307985622.037655 %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
1307985622.037655 %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
1307985622.203271 %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
1307985622.203271 %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
== Error ===============================
test-diff: no baseline found.
=======================================
% cat .stderr
<<< [49737] bro -C -r /Users/jsiwek/Projects/bro/bro/testing/btest/Traces/web.trace --pseudo-realtime ../sender.bro
>>>
<<< [49750] bro ../receiver.bro
1307985617.408817 processing suspended
1307985617.410215 processing continued
1307985623.207681 received termination signal
>>>
1 test failed
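Added example, not part of the post or of the Bro test suite: the failure above was an expired fixture CA cert surfacing as three fatal `certificate_expired` alerts in ssldump. A test harness can catch that earlier by parsing the `notAfter=` line that `openssl x509 -noout -enddate` prints (the command quoted in the post) and failing with a clear message, and can summarise a capture's Alert records when a handshake still dies. The function names, the 30-day warning threshold and the `ca_cert.pem` path in `main` are assumptions made for this example; the embedded ssldump sample is a constructed excerpt of the capture quoted above.

```python
"""Catch an expired test-fixture certificate before the TLS handshake does.

Added example, not code from the Bro project or from the post. It parses
the `notAfter=...` line printed by `openssl x509 -noout -enddate` and
classifies the cert as ok / expiring / expired, and it extracts Alert
records from an ssldump capture so a failed handshake is summarised as
"C>S fatal certificate_expired" instead of being read by eye. Function
names, the warn_days default and the path in main() are assumptions.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Date format OpenSSL uses for -enddate, e.g. "Mar 10 04:13:23 2011 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# ssldump record header: "<conn> [<rec>] <time> (<delta>) C>S|S>C <type> ..."
RECORD_RE = re.compile(r"^\d+(?:\s+\d+)?\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\w+)")


def parse_not_after(line: str) -> datetime:
    """Parse one `notAfter=<date>` line into a timezone-aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"unexpected openssl output: {line!r}")
    # OpenSSL prints GMT; %Z accepts it, but attach tzinfo explicitly.
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: Optional[datetime] = None) -> float:
    """Days until expiry; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


def classify(not_after: datetime, now: Optional[datetime] = None,
             warn_days: int = 30) -> str:
    """'expired', 'expiring' (lapses within warn_days) or 'ok'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    return "expiring" if left < warn_days else "ok"


def check_pem(path: str, now: Optional[datetime] = None,
              warn_days: int = 30) -> Tuple[str, datetime]:
    """Run openssl on a PEM file and classify its notAfter date."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        capture_output=True, text=True, check=True).stdout
    not_after = parse_not_after(out)
    return classify(not_after, now, warn_days), not_after


def alerts_from_ssldump(text: str) -> List[Tuple[str, str, str]]:
    """Return (direction, level, description) for every Alert record."""
    alerts = []
    direction = None   # set while inside an Alert record, else None
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            direction = m.group(1) if m.group(2) == "Alert" else None
            level = None
            continue
        if direction is None:
            continue           # handshake detail lines, cipher suites, etc.
        if line.startswith("level "):
            level = line.split(None, 1)[1]
        elif line.startswith("value "):
            alerts.append((direction, level, line.split(None, 1)[1]))
            direction, level = None, None
    return alerts


# Constructed sample: an excerpt of the ssldump capture quoted in the post.
SAMPLE_SSLDUMP = """\
1 4 0.0012 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
level fatal
value certificate_expired
1 6 0.0025 (0.0001) C>S Alert
level fatal
value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
"""


if __name__ == "__main__":
    # Usage: python check_fixture_cert.py ca_cert.pem   (path is an assumption)
    for pem in sys.argv[1:] or ["ca_cert.pem"]:
        state, when = check_pem(pem)
        print(f"{pem}: {state} (notAfter {when.isoformat()})")
        if state != "ok":
            sys.exit(1)
    for direction, lvl, desc in alerts_from_ssldump(SAMPLE_SSLDUMP):
        print(f"alert {direction} {lvl} {desc}")
```

Wiring `check_pem` into the test's setup step turns "handshake aborted for a reason I haven't figured out" into "ca_cert.pem: expired (notAfter 2011-03-10T04:13:23+00:00)"; the `expiring` state gives a few weeks' notice before a fixture cert silently breaks the suite again.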