[Bro-Dev] [JIRA] (BIT-1214) Updating Root CAs used for ssl.log

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Wed Jul 9 22:32:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17103#comment-17103 ] 

Johanna Amann commented on BIT-1214:

So - this question has two different answers, depending on what exactly is happening in your case.

You mention that Bro does not validate certificates of sites that are actually trusted. In case the root certificates that those sites chain back to are listed on http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included, this almost certainly means that the server is not sending one of the necessary intermediate certificates needed to verify the chain. Many browsers either cache those intermediate certificates or download them on-the-fly, so this kind of server configuration can go unnoticed for quite a while. You can use sites like https://www.ssllabs.com/ssltest/ to check your servers for this.

In case the server is using a root certificate that is not included in the Mozilla root store (and hence not shipped with Bro), you have to add the extra root certificate to the list of root certificates known to Bro. The steps in the email thread should still be applicable - you can add your extra certificate to SSL::root_certs by adding it to local.bro like suggested in that thread.

> Updating Root CAs used for ssl.log
> ----------------------------------
>                 Key: BIT-1214
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1214
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>         Environment: Running on RHEL 6.5
>            Reporter: Robert W
>            Assignee: Johanna Amann
>              Labels: logging
> Need assistance confirming how to update the root CAs that Bro uses for the ssl.log. When a list of websites is visited from the logs that have used a self-signed cert, but within that list a number of sites are actually trusted. I found some documentation that states you need to take a DER formatted version of your root public key and convert it to Bro's hex string, etc. 
> http://comments.gmane.org/gmane.comp.security.detection.bro/4117
> Could you confirm the steps to take to resolve this specific issue? I am trying to ensure there isn't a specific location in a local config that will allow me to set the path. Please advise if you need any additional information. 
