[Bro-Dev] [JIRA] (BIT-953) SSL Analyzer: return the root CA used to validate a cert

Bernhard Amann (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 4 05:47:18 PST 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15702#comment-15702 ] 

Bernhard Amann commented on BIT-953:

Ok, the split of x509 handling into the file-analysis framework is basically ready in the topic/bernhard/file-analysis-x509 branch.

I have a few small loose ends to tie up (mostly: update the test baselines), which I already started to do. But - before investing too much work in this - could someone take a look if the new interface looks ok?

The big changes basically are:
 * the certificate handling completely moved into a file analysis framework plugin
 * there is a new x509.log, which contains information about any certificate encountered on the wire. This contains more information than the old ssl.log, including a few certificate extensions like the subject alternative name, used ec curve names, etc.
 * the ssl.log has slightly less information about the certificates than before. It includes the certificate file IDs as well as the subject and the issuer of the host (and client) certificates. Validity, etc. was stripped (and not used by any base scripts)
 * the certificate DER values are not passed around scriptland anymore. Instead, an opaque of x509 is included in the x509_certificate event, which can be used to access the string form of a certificate using the x509_get_certificate_string function
 * the certificate validation function was changed quite a lot. It now returns the full validated certificate chain and takes arguments in a more convenient manner (sorted list of opaque of x509). This also should reduce overhead by quite a bit.

From a user's point of view, the biggest changes probably are the new logfiles. Do these look ok?

diff-link for the lazy: https://github.com/bro/bro/compare/topic;bernhard;file-analysis-x509

> SSL Analyzer: return the root CA used to validate a cert
> --------------------------------------------------------
>                 Key: BIT-953
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-953
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: liamrandall
>            Assignee: Bernhard Amann
>            Priority: Low
>              Labels: Analyzer, CA, Root, SSL
>             Fix For: 2.4
> Since Bro will validate certs can we add a variable that says who the root CA was; would be useful for CA pinning, white listing or black listing.
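What the issue asks for (exposing the root CA that anchored validation, so it can be pinned or allow/deny-listed) can be built on the interface described in the comment above. The following Bro script is an added example written for this page; it is not code from the thread, the topic branch, or the Bro project. It assumes the names as they later shipped in Bro 2.3 (`c$ssl$cert_chain`, `x509_verify` returning an `X509_Result` with a `chain_certs` vector ordered leaf to root, `x509_parse`, and `SSL::root_certs`); if the branch at the time of the message used different names, adjust accordingly. The `pinned_roots` set, the `root_ca` log field, and the `Unpinned_Root` notice are this example's own inventions.

```bro
##! Added example, not part of the original thread or the Bro code base.
##! Records which root CA anchored a successful server-certificate
##! validation and raises a notice when that root is not on a pin list.
##! Assumes the Bro 2.3 x509 file-analysis interface (assumption, see lead-in).

@load base/frameworks/notice
@load base/protocols/ssl

module RootCA;

export {
	redef record SSL::Info += {
		## Subject of the root certificate that anchored validation
		## (example-specific field, not in the upstream ssl.log).
		root_ca: string &log &optional;
	};

	redef enum Notice::Type += {
		## Validation succeeded, but against a root outside pinned_roots.
		Unpinned_Root
	};

	## Root subjects you choose to trust. Empty means "do not enforce".
	## Entries here are placeholders for your own policy (assumption).
	const pinned_roots: set[string] = set() &redef;
}

event ssl_established(c: connection) &priority=2
	{
	# The chain is a vector of file records; only those with parsed
	# x509 metadata carry the opaque handle x509_verify needs.
	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
		return;

	local chain: vector of opaque of x509 = vector();
	for ( i in c$ssl$cert_chain )
		{
		if ( c$ssl$cert_chain[i]?$x509 )
			chain[|chain|] = c$ssl$cert_chain[i]$x509$handle;
		}

	if ( |chain| == 0 )
		return;

	# x509_verify expects the chain sorted leaf first, as the comment
	# above describes, and returns the validated chain on success.
	local result = x509_verify(chain, SSL::root_certs);
	if ( result$result != 0 || ! result?$chain_certs || |result$chain_certs| == 0 )
		return;

	# chain_certs runs leaf -> root, so the last element is the anchor.
	local root = result$chain_certs[|result$chain_certs| - 1];
	local root_subject = x509_parse(root)$subject;
	c$ssl$root_ca = root_subject;

	if ( |pinned_roots| > 0 && root_subject !in pinned_roots )
		NOTICE([$note=Unpinned_Root,
		        $msg=fmt("validated against unpinned root: %s", root_subject),
		        $conn=c,
		        $identifier=cat(c$id$resp_h, c$id$resp_p, root_subject)]);
	}
```

Note that the root recorded here is the one Bro's own `SSL::root_certs` table happened to anchor on, not necessarily the one the client would have used; a pinning policy should therefore treat `root_ca` as Bro's verdict and keep `SSL::root_certs` in sync with the trust store you actually care about.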

This message was sent by Atlassian JIRA
