[Bro] Adding SSL certs to Bro 2.0
Stephane Chazelas
stephane.chazelas at gmail.com
Wed Feb 8 09:54:21 PST 2012
2011-11-16 13:16:40 -0500, Seth Hall:
> On Nov 16, 2011, at 12:28 PM, Mathew Binkley wrote:
[...]
> > I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> > CA certs. Is there a way to add our own to that or to a separate file?
> > How is that file generated? Thanks.
>
>
> We have an exercise from the workshop that specifically addresses this situation. We will be posting the workshop material really soon too.
>
> Ultimately, you need to take a DER formatted version of your root public key and convert it to Bro's hex string representation and add it to the SSL::root_certs table. Like this....
>
> redef SSL::root_certs += {
> ["your root certificates subject"] = "\x30\x82\x03\x75\x30\x82<snip a lot more of this>";
> };
[...]
In case it may be of some help to anyone, here is a script to
convert a PEM CA cert bundle such as
/etc/ssl/certs/ca-certificates.crt as found on Debian-based
systems to Bro's format:
<BEGIN>
#! /usr/bin/perl
# crt-to-bro: read a PEM certificate bundle (stdin or file arguments) and
# print one SSL::root_certs table entry per certificate.
use strict;
use warnings;
use Encode;
use Crypt::OpenSSL::X509;

my ($pem, $inside) = ("", 0);
while (<>) {
    # accumulate the lines between the BEGIN and END markers of each cert
    if (/BEGIN /) {
        $pem = "";
        $inside = 1;
    }
    $pem .= $_ if $inside;
    if (/END /) {
        my $cert = Crypt::OpenSSL::X509->new_from_string($pem);
        # subject RDNs, most specific first (CN=...,O=...,C=...), with
        # backslashes, commas and double quotes escaped so the key is a
        # valid Bro string literal
        my @rdn = map { $_->as_string } reverse @{$cert->subject_name->entries};
        s/[\\,"]/\\$&/g for @rdn;
        my $subject = encode("UTF-8", join ",", @rdn);
        # non-ASCII bytes become Bro \xHH escapes
        $subject =~ s/[\200-\377]/sprintf("\\x%02X", ord $&)/ge;
        # DER encoding of the certificate as a Bro hex-escaped string
        my $der = join "", map { "\\x" . uc $_ }
            unpack("(H2)*", $cert->as_string(Crypt::OpenSSL::X509::FORMAT_ASN1));
        print "\t[\"$subject\"] = \"$der\",\n";
        $inside = 0;
    }
}
<END>
(this gives the same output as found in the mozilla-ca.bro file)
Then, I have a /etc/ca-certificates/update.d/bro-cacerts to
update Bro's root_certs every time the system CA certs are
updated:
<BEGIN>
#! /bin/sh -
# /etc/ca-certificates/update.d/bro-cacerts: hook run by update-ca-certificates
# after the system CA bundle changes; regenerates Bro's root_certs file.
BRO_CERTSTORE=/usr/local/share/bro/site/certs.bro

# honour the system-wide switch for CA store updates
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi
echo
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

printf '%s\n' "Updating Bro IDS CA Cert store $BRO_CERTSTORE"
# noclobber: refuse to overwrite a leftover .new file from an interrupted run
set -C
# write to a temporary file first so a failed conversion never leaves a
# half-written certs.bro behind; crt-to-bro is the Perl script above
{
    echo "redef SSL::root_certs += {" &&
    /usr/local/bin/crt-to-bro < /etc/ssl/certs/ca-certificates.crt &&
    echo "};"
} > "$BRO_CERTSTORE.new" || exit
mv -f "$BRO_CERTSTORE.new" "$BRO_CERTSTORE" || exit

# reload Bro with the regenerated policy
echo "Restarting bro"
broctl check &&
broctl install &&
broctl restart
<END>
This way, Bro uses the same root CAs as the system to verify
certificates.
HTH
Stephane