[Bro] Adding SSL certs to Bro 2.0

Stephane Chazelas stephane.chazelas at gmail.com
Wed Feb 8 09:54:21 PST 2012


2011-11-16 13:16:40 -0500, Seth Hall:
> On Nov 16, 2011, at 12:28 PM, Mathew Binkley wrote:
[...]
> > I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> > CA certs.   Is there a way to add our own to that or to a separate file?
> >  How is that file generated?   Thanks.
> 
> 
> We have an exercise from the workshop that specifically addresses this situation.  We will be posting the workshop material really soon too.
> 
> Ultimately, you need to take a DER formatted version of your root public key and convert it to Bro's hex string representation and add it to the SSL::root_certs table.  Like this....
> 
> redef SSL::root_certs += {
> 	["your root certificates subject"] = "\x30\x82\x03\x75\x30\x82<snip a lot more of this>";
> };
[...]

In case it may be of some help to anyone, here is a script to
convert a PEM CA cert bundle, such as
/etc/ssl/certs/ca-certificates.crt as found on Debian-based
systems, to Bro's format:

<BEGIN>
#! /usr/bin/perl
# Convert a PEM CA bundle (stdin or files) into entries for Bro's
# SSL::root_certs table:  ["subject"] = "\xHH\xHH...",
use strict;
use warnings;
use Encode;
use Crypt::OpenSSL::X509;

my ($p, $inside) = ("", 0);
while (<>) {
  if (/BEGIN /) {          # start collecting one PEM block
    $p = "";
    $inside = 1;
  }
  $p .= $_ if $inside;
  if (/END /) {
    my $c = Crypt::OpenSSL::X509->new_from_string($p);
    # subject components, most specific first, joined with commas;
    # backslashes and commas inside a component are escaped
    my @s = map { $_->as_string } reverse @{$c->subject_name->entries};
    s/[\\,]/\\$&/g for @s;
    my $s = encode("UTF-8", join(",", @s));
    # non-ASCII bytes become Bro \xHH escapes
    $s =~ s/[\200-\377]/sprintf("\\x%02X", ord $&)/ge;
    # the DER-encoded certificate as one long \xHH string
    my $x = join "", map { "\\x" . uc $_ }
      unpack("(H2)*", $c->as_string(Crypt::OpenSSL::X509::FORMAT_ASN1));
    print "\t[\"$s\"] = \"$x\",\n";
    $inside = 0;
  }
}
<END>

(this gives the same output as found in the mozilla-ca.bro file)

Then, I have an /etc/ca-certificates/update.d/bro-cacerts hook to
update Bro's root_certs every time the system CA certs are
updated:

<BEGIN>
#! /bin/sh -
# ca-certificates hook: regenerate Bro's root_certs from the system
# bundle and reload Bro whenever update-ca-certificates runs.
BRO_CERTSTORE=/usr/local/share/bro/site/certs.bro

# same on/off switch as the other ca-certificates hooks; if the file
# is absent, cacerts_updates stays empty and the hook does nothing
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

echo
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

printf '%s\n' "Updating Bro IDS CA Cert store $BRO_CERTSTORE"

# noclobber (set -C) refuses to overwrite a .new left behind by another
# run; writing to .new and renaming means certs.bro is never half-written.
# crt-to-bro is the Perl converter above, installed under that name.
set -C
{
  echo "redef SSL::root_certs += {" &&
    /usr/local/bin/crt-to-bro < /etc/ssl/certs/ca-certificates.crt &&
    echo "};"
} > "$BRO_CERTSTORE.new" || exit
mv -f "$BRO_CERTSTORE.new" "$BRO_CERTSTORE" || exit

# validate the generated script before deploying and restarting
echo "Restarting bro"
broctl check &&
  broctl install &&
  broctl restart
<END>

This way, Bro uses the same root CAs as the system to verify
certificates.

HTH
Stephane
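As an added example (not Stephane's script and not part of Bro), here is the same conversion in Python with only the standard library, plus a check the hook above does not have: which certificates in the system bundle are missing from an existing certs.bro. The DER walker, the function names and the sample certificate-shaped input are all constructed for this example; the sample is not a real signed certificate, just enough structure for the subject walk.

```python
# Added example (not Stephane's script): PEM CA bundle -> Bro SSL::root_certs
# entries, plus a drift check against an existing certs.bro. Standard library
# only; the small DER walker is hypothetical helper code written for this.
import base64
import hashlib
import re

def der_tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val

# DER-encoded X.500 attribute OIDs -> the short names OpenSSL prints
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
             b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def subject_from_der(der):
    """Certificate -> tbsCertificate -> subject; RDN components in DER order."""
    _, cert, _ = der_tlv(der, 0)
    _, tbs, _ = der_tlv(cert, 0)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                  # serial, sigalg, issuer, validity, subject
    parts = []
    for _, rdn in der_children(subject):    # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (vtag, val) = list(der_children(atv))
            if vtag == 0x1E:                # BMPString is UCS-2
                text = val.decode("utf-16-be")
            else:                           # PrintableString / UTF8String / IA5String
                text = val.decode("utf-8", "replace")
            parts.append(OID_NAMES.get(oid, "OID." + oid.hex()) + "=" + text)
    return parts

def bro_subject_key(parts):
    """Key as the Perl script builds it: most specific first, comma separated,
    backslash/comma/quote escaped, non-ASCII bytes written as \\xHH."""
    escaped = [re.sub(r'([\\,"])', r'\\\1', p) for p in reversed(parts)]
    raw = ",".join(escaped).encode("utf-8")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02X" % b for b in raw)

def bro_hex(der):
    """DER bytes as the body of a Bro \\xHH string literal."""
    return "".join("\\x%02X" % b for b in der)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def bundle_to_bro(text):
    """Whole certs.bro, as the shell hook wraps crt-to-bro output."""
    lines = ["redef SSL::root_certs += {"]
    for der in pem_to_ders(text):
        lines.append('\t["%s"] = "%s",' % (bro_subject_key(subject_from_der(der)), bro_hex(der)))
    return "\n".join(lines + ["};"]) + "\n"

ENTRY_RE = re.compile(r'\["((?:[^"\\]|\\.)*)"\]\s*=\s*"((?:\\x[0-9A-Fa-f]{2})+)"')

def missing_from_store(bundle_text, store_text):
    """SHA-256 fingerprints of bundle certs absent from an existing certs.bro
    (by fingerprint, not subject key, so a re-keyed root is still reported)."""
    have = {hashlib.sha256(bytes.fromhex(h.replace("\\x", ""))).hexdigest()
            for _, h in ENTRY_RE.findall(store_text)}
    return {hashlib.sha256(d).hexdigest() for d in pem_to_ders(bundle_text)} - have

# Constructed sample input: a certificate-shaped DER object (no real signature)
# in PEM, enough for the subject walk above. _der/_rdn are tiny DER encoders.
def _der(tag, *children):
    body = b"".join(children)
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def _rdn(oid, text, tag=0x0C):             # one single-attribute RDN (SET of SEQUENCE)
    return _der(0x31, _der(0x30, _der(0x06, oid), _der(tag, text.encode("utf-8"))))

_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
_TBS = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02")),                    # [0] version v3
            _der(0x02, b"\x01"),                                # serialNumber
            _SHA256_RSA,                                        # signature algorithm
            _der(0x30, _rdn(b"\x55\x04\x03", "Example Root")),  # issuer
            _der(0x30, _der(0x17, b"200101000000Z"), _der(0x17, b"300101000000Z")),
            _der(0x30, _rdn(b"\x55\x04\x06", "FR", 0x13),       # subject, with a
                 _rdn(b"\x55\x04\x0a", "Soci\u00e9t\u00e9, SA"),  # comma and UTF-8
                 _rdn(b"\x55\x04\x03", "Example Root")))
SAMPLE_DER = _der(0x30, _TBS, _SHA256_RSA, _der(0x03, b"\x00\x00\x00\x00"))
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
                 + "-----END CERTIFICATE-----\n")
```

Run bundle_to_bro() over the text of /etc/ssl/certs/ca-certificates.crt to get the same kind of certs.bro the hook writes, and missing_from_store() over the bundle and the current certs.bro to see whether the store has fallen behind. Because the table is keyed by subject, two roots with the same subject collapse into one entry; that is why the drift check compares SHA-256 fingerprints of the DER rather than keys. The key format follows the Perl script (reversed components, escaped commas, \xHH for non-ASCII), with the double quote additionally escaped so a subject containing one cannot break the Bro string literal.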