[Bro] Information on OCSP and CRL

Johanna Amann johanna at icir.org
Wed Feb 15 07:38:18 PST 2017


Hello Tony,

Bro will get the capability to parse OCSP requests and replies that are 
being sent over the network soon (as in - the ones that you see in HTTP, 
not just the ones in the stapled ocsp extension of the TLS handshake). 
You should be able to map that to certificates seen in the network 
traffic, and to validate them; however, this only will be possible for 
certificates for which network clients perform OCSP requests by 
themselves.

Apart from that, there are currently no plans to add any OCSP support to 
Bro; there especially are no plans to make Bro able to perform OCSP 
queries itself.

If you want to add that - you should be able to just write a couple of 
bifs and add them as a package :)

Johanna

On 14 Feb 2017, at 19:50, Tony Waller wrote:

> Johanna,
>
> Thank you for the update. Do you see any plans for Bro to be able to 
> leverage an OCSP client soon? If not, is this something that could be 
> added to the code-base by the community?
>
> Sincerely,
>
> Tony
>
>
> Tony Waller, CPO (USN-Ret.)
> CISSP
> Director, Systems Engineering
> Bivio Networks, Inc.
> “Powering Advanced Cyber Operations” (TM)
> Mobile (443) 994-0936
>
>
>
> *Note: The information contained in this email confidential. This 
> information is intended only for the individual, individuals or entity 
> to whom it is addressed. If you are not the intended recipient(s), the 
> employee or agent responsible for delivering it to the intended 
> recipient(s), you are hereby notified that any use, dissemination, 
> distribution or copying of this communication is strictly prohibited. 
> If you have received this email in error, please return the original 
> message to us by email and delete or destroy any copies. Please note 
> any views or opinions expressed or presented in this email are solely 
> those of the author and do not necessarily represent those of Bivio 
> Networks, Inc. The recipient should check this email or any 
> attachments for the presence of viruses or malware. Bivio Networks, 
> Inc. accepts no responsibility for any damage caused by any virus or 
> malware transmitted by this email. Thank you.
>
> Think Green when printing
>
>
> On 2/14/17, 4:15 PM, "Johanna Amann" <johanna at icir.org> wrote:
>
>     To expand a bit on this...
>
>     there is a policy script to perform certificate validation, just load
>     policy/protocols/ssl/validate-certs.bro. Note that this uses plain OpenSSL
>     for validation and might not be able to validate a few cases which
>     browsers can validate.
>
>     For OCSP, the situation is a bit less optimal. The script that Vlad
>     mentioned performs OCSP validation, but _only_ in case that the OCSP
>     response is sent stapled in the TLS handshake - which is rather rare.
>
>     Outside of this, Bro currently does not support OCSP validation.
>
>     Johanna
>
>     On Thu, Feb 09, 2017 at 01:37:44PM -0600, Vlad Grigorescu wrote:
>     > Tony,
>     >
>     > There's an optional script for OCSP validation:
>     > https://github.com/bro/bro/blob/v2.5/scripts/policy/protocols/ssl/validate-ocsp.bro
>     >
>     > To use:
>     > > @load protocols/ssl/validate-ocsp
>     >
>     >   --Vlad
>     >
>     > Tony Waller <twaller at bivio.net> writes:
>     >
>     > > I am looking for additional information on utilizing OCSP and 
> CRL in Bro NSM. I would like to know if certificates from clients can 
> be checked in real-time or near real-time against a CRL? Also, can Bro 
> NSM perform an OCSP request to an RA and check a certificate to 
> determine if it is valid? If this is the case, where in Bro NSM do you 
> set the address for the RA or CRL responder?
>     > >
>     > > Sincerely,
>     > >
>     > > Tony
>     > >
>     > >
>     > > Tony Waller, CISSP
>     > > Director, Systems Engineering
>     > > Bivio Networks, Inc.
>     > > “Powering Advanced Cyber Operations” (TM)
>     > > Mobile (443) 994-0936
>     > >
>     > > _______________________________________________
>     > > Bro mailing list
>     > > bro at bro-ids.org
>     > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>     > _______________________________________________
>     > Bro mailing list
>     > bro at bro-ids.org
>     > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
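As an added example (not code from the thread's participants or from the Bro distribution), the site-local script below loads the two policy scripts Johanna and Vlad point to and acts on their results, including the case Johanna describes where no stapled OCSP response exists and revocation therefore goes unchecked. The module name SiteSSL, the No_Stapled_OCSP notice and the stapling_expected set are assumptions; the validation_status/ocsp_status fields, the ssl_established event priorities and the SSL::Invalid_Server_Cert / SSL::Invalid_Ocsp_Response notices are as I recall them from Bro 2.5's validate-certs.bro and validate-ocsp.bro and should be checked against the installed scripts.

```bro
# Added example for this thread, not part of the Bro project. Assumes the
# Bro 2.5 field/notice names of validate-certs.bro and validate-ocsp.bro.
@load protocols/ssl/validate-certs   # sets c$ssl$validation_status, raises SSL::Invalid_Server_Cert
@load protocols/ssl/validate-ocsp    # sets c$ssl$ocsp_status, raises SSL::Invalid_Ocsp_Response

module SiteSSL;

export {
	redef enum Notice::Type += {
		## Server presented a chain but no stapled OCSP response, so
		## validate-ocsp had nothing to check revocation against.
		No_Stapled_OCSP
	};

	## Servers for which stapling is expected (assumed, site-specific).
	const stapling_expected: set[addr] = { 192.0.2.10 } &redef;
}

# Both policy scripts handle ssl_established at a higher priority, so by
# the time this runs validation_status/ocsp_status are set if they could be.
event ssl_established(c: connection) &priority=-5
	{
	if ( ! c?$ssl )
		return;

	# Chain failure already produced SSL::Invalid_Server_Cert; stop here.
	if ( c$ssl?$validation_status && c$ssl$validation_status != "ok" )
		return;

	# Valid chain, but no stapled response was seen: revocation is unknown.
	if ( c$id$resp_h in stapling_expected && ! c$ssl?$ocsp_status )
		NOTICE([$note=No_Stapled_OCSP,
		        $msg=fmt("No stapled OCSP response from %s; revocation unchecked",
		                 c$id$resp_h),
		        $conn=c,
		        $identifier=cat(c$id$resp_h, c$id$resp_p)]);
	}

# Escalate the failures the two policy scripts already report.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSL::Invalid_Server_Cert || n$note == SSL::Invalid_Ocsp_Response )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Because validate-ocsp.bro only sees stapled responses, the No_Stapled_OCSP notice is what makes the "rather rare" stapling case Johanna mentions visible per server rather than silently passing.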