[
https://bro-tracker.atlassian.net/browse/BIT-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15702#comment-15702
]
Bernhard Amann commented on BIT-953:
------------------------------------
Ok, the split of x509 handling into the file-analysis framework is basically
ready in the topic/bernhard/file-analysis-x509 branch.
I have a few small loose ends to tie up (mostly: update the test baselines),
which I already started to do. But - before investing too much work in this -
could someone take a look if the new interface looks ok?
The big changes basically are:
* the certificate handling completely moved into a file analysis framework
plugin
* there is a new x509.log, which contains information about any certificate
encountered on the wire. This contains more information than the old ssl.log,
including a few certificate extensions like the subject alternative name, used
ec curve names, etc.
* the ssl.log has slightly less information about the certificates than
before. It includes the certificate file IDs as well as the subject and the
issuer of the host (and client) certificates. Validity, etc. was stripped (and
not used by any base scripts)
* the certificate der values are not passed around scriptland anymore.
Instead, an opaque of x509 is included in the x509_certificate event, which
can be used to access the string form of a certificate using the
x509_get_certificate_string function
* the certificate validation function was changed quite a lot. It now returns
the full validated certificate chain and takes arguments in a more convenient
manner (sorted list of opaque of x509). This also should reduce overhead by
quite a bit.
From a user's point of view, the biggest changes probably are the new logfiles.
Do these look ok?
diff-link for the lazy:
https://github.com/bro/bro/compare/topic;bernhard;file-analysis-x509
> SSL Analyzer: return the root CA used to validate a cert
> --------------------------------------------------------
>
> Key: BIT-953
> URL: https://bro-tracker.atlassian.net/browse/BIT-953
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: liamrandall
> Assignee: Bernhard Amann
> Priority: Low
> Labels: Analyzer,, CA, Root,, SSL
> Fix For: 2.4
>
>
> Since Bro will validate certs can we add a variable that says who the root CA
> was; would be useful for CA pinning, white listing or black listing.
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev