[ 
https://bro-tracker.atlassian.net/browse/BIT-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17103#comment-17103
 ] 

Johanna Amann commented on BIT-1214:
------------------------------------

So - this question has two different answers, depending on what exactly is 
happening in your case.

You mention that Bro does not validate certificates of sites that are actually 
trusted. In case the root certificates that those sites chain back to are 
listed on 
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included, 
this almost certainly means that the server is not sending one of the 
necessary intermediate certificates needed to verify the chain. Many browsers 
either cache those intermediate certificates or download them on the fly, so 
this kind of server configuration can go unnoticed for quite a while. You can 
use sites like https://www.ssllabs.com/ssltest/ to check your servers for this.

In case the server is using a root certificate that is not included in the 
Mozilla root store (and hence not shipped with Bro), you have to add the extra 
root certificate to the list of root certificates known to Bro. The steps in 
the email thread should still be applicable - you can add your extra 
certificate to SSL::root_certs by adding it to local.bro like suggested in that 
thread.

> Updating Root CAs used for ssl.log
> ----------------------------------
>
>                 Key: BIT-1214
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1214
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>         Environment: Running on RHEL 6.5
>            Reporter: Robert W
>            Assignee: Johanna Amann
>              Labels: logging
>
> Need assistance confirming how to update the root CAs that Bro uses for the 
> ssl.log. When a list of websites that have used a self-signed cert is 
> visited from the logs, a number of sites within that list are actually trusted. 
> I found some documentation that states you need to take a DER formatted 
> version of your root public key and convert it to Bro's hex string, etc. 
> http://comments.gmane.org/gmane.comp.security.detection.bro/4117
> Could you confirm the steps to take to resolve this specific issue? I am 
> trying to ensure there isn't a specific location in a local config that will 
> allow me to set the path. Please advise if you need any additional 
> information.



--
This message was sent by Atlassian JIRA
(v6.3-OD-08-005-WN#6328)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
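The conversion the reporter describes (DER certificate to Bro's hex string, added to SSL::root_certs in local.bro) carried through in code. This is an added example and not part of the thread or of Bro itself. It assumes SSL::root_certs is a table[string] of string keyed by a display name and that a `redef ... += { ... };` block in local.bro appends to it; the PEM blob and the CA name are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a placeholder PEM whose DER payload is a tiny ASN.1
# SEQUENCE { INTEGER 1 } (bytes 30 03 02 01 01), not a real certificate.
# Substitute the PEM of the actual root CA that Bro needs to trust.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and base64-decode it to DER bytes."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)
    # Every X.509 certificate is an outer ASN.1 SEQUENCE (tag 0x30); anything
    # else is not DER certificate data and must not end up in the root store.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def der_to_bro_hex(der):
    """Render DER bytes as the \\xNN-escaped string literal Bro scripts use."""
    return "".join("\\x%02x" % b for b in der)


def fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER, so the value can be
    compared with what openssl reports for the same file before trusting it."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def root_certs_redef(name, der):
    """Build the local.bro fragment that appends one entry to SSL::root_certs
    (assumed syntax: table[string] of string, keyed by a display name)."""
    return ('redef SSL::root_certs += {\n'
            '\t["%s"] = "%s",\n'
            '};\n' % (name, der_to_bro_hex(der)))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("# SHA256 fingerprint: " + fingerprint(der))
    print(root_certs_redef("Example Corp Internal Root CA (constructed)", der))
```

Before pasting the generated block into local.bro, compare the printed fingerprint with `openssl x509 -in ca.pem -noout -fingerprint -sha256` on the original file; a mismatch means the wrong file (or a mangled copy) is about to be trusted by every ssl.log verdict.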