diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index c9aca6e070..1d0815812e 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -506,6 +506,17 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) { const char* revoke_reason = OCSP_crl_reason_str(reason); + +#if OPENSSL_VERSION_NUMBER < 0x30200000L + // OpenSSL 3.2.0 and later return the right strings for + // OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN (9) and + // OCSP_REVOKED_STATUS_AACOMPROMISE (10). + // + // For versions older than that, fix it up by hand. + if ( (reason == 9 || reason == 10) && zeek::util::streq(revoke_reason, "(UNKNOWN)") ) { + revoke_reason = reason == 9 ? "privilegeWithdrawn" : "aACompromise"; + } +#endif rvl.emplace_back(make_intrusive(strlen(revoke_reason), revoke_reason)); } else diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout index 3a3072a5a5..273b216e49 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout @@ -12,7 +12,7 @@ ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XX request, 0, request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, (UNKNOWN), XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, privilegeWithdrawn, XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XXXXXXXXXX.XXXXXX, sha1WithRSAEncryption request, 0, request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 7a5f1b27ba..e0976d0485 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log @@ -9,6 +9,6 @@ #types time string string string string string string time string time time XXXXXXXXXX.XXXXXX Fv1Mrl4zObGy9drLdg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E revoked XXXXXXXXXX.XXXXXX superseded XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX F7TCyr1Y6YSyUVOW5 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 revoked XXXXXXXXXX.XXXXXX unspecified XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX -XXXXXXXXXX.XXXXXX FmK7Wj1W7PV2RclIig sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked XXXXXXXXXX.XXXXXX (UNKNOWN) XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX +XXXXXXXXXX.XXXXXX FmK7Wj1W7PV2RclIig sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked XXXXXXXXXX.XXXXXX privilegeWithdrawn XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX FfpvoO3DJXnAcoNnp4 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A revoked XXXXXXXXXX.XXXXXX keyCompromise XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX #close XXXX-XX-XX-XX-XX-XX