From 311e113ff697071c46095c478b7fb42e47ff2a23 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 20 May 2021 13:51:00 +0100
Subject: [PATCH] Deprecate ICSI SSL notary script.

The ICSI notary is pretty much inactive. Furthermore - this approach does no longer make much sense at this point of time - performing, e.g., signed certificate timestamp validation is much more worthwhile.
---
 scripts/policy/protocols/ssl/notary.zeek | 2 ++
 scripts/site/local.zeek | 4 ----
 testing/btest/Baseline/coverage.bare-mode-errors/errors | 2 ++
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/notary.zeek b/scripts/policy/protocols/ssl/notary.zeek
index 422d5e2e0c..67f8734d41 100644
--- a/scripts/policy/protocols/ssl/notary.zeek
+++ b/scripts/policy/protocols/ssl/notary.zeek
@@ -1,3 +1,5 @@
+@deprecated("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
+
 @load base/protocols/ssl
 
 module CertNotary;
diff --git a/scripts/site/local.zeek b/scripts/site/local.zeek
index 2acd297c47..87838e4bee 100644
--- a/scripts/site/local.zeek
+++ b/scripts/site/local.zeek
@@ -67,10 +67,6 @@ redef digest_salt = "Please change this value.";
 # This script prevents the logging of SSL CA certificates in x509.log
 @load protocols/ssl/log-hostcerts-only
 
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
 # If you have GeoIP support built in, do some geographic detections and
 # logging for SSH traffic.
 @load protocols/ssh/geo-data
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index eab45fe321..b9ef0f93a3 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
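Review bot: The deprecation message on the added first line of notary.zeek points users at `validate-sct.zeek` by bare filename, which is not the form in which the script is loaded, so anyone who sees this warning at startup still has to go and look up the path; spelling it out as `@deprecated("Remove in v5.1. Please switch to other more modern approaches like SCT validation (@load protocols/ssl/validate-sct).")` makes the warning actionable on its own. Since the same string is baked into the bare-mode-errors baseline in this patch, changing it means regenerating that baseline as well. It may also be worth saying in the message that SCT validation checks CT-log signatures on the certificate itself rather than performing the per-certificate-hash lookup against the ICSI service that the removed local.zeek comment described, so operators understand it is a recommendation and not a like-for-like replacement. The rest of the script (module CertNotary and its handlers) continues outside the hunk.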
@@ -3,3 +3,5 @@
 warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default")
 warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default")
 warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now disabled by default")
+warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:4 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
+warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")