Log chosen curve when using ec cipher suite in TLS.

scripts/base/protocols/ssl/main.bro

@@ -19,6 +19,8 @@ export {
 		version:          string           &log &optional;
 		## SSL/TLS cipher suite that the server chose.
 		cipher:           string           &log &optional;
+		## Elliptic curve the server chose when using ECDH/ECDHE.
+		curve:            string           &log &optional;
 		## Value of the Server Name Indicator SSL/TLS extension.  It
 		## indicates the server name that the client was requesting.
 		server_name:      string           &log &optional;
@@ -159,6 +161,13 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
+event ssl_server_curve(c: connection, curve: count) &priority=5
+	{
+	set_session(c);
+
+	c$ssl$curve = ec_curves[curve];
+	}
+
 event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);

src/analyzer/protocol/ssl/events.bif

@@ -58,7 +58,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##              standardized as part of the SSL/TLS protocol.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_session_ticket_handshake x509_certificate
+##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -97,7 +97,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -114,9 +114,23 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
+## Generated a named curve is chosen by the server for the SSL/TLS connection. The
+## curve is sent by the server in the ServerKeyExchange message as defined in
+## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
+##
+## c: The connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_server_curve%(c: connection, curve: count%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -400,6 +400,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_ec_server_key_exchange(rec: SSLRecord, curve_type: uint8, curve: uint16) : bool
+		%{
+		if ( curve_type == NAMED_CURVE )
+			BifEvent::generate_ssl_server_curve(bro_analyzer(),
+			  bro_analyzer()->Conn(), curve);
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -488,3 +497,7 @@ refine typeattr ServerNameExt += &let {
 refine typeattr CertificateStatus += &let {
 	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
 };
+
+refine typeattr EcServerKeyExchange += &let {
+	proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
+};

src/analyzer/protocol/ssl/ssl-defs.pac

@@ -60,3 +60,355 @@ enum SSLExtensions {
 	EXT_PADDING = 35655,
 	EXT_RENEGOTIATION_INFO = 65281
 };
+
+enum ECCurveType {
+  EXPLICIT_PRIME = 1,
+	EXPLICIT_CHAR = 2,
+	NAMED_CURVE = 3
+};
+
+enum TLSCiphers {
+	NO_CHOSEN_CIPHER = 0xFFFFFF,
+	TLS_NULL_WITH_NULL_NULL = 0x0000,
+	TLS_RSA_WITH_NULL_MD5 = 0x0001,
+	TLS_RSA_WITH_NULL_SHA = 0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
+	TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
+	TLS_RSA_WITH_RC4_128_SHA = 0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
+	TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
+	TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
+	TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
+	TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A,
+	TLS_RSA_WITH_NULL_SHA256 = 0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D,
+	# draft-ietf-tls-openpgp-keys-06
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD = 0x0072,
+	TLS_DHE_DSS_WITH_AES_128_CBC_RMD = 0x0073,
+	TLS_DHE_DSS_WITH_AES_256_CBC_RMD = 0x0074,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD = 0x0077,
+	TLS_DHE_RSA_WITH_AES_128_CBC_RMD = 0x0078,
+	TLS_DHE_RSA_WITH_AES_256_CBC_RMD = 0x0079,
+	TLS_RSA_WITH_3DES_EDE_CBC_RMD = 0x007C,
+	TLS_RSA_WITH_AES_128_CBC_RMD = 0x007D,
+	TLS_RSA_WITH_AES_256_CBC_RMD = 0x007E,
+	# draft-chudov-cryptopro-cptls-04
+	TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080,
+	TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081,
+	TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082,
+	TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
+	TLS_PSK_WITH_RC4_128_SHA = 0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
+	TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
+	TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B,
+	TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7,
+	TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
+	TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
+	TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+	# draft-bmoeller-tls-downgrade-scsv-01
+	TLS_FALLBACK_SCSV = 0x5600,
+	# RFC 4492
+	TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
+	TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
+	# RFC 6209
+	TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C,
+	TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D,
+	TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E,
+	TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F,
+	TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040,
+	TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041,
+	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042,
+	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043,
+	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044,
+	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045,
+	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046,
+	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B,
+	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C,
+	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D,
+	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E,
+	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F,
+	TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050,
+	TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051,
+	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052,
+	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053,
+	TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054,
+	TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055,
+	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056,
+	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057,
+	TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058,
+	TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059,
+	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A,
+	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F,
+	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060,
+	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061,
+	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062,
+	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063,
+	TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064,
+	TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065,
+	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066,
+	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067,
+	TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068,
+	TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069,
+	TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A,
+	TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B,
+	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C,
+	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D,
+	TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E,
+	TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F,
+	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070,
+	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071,
+	# RFC 6367
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079,
+	TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A,
+	TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D,
+	TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E,
+	TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081,
+	TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082,
+	TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083,
+	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084,
+	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D,
+	TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E,
+	TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093,
+	TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094,
+	TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B,
+	# RFC 6655
+	TLS_RSA_WITH_AES_128_CCM = 0xC09C,
+	TLS_RSA_WITH_AES_256_CCM = 0xC09D,
+	TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E,
+	TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F,
+	TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0,
+	TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1,
+	TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2,
+	TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3,
+	TLS_PSK_WITH_AES_128_CCM = 0xC0A4,
+	TLS_PSK_WITH_AES_256_CCM = 0xC0A5,
+	TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6,
+	TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7,
+	TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8,
+	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9,
+	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA,
+	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB,
+	# draft-agl-tls-chacha20poly1305-02
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15
+};

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -302,9 +302,11 @@ type ServerHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
+} &let {
+	cipher_set : bool =
+		$context.connection.set_cipher(cipher_suite[0]);
 };
 
-
 ######################################################################
 # V2 Server Hello (SSLv2 2.6.)
 ######################################################################
@@ -351,11 +353,51 @@ type CertificateStatus(rec: SSLRecord) = record {
 # V3 Server Key Exchange Message (7.4.3.)
 ######################################################################
 
-# For now ignore details; just eat up complete message
-type ServerKeyExchange(rec: SSLRecord) = record {
-	key : bytestring &restofdata &transient;
+# Usually, the server key exchange does not contain any information
+# that we are interested in.
+#
+# The one exception is when we are using an elliptic curve cipher suite.
+# In this case, we can extract the final chosen cipher from here.
+type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of {
+	TLS_ECDH_ECDSA_WITH_NULL_SHA,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_RSA_WITH_NULL_SHA,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_NULL_SHA,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_ANON_WITH_NULL_SHA,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+		-> ec_server_key_exchange : EcServerKeyExchange(rec);
+
+	default
+		-> key : bytestring &restofdata &transient;
 };
 
+# For the moment, we really only are interested in the curve name. If it
+# is not set (if the server sends explicit parameters), we do not bother.
+# We also do not parse the actual signature data following the named curve.
+type EcServerKeyExchange(rec: SSLRecord) = record {
+	curve_type: uint8;
+	curve: uint16; # only if curve_type = 3
+	data: bytestring &restofdata &transient;
+};
 
 ######################################################################
 # V3 Certificate Request (7.4.4.)
@@ -501,14 +543,24 @@ refine connection SSL_Conn += {
 		int client_state_;
 		int server_state_;
 		int record_layer_version_;
+		uint32 chosen_cipher_;
 	%}
 
 	%init{
 		server_state_ = STATE_CLEAR;
 		client_state_ = STATE_CLEAR;
 		record_layer_version_ = UNKNOWN_VERSION;
+		chosen_cipher_ = NO_CHOSEN_CIPHER;
 	%}
 
+	function chosen_cipher() : int %{ return chosen_cipher_; %}
+
+	function set_cipher(cipher: int64) : bool
+		%{
+		chosen_cipher_ = cipher;
+		return true;
+		%}
+
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{

testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-#close	2014-03-13-20-45-24
+#open	2014-04-26-16-44-47
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+#close	2014-04-26-16-44-47

testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-46
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
-#close	2014-03-13-20-45-46
+#open	2014-04-26-16-45-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	secp256r1	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-01

testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-04-26-16-39-57
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1398529018.678827	CXWv6p3arKYeMETxOg	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-39-57

testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log

@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-04-26-16-39-57
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1398529018.711296	FDy6ve1m58lwPRfhE9	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1397045108.000000	1404777600.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1398529018.711296	FnGjwc1EVGk5x0WZk5	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1398529018.711296	F2T07R1XZFCmeWafv2	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-04-26-16-39-57

testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-30
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
-#close	2014-03-13-20-46-30
+#open	2014-04-26-16-45-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
+#close	2014-04-26-16-45-16

testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-09
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
-#close	2014-03-13-20-46-09
+#open	2014-04-26-16-45-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
+#close	2014-04-26-16-45-09

testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-47-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-#close	2014-03-13-21-47-24
+#open	2014-04-26-16-45-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-23

testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-53-03
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
-1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
-1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
-#close	2014-03-13-21-53-03
+#open	2014-04-26-16-45-32
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
+1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
+#close	2014-04-26-16-45-32

testing/btest/scripts/base/protocols/ssl/ecdhe.test

@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log