From 94f55532f2a1cf0077a1a6bce2f13f58f117228e Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 30 Nov 2017 12:18:14 -0800 Subject: [PATCH] Make parsing of ServerKeyExchange work for D(TLS) < 1.2. Now we only parse the SignatureAndHashalgorithm field in cases where it is present. This change also takes care to respect SCTs, which do include the SignatureAndHashalgorithm in their digitally-signed struct, even when used in protocol versions that do not have the SignatureAndHashalgorithm in the protocols digitally-signed struct. I also added tests to make sure this does indeed work with TLS 1.1 - it turns out that so far we did not have a single TLS 1.1 pcap. --- src/analyzer/protocol/ssl/events.bif | 6 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 26 +++++++++-- .../protocol/ssl/tls-handshake-protocol.pac | 28 +++++++++--- .../ssl1_2.log | 10 +++++ .../x5091_2.log | 10 +++++ .../ssl-all.log | 42 +++++++++++++++--- .../.stdout | 6 +++ .../scripts.base.protocols.ssl.tls1_1/ssl.log | 10 +++++ .../x509.log | 12 +++++ .../tls/{dtls-openssl.pcap => dtls1_0.pcap} | Bin testing/btest/Traces/tls/dtls1_2.pcap | Bin 0 -> 3675 bytes .../signed_certificate_timestamp_tls1_0.pcap | Bin 0 -> 7021 bytes testing/btest/Traces/tls/tls1_1.pcap | Bin 0 -> 6980 bytes .../scripts/base/protocols/ssl/basic.test | 1 + .../scripts/base/protocols/ssl/dtls.test | 7 ++- .../base/protocols/ssl/keyexchange.test | 6 +++ .../ssl/signed_certificate_timestamp.test | 10 +++++ .../scripts/base/protocols/ssl/tls1_1.test | 6 +++ 18 files changed, 163 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log rename testing/btest/Traces/tls/{dtls-openssl.pcap => dtls1_0.pcap} (100%) create mode 100644 testing/btest/Traces/tls/dtls1_2.pcap create mode 100644 
testing/btest/Traces/tls/signed_certificate_timestamp_tls1_0.pcap create mode 100644 testing/btest/Traces/tls/tls1_1.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/tls1_1.test diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 7b919c4587..e4743b9399 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -233,7 +233,11 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## c: The connection. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the -## digitally_signed struct +## digitally_signed struct. This field is only present +## starting with TLSv1.2 and DTLSv1.2. Earlier versions +## used a hardcoded hash algorithm. For protocol versions +## below D(TLS)v1.2 this field is filled with an dummy +## value of 256. ## ## signature: Signature part of the digitally_signed struct. The private key ## corresponding to the certified public key in the server's certificate diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 840d2536c1..b45fb7d2a9 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
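Review bot: The added documentation for `signature_and_hashalgorithm` reads "filled with an dummy value of 256", which has a typo and does not say that the parameter is a record whose two members both receive that value. Script authors who log or alert on the negotiated signature algorithm need to recognise the placeholder, so I would word the last sentence as `## below D(TLS)v1.2 both HashAlgorithm and SignatureAlgorithm are set to the placeholder value 256, which never occurs on the wire.` The event declaration this comment belongs to lies outside the hunk.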
@@ -283,8 +283,17 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); - ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } BifEvent::generate_ssl_server_signature(bro_analyzer(), bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); @@ -351,8 +360,17 @@ refine connection Handshake_Conn += { ); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); - ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + if ( ${signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } BifEvent::generate_ssl_server_signature(bro_analyzer(), bro_analyzer()->Conn(), ha, diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 327a4d8771..e6b3754d07 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
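Review bot: The fallback branch hard-codes the literal 256 twice with only `// set to impossible value` as explanation, and the identical if/else block is repeated in the second hunk of this file (the one at -351/+360). The comment should say why the value is impossible, for example `// 256 is outside the range of the one-byte HashAlgorithm and SignatureAlgorithm wire fields`, and the literal is better taken from a single shared constant so the two event sites and the events.bif documentation cannot drift apart. The updated keyexchange baseline shows `256 256` in the signature algorithm columns for the TLSv11 and DTLSv10 connections, so any script that maps these counts to algorithm names needs a fallback for the placeholder. Both enclosing functions start and end outside the hunks.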
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -112,6 +112,7 @@ type ServerHelloChoice(rec: HandshakeRecord) = record { 0x7F -> 0x7F00; # map any draft version to 00 default -> server_version; }; + version_set : bool = $context.connection.set_version(server_version); }; type ServerHello(rec: HandshakeRecord, server_version: uint16) = record { @@ -361,7 +362,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c type EcdheServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; named_curve: case curve_type of { - NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + NAMED_CURVE -> params: ServerECDHParamsAndSignature; default -> data: bytestring &restofdata &transient; }; signature: case curve_type of { @@ -371,10 +372,17 @@ type EcdheServerKeyExchange(rec: HandshakeRecord) = record { }; type ServerKeyExchangeSignature = record { - algorithm: SignatureAndHashAlgorithm; + alg: case uses_signature_and_hashalgorithm of { + true -> algorithm: SignatureAndHashAlgorithm; + false -> nothing: bytestring &length=0; + } &requires(uses_signature_and_hashalgorithm); signature_length: uint16; signature: bytestring &length=signature_length; -} +} &let { + uses_signature_and_hashalgorithm : bool = + ($context.connection.chosen_version() > TLSv11) && + ($context.connection.chosen_version() != DTLSv10); +}; # Parse an ECDH-anon ServerKeyExchange message, which does not contain a # signature over the parameters. Parsing explicit curve parameters from the 
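Review bot: `set_version` is passed the raw `server_version` even though the case just above maps any draft version to 0x7F00, so `chosen_version()` will not agree with the normalised value for those handshakes. As far as the visible code shows this does not change the ServerKeyExchange check added later in this file, but it deserves a comment such as `# stores the unmodified wire version, not the draft-normalised one`, or the normalised field should be passed instead. The record and the case expression start outside the hunk, so the name of the normalised field is not visible here.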
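Review bot: The `uses_signature_and_hashalgorithm` predicate in ServerKeyExchangeSignature depends on the numeric ordering of version codes, which is not obvious for DTLS: the DTLS codes (0xFEFF for 1.0, 0xFEFD for 1.2) sort above TLSv11, which is why DTLSv10 needs the explicit exclusion, and every other value is treated as carrying the field. A comment on the `&let` would make this reviewable, e.g. `# DTLS version codes sort above TLSv11 numerically, so DTLSv10 is excluded by hand; all other values are assumed to use the TLS 1.2 layout`. Because the version is taken from the ServerHello on the wire, a test with an unexpected version value would confirm that the record fails to parse cleanly instead of reading `signature_length` from the wrong offset.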
@@ -382,12 +390,12 @@ type ServerKeyExchangeSignature = record { type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; named_curve: case curve_type of { - NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + NAMED_CURVE -> params: ServerECDHParamsAndSignature; default -> data: bytestring &restofdata &transient; }; }; -type ServerEDCHParamsAndSignature() = record { +type ServerECDHParamsAndSignature() = record { curve: uint16; point_length: uint8; point: bytestring &length=point_length; @@ -876,10 +884,12 @@ refine connection Handshake_Conn += { %member{ uint32 chosen_cipher_; + uint16 chosen_version_; %} %init{ chosen_cipher_ = NO_CHOSEN_CIPHER; + chosen_version_ = UNKNOWN_VERSION; %} function chosen_cipher() : int %{ return chosen_cipher_; %} @@ -889,6 +899,14 @@ refine connection Handshake_Conn += { chosen_cipher_ = cipher; return true; %} + + function chosen_version() : int %{ return chosen_version_; %} + + function set_version(version: uint16) : bool + %{ + chosen_version_ = version; + return true; + %} }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log new file mode 100644 index 0000000000..519af88f6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log 
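Review bot: `chosen_version()` is declared to return `int` while the `chosen_version_` member added in the previous hunk is a `uint16`, and nothing documents that it yields `UNKNOWN_VERSION` until a ServerHello has been parsed. Declaring it as `function chosen_version() : uint16` and adding `# UNKNOWN_VERSION until set_version() is called from ServerHelloChoice` would make the contract clear to callers such as the version check in ServerKeyExchangeSignature. The value of UNKNOWN_VERSION is not visible in this patch, so which branch that check takes before a ServerHello is seen cannot be confirmed from here. The refine block continues outside the hunk.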
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-19-59-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1512070268.983215 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - +#close 2017-11-30-19-59-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log new file mode 100644 index 0000000000..7eb8b9edbc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2017-11-30-19-59-22 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1512070269.021156 Fox0Fc3MY8kLKfhNK6 3 87AAFFBCA26E44BF O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU 1512070108.000000 1543606108.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T - +#close 2017-11-30-19-59-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log index bcb3e11484..74883271b6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log 
@@ -3,30 +3,60 @@ #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-19 +#open 2017-11-30-20-15-05 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 1 6 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 c3d48226a8f94d3bbb49918ac02187493258e74e - 
0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - -#close 2017-11-28-21-44-19 +#close 2017-11-30-20-15-05 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-19 +#open 2017-11-30-20-15-06 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 1 6 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 e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 
4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 -#close 2017-11-28-21-44-20 +#close 2017-11-30-20-15-06 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-20 +#open 2017-11-30-20-15-06 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - 1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - 1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - -#close 2017-11-28-21-44-20 +#close 2017-11-30-20-15-06 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string 
string count count string string string string string +1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_E
CDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71 - - - 04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb 256 256 72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a b453697b78df7c522c3e2bfc889b7fa6674903ca - - 4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792 +#close 2017-11-30-20-15-07 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-08 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1425932016.520157 CHhAvVGS1DHFjwGM9 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro 
CN=bro - - 543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2 - - - 
043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef 256 256 17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39 fa6d780625219f5e1ae0b4c863e8321328241134 - - 4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49 +#close 2017-11-30-20-15-08 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1512070268.983215 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLI
A_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490 - - - 049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9 1 6 e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c 1cb43b5f1de3fe36d595da76210bbf5572a721be - - 41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416 +#close 2017-11-30-20-15-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index 342228a1cf..327b97df41 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout @@ -7,3 +7,9 @@ Verify of, Google 'Aviator' log, T Bad verify of, Google 'Aviator' log, F Verify of, Google 'Rocketeer' log, T Bad verify of, Google 'Rocketeer' log, F +0, Google 'Rocketeer' log, 1509548284.428, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Symantec log, 1509548284.713, [HashAlgorithm=4, SignatureAlgorithm=3] +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Symantec log, T +Bad verify of, Symantec log, F diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log new file mode 100644 index 0000000000..de6af18a69 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-08-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - +#close 2017-11-30-20-08-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log new file mode 100644 index 0000000000..f6a3eac608 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log 
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path x509
+#open 2017-11-30-20-08-27
+#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
+#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
+1512072318.462960 F1uIRd10FHM79akjJ1 3 3D1DE44E346ECE68 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1509544136.000000 1516800660.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.db833953.google.cn,*.g.co,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,yt.be - - - F -
+1512072318.462960 FBy2pg1ix88ibHSEEf 3 0100212588B0FA59A777EF057B6627DF CN=Google Internet Authority G2,O=Google Inc,C=US CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US 1495452757.000000 1546300799.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T 0
+1512072318.462960 FlfUEZ3rbay3xxsd9i 3 12BBE6 CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US 1021953600.000000 1534824000.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T -
+#close 2017-11-30-20-08-27
diff --git a/testing/btest/Traces/tls/dtls-openssl.pcap b/testing/btest/Traces/tls/dtls1_0.pcap
similarity index 100%
rename from testing/btest/Traces/tls/dtls-openssl.pcap
rename to testing/btest/Traces/tls/dtls1_0.pcap
diff --git a/testing/btest/Traces/tls/dtls1_2.pcap b/testing/btest/Traces/tls/dtls1_2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a8ce0f92d5a4f99ec881ee246c5d4067938d099d GIT binary patch literal 3675 zcmd6q3pkY98pq%7n~TesaVxqYmy%2P#-)&U7>ejBR0u_GCGE6J%4yrhQS6kGlp-V| zZEa;s^|=-j9g3tYQX1DTQX6}Hs7ZC6=j@(yp69IRd1uXJl!_xJwStTlDTIY~Is zLD1-cp}`Jk#Z^xSIKV*z%JQbabPjji#w{$HTO?63QUZNGieNr zfiq}yjE>W3G>nGRXgG%BI1L4dVLMR~tBH09sR<+?Zp z1Q!|ugnuYf00ak0E_%cA1Ncwm^372G4<$s=Q9{BwiwIHnm0S`woTlhF)sCSP;qEJ- zLxaGNbdX%Uzop9mm4xDWg2H|&A(Yjygks;0kq}?TS`a!0mN=ljOU*_7;DAu+x%X4r ze=rK!YpIw1dcZ%l%9Ej|nxNJcthL5^LrFA{1b`&kYUqiNNg>?}R>WZs3uwN8mPIWH zXkI|`AVO(wL?~{RIJ^Z!AUtEJ;FQ0`HG<6)(Fn5&>tkaWivffsmqmy$Y4&ucG;U_k zl_n&qfv}jU-Np@`T6Tf%fu39?VhZ)4sMrK+|3J?l{XGK}9eq5!d;&KsE(r`$v<>ti z6lB?4s;~*)K_~e$Iy9*Nm`f0n{VXn5kKh{V8tNLZLLLl18~(Q<55<%}XM!<+7K(`j z5sHc8p%@08OHM!WPdla`b*;zcnL{|fU~-Qf&-egoKX-C`O{(cFzSBInOFLWVNh*o4;>!K4-ZfE|s>Vl8pO%ynvbAcaq*BG>T=|#%Z-Q?*Di_#PG)-NZ=kh+J;a?iS zbpm5P8DO{RFnQ;_h*+Cy?CnGE(lyjU1(;=Ul-WZp?9GnVGvXmx*m>y>Xi^1~+D_n4PQ$%g!}Cx2}f zCuCV>`klJoH*xW}PJ@SrN@9$iX=Cv67BIJwcobNgBh3=nR5} zy3fUdHVhI62BpmYXELZz|CZ}Ioule1HR-=WQHfe@^MZdqAqtm|qjj(!gq5X22R*aUXPb%~1 zdt;xJr&3!|9{1O-^;mnRM@0<4f0t}q~}#%sO~GupEa#;oY{w-u(}wd-ZJA{HOsYH2QoNPtuN~DiB5d)7${eB zMTfCJc0N(!tR-dDoLIguWa=*gmy)z1gO%>lQL&nz^Sa>wDqKCXL7mR zL*ey9_ruRe=xvow&Cs@JnVHwb6Uvu*o_I(hap17hD?y+_pe+WNHK2nQHDwyen$b@< z&8tNWKk;-achI`Q zjp1uny^mDf2x?KECvZm-XAUb&n zCS_lqS&%VuW*xB|b7sZ9=oZis0q>7=IslyIjMNv+USZ=NFPJ9(aKchaCMBngH0Nf2@7|*E{uP+e(d&gWG z&N&GSmZZZX2>|oalhWLbetf%!&gDD1cM$$h56`5VH`~?k?c%9#QR&xgV|nL=W(Mr- zs@$$@qc6=~?`B5hIIa0}PS=n1TNmGz;3cLIDKg_eUGEv_hDkXZIo1J)ExIp*1{y>w zBCB=uk7c&oD^I^|W82N_?JnyndlZK`$DYRh=dMl3F3U4;^1i${j>>P#QGh;_8)aYB z>BVTB*kkH+XYQaNKNjR5TBm`5o~L?{Q-nn9LfzYk=CXTjrH`ceG)*xph-?T>t161R z#Vw!sYm1sg1nW|xZ?SIvkU_0Wd%%LM8;+{UoZO}DZ3p}#8d=AC-)d@I?QCo)@3P8x z6?IU|Uapg$F`<^xJK1}~S@|%T$l_NsjBv~Se+=wNvbIv2G`~0Zm%JlY7xslc-*~k# zeW#0_ib+c8y6WRbZcl!mW_wlDkT<@$up}!^ROW8Zypoqs1q_kKhHvR>;sO0h8L_W0 
ztQ^IVFb0FAyZ9LTJxiS*%s(m?7xG(kPH9S$@q!yB#q0ImBWGL0_Oh?yjI46{Bgj&} z$=D^~em0|0f}&qqAqGp4Tgtvt7q2mmQdgJe7aHItG(Qi(a{E!SR6-;asv{-FU>GxuaZAKd_*HUBsgRQ{P9?gW zRHUJ#kS-^st8^iWI+8BJzrPur;dK80f6nuJ?8mqExA(i&UTf`luW!3|<@7IDfCqp6 z-~k2-C!VVLWj-5#FARK985 z&qfEA*N%*Qc>n+wPdJOg;RqNEiL9Ev+Af ziz1^MFqIEaUOuKV05x!m*hnC_2771hocwho{gM~msASaLzNC~ij z0Pq5N0SPDq1t1Hg1=0c>AcGMsw8k7r0z3|2u&_fFsDNoe8UCFPl;E=>kO9*0y%d-N z-)h4ZQ=pH4yeN{%G%nT#F(Aqh>j>C^f$%~3os@)jE~yW6IO8=ZTbXmiaVv- z(oG2)t8nFRoo}jDkMr(VHb9^NFcKpebPu4*ln4Ew55$7rrI#wAo7Z1#U&Pcn-d-3~ zOiA)9=eDMTs|lGKN`@MtLcci0N6;|n!X=0!RtvQK=0LJp6p}nA_ai@AH`w|4x(1u9 zKCjpm?WUEV3%cClkV7*_Ia>$aZ?3HnoNTyUn6x+k@DoXz)jMll?TyrjzAvHTr`>9X z8>HQjXlA99ri4T!8E-GZwD@Lhvz5Dg^W3}YCXwRD`eKS(f74gLa@ICGRKw;k9?C_hVr|<_B@@{ri=e}@yU$@B{ zh8m^>^c!VF5>N&K16ktsx+H=d|~_4cGGAabZcRvvkf0x`B1w_${aMT)4wudJ zrzs*-RF#C3^fFE~o9EADYp!H6V#n>061QtAq9C+OO3J`ESZJ;>ofD4mF*C$hi6H*c`eVvii-h2u!Wh3+mkUL6V8MlX(=lXGV2%9Q{;YT&lO84Pm;5u}{(LckB}5oY1!E?A zq8u7AQH~DdQ~pHagd6*FCwD|o>Ij%T0$M#0BRpF@u{L|lQsl-3=FE07d=l1rcx9KI*0KCbh4P!$g#1p z=n7ChB%v3C3l?_|^@q+O2wj7Oj8O;%gZG7uZ#X6+*ex0%JYIygiAh8lQ_M*wPRO4ikXU%uz0~R^)_T4eM4(2l>5h?Vw z0tPdJ$07jHKqYOw5~7$)b$LouoL)5$@>|TOlyj8@Suf95C+5;ybn*-NMN?U zTBftL|15!bwBgg++gHz|b`0k(^J=VEPF~XHQ{{1I_QTaWE*`HHWZg=eTHD+=8!ukm zf6}gDXt4=psqUTHbo{9%l4fM>`Q=!Xx{Et$`}NjM*DH3!$-eD=WYghwzh}2)zCn_2 z54AOoyK|X)?h2bu`JRR@+uOf1-e5*>YZ7fdC^u&uk}>N0MRCv1$roDm|8>c3VCa)= zG)3X$+1ZlosucapGeBdmn!S=-M@og>Qq65GWy`wgVRZM~4pB4Ldal`ORJqk#m0#BP z>zrJM1h)46hIZ9b>(`Aeo%rdFLGjy)S{6`hD&-Cz{~f&0S3Qzj%9Z`ny zffb7Uc)t^i6X4I%v|lKyOAvEYQ&^aon#~o~B{Wkr_-k%uZsqg;EP?)8>5*@MkM(W! 
z$gw6C^PjhREUC)0`$IWGCBrf4d3N0&nax_gKEwXf6{d?bi+GZr?%s!*`2o4T-9PzV zYbPYjUtPD$u4>H^%YM(#Gdl)zx~5*e)$b|Y@ACbC*R#axqA*Un;I@Z`9)er&h!nM) zwQ0oK=IC7F_Df6U@ZE_spLKlwPKzAe)w2Ghu}c}s?S225+hv5@zIP(G8%mCGyUXH< z+`i~;#0 zbZVu|GYbj^W#r;B)#uigZRavaiy4d@EbpWz>~z6~ypU~~gU1PhQgVsM5*g~xHUrT_)W>85vqgTC(1MMl;=}2}N(hlh=L>mG6gLU)NzH@S&mFX#3fc z&n;$>tKtI%`LOAT>GL+Z0sLSgvj}rpSt7Z zjqO=0Pxc09ET4s}KOC^)%G{QDZ#NrYEYlC(iYPs_;l|a@hPp>p+NOQOO0@~k+vb_v zyDi(X+jVepg;t>S1+WW|*G*rYXGO52H1U_f?}MP;%V+(rjzpBSZ_0`{JkKyKzEDBy zB7YjtFnt1WDUf^;5k9siQ$)?~`9;>QM@H?)RjAEIpD_pLb)Ck~y`YG|%y8WA}zX((P*$b5|L8yw5aB z-mt2)uh%c^F4%T~`h_~x{Gq_HIDvaT=kg72!<)DF%+J>iY-(#xRgP?M>$umF@T>Ao z?`PNF-Cbwt`P$cgtI@EBw#E0Lj>heWtdv1TF4ihXQfAoF_>LN3-@vl@9EyZm*=+Uf z^;R#wS$HZ~-CL(?_}I3Dddaj~38%LLANl&YnQgmerG!OVKz{sNMWo+PVE867?A2Eh zO{9E4QhFwk#FCDXuZDL|=RR<1)z*}CH_O{`;GP&s{E$N^;m2P{d9t>@?kjsCwB&axi(|Lt^PQzI~zER&#KAdiiR3s*0lTc(o~E{)|Rji5@>oUj9p*hube@dAWXRiINV(dml`&x&1#Ptq_geT)mDDGR({{F z#Y$^xnLmbHXF!-&qN-tCmn27y5xl97@c7x4*O$nOeJ)knHKTWEwVp?|XU@*9cWc_# zB!(_lVrc|$<}kinyVt9$wR=5K>#ELW4Y{AJR+9V5mw0R!J7}`e+-`Vt`ZeE&{4|G@ zBCWd;#YNB7?#^$^irds-7)o04YXJp$pu3KgKP4t;MDOGNtYWt-RrKLVVs57s=!QK{+G?#RRvqF*;Drt_rH6A-gx5S=`Xxi4oDQcE}VR={5RLL`SUIxGn7o0 zrIe)+MTrD2_R8Uvp(C1_k^d0UbSp%R+F0{f#HQ?jW}^`C(?*+d#4}?yV#|o&I`jbA zCSM_gi=$V_$0uGPqpOC9O0r<}+i}E76cKf(qb$7QUWmVj>)V$i+4PiS@a#p8v zi3hE-;!Vw?sNZ7RQ(6*S9-n;jJ}>%m;mG=P+aeVAgQ{((?UUTpV^4haZESl~LPalc zFeo5m%szG0M{h?#_Y2GUTL)&ytQ?%(>d+st5otR$khSIlVOB8T5FgZ%cYjI43uTFA zT-5go^+ezgZ%ffOnHDgfLn=aA_%e|eOt(T>s7Y1=Wnt~2b-^|L1S49Bn$ZR?j2{C` zrU0~nbcqAHYcdwPA^9G2H#?;t-E5ew`u=R?v-8?=ktG!ms8PE!KWkoZTA+I(A6u&{ z@9}PG)#jm3={dC2X_sf8k#9ORLQ9Bq}E| zT%VkCwGQ1}t`czjJkb4^X`8(5L)0^^YW4MPpD&+jRCuENg zgK_0GOJknz>8jG5&A963#_rj(J?>wbcP`wg*9=?I_e?X;i)~S9c5ras?OEM$>{~OJ zn{Gv{-hT2}wV6gaqf5-;@jEx4?jBg}a3Q`2_f_ZCz9+|v7d}Zm5`17`f6+<}=gidV zgad^~v>%50wdj21N!&mkzVZ4$NX?qd$IOnyWdFQjl!u|SYfz_`Lc}d?1P~0Phqk|@ z=1-#3td*LSnj%D)n&jDIsp%SwB2I-N)O@wE+5elmq5kR*f7ldI5;vZe$)=Q8c?M`v 
zw#%1%%1uMnHbAxLzi80*7qx%K10BMJ$jO430~6Jvh)n}xh=2J<#PCUBE~ZY*MYH2D t7dw;XKpB5@*IHMmN~vbM2BV0wpT!XWSFY-WHlBda9^rP5+sHyu{|y?K!hHY$ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/tls1_1.pcap b/testing/btest/Traces/tls/tls1_1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..36ad52c664fb28a6e03d3cdd7f45746029c7bfe4 GIT binary patch literal 6980 zcmb_h2V7Ih)}Nb-w9rJF5DSPP;Rd9Os5C30fCUR;5+D+ikc1|W78|T(7d3*et0>4? zKxK6W#1gT9fQX8Ux(cYUB7z8r1(i290XCq|_w9Z!zsxW9%$@nqnbYRXN$us|4&VR* z{PiIK1QLl%YT%qPB;W&|u~sypb@`^nvGhyV+)9;zCjis1?=(`)7U^M4=Q?MpdXEZH z5?C8!4+n#jxW2v%+X284h^G-eo`@hy$|l;Tf!I3&PL8hg0}0H4G}h#}@--kj6-+kF z1i*pxxdB7QRzOO6REXt|o!|-%$y#~IIdw90CIN@XkAMgmzj+W5TOMm)@oV1CZ_Y4& z9U!W+uLc#w-jSoQx01jYh=8@PP&(u&H~;u1iXIg(p8=qYN5Ew$#EW>GvG(quZI#Ole1RQ|_WIPpY0vo{wDMd;Ic3{0! zTRH;R0vkXFDA)sbgG`VCh3^5}!3-!D0{o!m!@k|0k?l zqcO?ifD5!A2Rts2%1l&wa_Ym21i$7$&mYq6d3RHeMKAeKo13@eQ0|IIAk~Ju=tD4T z#x|q^pb+4EN}md#^a9Fzpfm#&D@{ekWV0+h4#DA+Tt`3mnar&YL)AzlEH=*E_)ZN$ zREPkbMOQ&bknjNnk~S{DkFJesVuZ4`vNw+x%3)DwaT#<|bR5=+*ESmL6tM(cmWVn% zN)*NuutjlHZyVHjlp5WEPDkl<+sTf0_JNReMCmq@>9)3X6b(c}zPXf=s) z1b8t*0kB^gCq@vEXWX#hV@>_a%ek9kb`+w=-uLdj$04|7x(4?2l%+4+98Pum>^gd8 z)dB%N#45Epz+<~=(k=fCd#i%o4etfKXJtqAarW_{>HDIC>Sh-^>2zIZ)9)P2_PVCD zuc9!d!1zz|FVT9YvpOD~T8>UwM32i~{p#njD`v3o<7jgzA^y9BY~^_^>)+kVdOMLi zR~MhYB3k*FSM0Lcha#Si@pqY$;F5BKED6`DP|Xd~m}0yn8ZApyAF-r&qqXLp7UK!q z?Em~D+&d?$HQJ_Ws{Ye8mh%i#uPwfAdsQ;AaYRH|=Lm+1Up=>ToK@nmt3mSvNi()GF=~&R1s~v4^ zo$PD}ySZW#R3L;BtHWOgpB5S|vKc^@E7mHQ8_bClu^B>Hzsg?<4;CvB92vrZDbU#5 zq4XO5P&z7HO!*6m7eNaa4DW~<*0Fl{2*~wNjELA_9irh=qPYq@Gg%4*OQ=AE2o#90 zC5Me5i3ow`&%xBAmH^{EMhbx9Ukq?5(j9>{EESZco2YRE~Ocqbp zg;{}66b#isV{kDm7^I*TC_^$@M3)VeKg)Fp(IZ$Q0i2^a8bU=07-4L#Y`g|WaRv=S zZc}l*C{fgEmKB%B;PJxQa<1T_{r$3u(DeFA7Bh+gIpfIz$*^BUTP>3m=h=ufI)_}5wpI5uB;$><(QZlOb*yO zN-|l>#HJ`@oo|YmC=)OmHV`%tgs>b&dCLJB#cebR6N&iF*4F%Rwt}dwy=P7LhPELP zDGWvi2Q%clp)1bdF@$_{G!~N73AzNGf+C7`;IdEp`|Z=?+*_l~JnhCuqN>hL{j0q7zWltZ`Xm23hw}JMo9}Zatshx<*m7 zkDs2Tvhtj6@X1tADH-jqr`eoRXg-I!_3nvzEsSu+{2EW;_!WN3wpf*H2{00$=sYr6 z!Xo2J@2zb#%6D$6&Ec&M=1|?I%X1Ob&c+5NBQ~}UvRs62V++4_PIgX#|I4)Jzoi>{EeJ8o>wMFl 
zN!j9tI^UV+(%jzY^9@qH5*vQJ`X;S{{uZcN|pY~8mxPX(? z=RD{HRTpjci5a&mUtU>b@LQGNpezfs%j=2O<)yORQV`)`8VBG9rH;F=H&#K*pg7%K)8Y7XDmuZ zjR$BH*{IbYenM%&xCn+US3$L~`LZaXgkrJ%IE?Lo`(D*YEPoN=t6`EG;UvFT>8t&7 z6e{4<%Tf3m-@QYem7Oz_hn_PpLI%#6&L06FLBYVQ0BR?XTr_kNYLR80Wwvqr5K*kg zPD5*kfFraH6@|*228LtK|0O2Mg0Lw8bIQSVaqtN@%#~#UuwqtI-hC!BX4!?vk2kxG z$Cd42GyH>E=ibvdAIA*YW>mH*nHfabY<42EUYURHoW5&&yzP;s^WDT+ehJYm?&Y4c z%wn=WYjV|;7PqU&N1kfpqqY3ybH7-Dj*1Ib+fE-&?nSgyEBCrJmBdsyhuU{l-<^OH zxM!W`;@)@@Bc~!uTQv6>bgic(=N^o;vp!RHFlp4k8aFRG-X5B|U;?`8(CUSk9qzik z++cw?ZaR3ApP#e#`jtN`u0A|B&ZhH=UTJ(oy^D2ijYjjXxxF5RW0-2iU?-|&wrNSG z6VZ`UC7ucIBq8k=PX}G;;~#EJ+8k$D#IngQE~K|8zwI%x`2*lnVDL*o#kgj90K{vR zG%E^<2(Mv2Lt~x>irG25hLJrZqu3$Av2-hVR>B???eYCRR6iCYO2DGJvjie`2pi@; ztiP^fSo}k6VEm(_lTrAQ-^CmU$^S`={cnNqVU->O{oFljoWY{RW%W}yj?W_tW7BKT z9jKf8{;>NQe9OEsWTn)HORPhjCY~q8ZvMsb1+j2VVq{M9l~uVXUnf6LGpFn`z1Oy` zD?c~AEc5ydJv*IW@-w}*)8<#a+2npnSF+g3_jQ_8^4i7uo$W#4x53t8o%cE;?H)+I zvf~Bi=@+jDSl+0~n7Y@DSyf-XPCv53r@8iS{1N>d0Z+zub~ z)x(=FBt$kHvvqBBEFs&kU%fZ(r7qeXB(;1I8UFl(Jn*G-peb!b!rsj0un(5Ef0Nwz zt{X?ym~Wf;)Bak8u=mZVNEr-UL=+F5TxK7NanM=r@wO-(wa&82vfMba-{YZQ(?VH1 z5q5C?<@Q3E@i2mAZtsK5r4qbRPt=`6fR6xmL7fJ?8i(jwVOT<#$jNd=MKA$No@5HG z1uQ;K$QJPgal>pIpOONi8@0GTb9A*fqNLwalx}t?m6b&%hP0Qq)w-DUb##>b+;ew4 zS&Sy=)dZ|NxTexxbMK3pA=wd0McTFAUp5CW7k)baz|cnD@mR)Wouj*Mw`LpZD9t)k z(v<#soqg-*MZAiK=Y))(o+rgm9b4&2ZVPf0?R|##^*L}Nvpu+Ty_*)SjUaPW0pg7Z zqoxzeA5ZFCQH}RZ?Ot1*9q|LfeM919T-k+*qH2r4h^+(o=It`rapRJgwGj;l%N(2aw^~|o{iu2p~?D4~bMJYY(*QI`l=Qe8gib<+JY6y-v=RG~e+5Ij1w3=8w&#r!qN4Jj%7Cj4WM&M~@R z*V3s6-@DXBtyF%V?WnSRVT$o7SIJIKJDtsKLAogk-NidLKUbMk{x)dilRN5PW@dFI z-DBwX=B)3ry8W(EDqgm_b!G0KuWS?cR2db~uhs`KceiC+>h`~5 z9BAX>Z-7<22#Yef=4Js#M)N{&I|ozQd!Xz6Lo)C z7ar#j1r|7K|0OTOd1=7X?Q}wFf{3i&igIl(?mRo^=Pu)li+d|Js%yRb7?3Bq78Dz5P#H% zIBx%{ndN;qwuxpUQ4P_p=Aep%Y1UHtmO-!1B6PP|)HV>{!) 
zXPXU}ggpJpfCbG5YhRhrVnbLoh9;CS)P&ma2iC?)eD%P|n5FW))x&!DBY>ny!Cerj z{<8K&Sk;S!YlZViwUKV8-9S8MS7_|(y|}E=Pf|SJbQ^pBB8pX!C^hiZjNK+57p-r) zxThvxbY`xRFlCKFB7H9>sPeRgv+&@jH-99}$y?sp{-*tv@%dz<{CuO6f>&DR>>&Rm zTeErQUN<@=*9rnOe{U#hFfJ|EY7TvIExnsO|6Tb{`>lgLaF24jmMVQf?l`_8hm_fn z4%(ik`um&huT5<^exY#Q$0Cb!Ub^AJGge*KMt0TH9{Z#1dbcmRt<vqHoK)0&BJVYkRiv4NDfE)%Tpt-7e~RzmoCP z-8-tIb>CU#=XsxFyq4{8iOmVr4lCb2sJI>gjy6=RH$EfKBFHwVoNW+(7=zat=`EX z)iItNH@oGNS!Ce*Wy!WZ1v-_Z8fvkneR_z0+pl6PWE;?gC4ZrO13~8B`$NOn4YR#o zr=hmjLBeb=Sp%HR%?8jBh{}+zfUOea>i|Ujha%C3B5C}8h~%#2_v-$}(`1|R_{L@` zVcq}ay30_BvJbY6``^c!F2i#FCYC0|Dpkb7P5S%)@x)d_Rgs~s^$n=1f%RQgEs$|E TVHihbOf5219T-%V1nc`ZNmQ> ssl-all.log # @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log # @TEST-EXEC: btest-diff ssl-all.log # Test the new client and server key exchange events. diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index 0b9c5fc157..7c7dc90e4c 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -1,5 +1,15 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# +# The following file contains a tls 1.0 connection with a SCT in a TLS extension. +# This is interesting because the digitally-signed struct in TLS 1.0 does not come +# with a SignatureAndHashAlgorithm structure. The digitally-signed struct in the +# SCT is, however, based on the TLS 1.2 RFC, no matter which version of TLS one +# uses in the end. So this one does have a Signature/Hash alg, even if the protocol +# itself does not carry it in the same struct. +# +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: test ! -f dpd.log export { type LogInfo: record { diff --git a/testing/btest/scripts/base/protocols/ssl/tls1_1.test b/testing/btest/scripts/base/protocols/ssl/tls1_1.test new file mode 100644 index 0000000000..885a047ebe --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls1_1.test @@ -0,0 +1,6 @@ +# This tests a normal SSL connection and the log it outputs. + +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: test ! -f dpd.log
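Review bot: The header comment of the new tls1_1.test, `# This tests a normal SSL connection and the log it outputs.`, does not say why this test exists and reads like the wording of a generic connection test. Going by the commit message, the file is there to cover a TLS 1.1 handshake, where the digitally-signed struct of ServerKeyExchange carries no SignatureAndHashAlgorithm, and the final `test ! -f dpd.log` line is presumably what would catch the analyzer mis-parsing that message. I would reword the comment to `# Tests a TLS 1.1 connection: ServerKeyExchange carries no SignatureAndHashAlgorithm here, so parsing must succeed and no dpd.log may be written.` so that a later maintainer does not drop the dpd.log check as redundant.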