Update Mozilla CA list and CT anchors.

This commit switches to only allowing the CT logs that are currently accepted by Google Chrome - which makes much more sense for us since this is (potentially) used for validation. Additional CT logs can be added in user-scripts.
2025-10-10 02:28:21 +00:00 · 2021-06-30 13:54:13 +01:00 · 2021-06-30 13:54:13 +01:00 · a193b08ecf
commit a193b08ecf
parent 09229c58d7
3 changed files with 17 additions and 85 deletions
--- a/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
@ -7,6 +7,10 @@

@load protocols/ssl/validate-sct

+redef SSL::ct_logs += {
+["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = SSL::CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"),
+};
+
 module SSL;

 event ssl_established(c: connection)