SSL/TLS: Parse CertificateRequest message

This commit introduces parsing of the CertificateRequest message in the TLS handshake. It introduces a new event ssl_certificate_request, as well as a new function parse_distinguished_name, which can be used to parse part of the ssl_certificate_request event parameters. This commit also introduces a new policy script, which appends information about the CAs a TLS server requests in the CertificateRequest message, if it sends it.
2025-10-02 06:38:20 +00:00 · 2023-03-09 08:20:50 +01:00 · 2023-03-09 08:20:50 +01:00 · b56b856da9
commit b56b856da9
parent b73dda5cff
17 changed files with 221 additions and 4 deletions
--- a/scripts/policy/protocols/ssl/certificate-request-info.zeek
+++ b/scripts/policy/protocols/ssl/certificate-request-info.zeek
@ -0,0 +1,23 @@
+##! When the server requests a client certificate, it optionally may specify a list of CAs that
+##! it accepts. If the server does this, this script adds this list to ssl.log.
+
+@load base/protocols/ssl
+
+module SSL;
+
+redef record SSL::Info += {
+	## List of cient certificate CAs accepted by the server
+	requested_client_certificate_authorities: vector of string &optional &log;
+};
+
+event ssl_certificate_request(c: connection, is_client: bool, certificate_types: index_vec, supported_signature_algorithms: SSL::SignatureAndHashAlgorithm, certificate_authorities: string_vec)
+	{
+	if ( is_client )
+		return;
+
+	local out: vector of string = vector();
+	for ( i in certificate_authorities )
+		out[i] = parse_distinguished_name(certificate_authorities[i]);
+
+	c$ssl$requested_client_certificate_authorities = out;
+	}