Implement X509 certificate log caching

By default, each certificate is now output only once per hour. This also should work in cluster mode, where we use the net broker-table-syncing feature to distribute the information about already seen certificates across the entire cluster. Log caching is also pretty configureable and can be changed using a range of confiuration options and hooks. Note that this is currently completely separate from X509 events caching, which prevents duplicate parsing of X509 certificates.
2025-10-02 06:38:20 +00:00 · 2021-06-28 15:41:57 +01:00 · 2021-06-28 15:41:57 +01:00 · dde1e2e77e
commit dde1e2e77e
parent 311e113ff6
17 changed files with 400 additions and 152 deletions
--- a/scripts/base/files/x509/certificate-event-cache.zeek
+++ b/scripts/base/files/x509/certificate-event-cache.zeek
@ -14,17 +14,17 @@ module X509;

 export {
 	## How often do you have to encounter a certificate before
-	## caching it. Set to 0 to disable caching of certificates.
+	## caching the events for it. Set to 0 to disable caching of certificates.
 	option caching_required_encounters : count = 10;

 	## The timespan over which caching_required_encounters has to be reached
 	option caching_required_encounters_interval : interval = 62 secs;

 	## After a certificate has not been encountered for this time, it
-	## may be evicted from the certificate cache.
+	## may be evicted from the certificate event cache.
 	option certificate_cache_minimum_eviction_interval : interval = 62 secs;

-	## Maximum size of the certificate cache
+	## Maximum size of the certificate event cache
 	option certificate_cache_max_entries : count = 10000;

 	## This hook performs event-replays in case a certificate that already
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@ -1,6 +1,7 @@

@load base/frameworks/files
@load base/files/hash
+@load base/frameworks/cluster

 module X509;

@ -18,6 +19,17 @@ export {
 	## file ID is not present in the X509 log.
 	option log_x509_in_files_log: bool = F;

+	## Type that is used to decide which certificates are duplicates for loggign purposes.
+	## When adding entries to this, also change the create_deduplication_index to update them.
+	type LogCertHash: record {
+		## Certificate fingerprint
+		fp: string;
+		## Indicates if this certificate was a end-host certificate, or sent as part of a chain
+		host_cert: bool;
+		## Indicates if this certificate was sent from the client
+		client_cert: bool;
+	};
+
 	## The record type which contains the fields of the X.509 log.
 	type Info: record {
 		## Current timestamp.
@ -43,8 +55,13 @@ export {
 		host_cert: bool &log &default=F;
 		## Indicates if this certificate was sent from the client
 		client_cert: bool &log &default=F;
+		## Record that is used to deduplicate log entries.
+		deduplication_index: LogCertHash &optional;
 	};

+	## Hook that is used to create the index value used for log deduplication.
+	global create_deduplication_index: hook(c: X509::Info);
+
 	## This record is used to store information about the SCTs that are
 	## encountered in Certificates.
 	type SctInfo: record {
@ -65,10 +82,33 @@ export {
 		signature: string;
 	};

+	## By default, x509 certificates are deduplicated. This configuration option configures
+	## the maximum time after which certificates are re-logged. Note - depending on other configuration
+	## options, this setting might only apply on a per-worker basis and you still might see certificates
+	## logged several times.
+	##
+	## To disable deduplication completely, set this to 0secs.
+	option relog_known_certificates_after = 1day;
+
+	## The set that stores information about certificates that already have been logged and should
+	## not be logged again.
+	global known_log_certs: set[LogCertHash] &create_expire=relog_known_certificates_after;
+
+	## Maximum size of the known_log_certs table
+	option known_log_certs_maximum_size = 1000000;
+
+	## Use broker stores to deduplicate certificates across the whole cluster. This will cause log-deduplication
+	## to work cluster wide, but come at a slightly higher cost of memory and inter-node-communication.
+	##
+	## This setting is ignored if Zeek is run in standalone mode.
+	global known_log_certs_use_broker: bool = T;
+
 	## Event for accessing logged records.
 	global log_x509: event(rec: Info);
 }

+global known_log_certs_with_broker: set[LogCertHash] &create_expire=relog_known_certificates_after &backend=Broker::MEMORY;
+
 redef record Files::Info += {
 	## Information about X509 certificates. This is used to keep
 	## certificate information until all events have been received.
@ -96,11 +136,14 @@ event zeek_init() &priority=5
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
-
-	# SHA256 is used by us to determine which certificates to cache.
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/pkix-cert");
+
+@if ( Cluster::is_enabled() )
+	if ( known_log_certs_use_broker )
+		known_log_certs = known_log_certs_with_broker;
+@endif
 	}

 hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter) &priority=5
@ -109,6 +152,14 @@ hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter) &prio
 		break;
 	}

+hook create_deduplication_index(i: X509::Info)
+	{
+	if ( i?$deduplication_index || relog_known_certificates_after == 0secs )
+		return;
+
+	i$deduplication_index = LogCertHash($fp=i$fp, $host_cert=i$host_cert, $client_cert=i$client_cert);
+	}
+
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
 	local der_cert = x509_get_certificate_string(cert_ref);
@ -158,6 +209,17 @@ event file_state_remove(f: fa_file) &priority=5
 	if ( ! f$info?$x509 )
 		return;

+	if ( ! f$info$x509?$deduplication_index )
+		hook create_deduplication_index(f$info$x509);
+
+	if ( f$info$x509?$deduplication_index )
+		{
+		if ( f$info$x509$deduplication_index in known_log_certs )
+			return;
+		else if ( |known_log_certs| < known_log_certs_maximum_size )
+			add known_log_certs[f$info$x509$deduplication_index];
+		}
+
 	Log::write(LOG, f$info$x509);
 	}

--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -563,7 +563,9 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> <no result>
@ -1585,7 +1587,9 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100))
@ -2606,7 +2610,9 @@
 0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_max_entries, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(X509::hash_function, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::known_log_certs_maximum_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(X509::log_x509_in_files_log, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::relog_known_certificates_after, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
--- a/testing/btest/Baseline/scripts.base.files.x509.event-caching/.stdout
+++ b/testing/btest/Baseline/scripts.base.files.x509.event-caching/.stdout
--- a/testing/btest/Baseline/scripts.base.files.x509.event-caching/x509.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.event-caching/x509.log
--- a/testing/btest/Baseline/scripts.base.files.x509.log-caching-cluster/manager-1.x509.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.log-caching-cluster/manager-1.x509.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	a97a22b691caf62c1623d14abf8a31ac915f14d87f77d8a37c47eb4785b484ad	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.files.x509.log-caching-disabled-cluster/manager-1.x509.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.log-caching-disabled-cluster/manager-1.x509.log
@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	a97a22b691caf62c1623d14abf8a31ac915f14d87f77d8a37c47eb4785b484ad	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
+XXXXXXXXXX.XXXXXX	a97a22b691caf62c1623d14abf8a31ac915f14d87f77d8a37c47eb4785b484ad	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.files.x509.log-caching/x509.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.log-caching/x509.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
@ -10,7 +10,4 @@
 XXXXXXXXXX.XXXXXX	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
 XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
 XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
-XXXXXXXXXX.XXXXXX	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-	T	F
-XXXXXXXXXX.XXXXXX	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
-XXXXXXXXXX.XXXXXX	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-	F	F
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/scripts/base/files/x509/event-caching.test
+++ b/testing/btest/scripts/base/files/x509/event-caching.test
@ -1,4 +1,4 @@
-# Test that certificate caching works as expected.
+# Test that certificate event caching works as expected.

 # @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
 # @TEST-EXEC: btest-diff x509.log
@ -8,6 +8,8 @@

 redef X509::caching_required_encounters = 1;

+redef X509::relog_known_certificates_after = 0secs;
+
 hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
 	{
 	print "Encountered cached certificate not further handled by core", sha256;
--- a/testing/btest/scripts/base/files/x509/log-caching-cluster.test
+++ b/testing/btest/scripts/base/files/x509/log-caching-cluster.test
@ -0,0 +1,63 @@
+# Test that certificate log deduplication works in clustered mode.
+#
+# @TEST-PORT: BROKER_PORT1
+# @TEST-PORT: BROKER_PORT2
+# @TEST-PORT: BROKER_PORT3
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+
+# @TEST-EXEC: $SCRIPTS/wait-for-file manager-1/lost 15 || (btest-bg-wait -k 1 && false)
+
+# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff manager-1/x509.log
+
+@TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+@load base/protocols/ssl
+@load base/frameworks/cluster
+@load base/frameworks/logging
+
+redef Log::default_rotation_interval = 0secs;
+redef Log::default_rotation_postprocessor_cmd = "echo";
+redef exit_only_after_terminate = T;
+
+event terminate_me() {
+	terminate();
+}
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	continue_processing();
+	}
+@endif
+
+event SSL::log_ssl(i: SSL::Info)
+	{
+	print "log_line";
+	schedule 2secs { terminate_me() };
+	}
+
+global peers_lost = 0;
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	++peers_lost;
+	system("touch lost");
+
+	if ( peers_lost == 2 )
+		schedule 2sec { terminate_me() };
+	}
--- a/testing/btest/scripts/base/files/x509/log-caching-disabled-cluster.test
+++ b/testing/btest/scripts/base/files/x509/log-caching-disabled-cluster.test
@ -0,0 +1,65 @@
+# Test that certificate log deduplication can be disabled in clustered mode.
+#
+# @TEST-PORT: BROKER_PORT1
+# @TEST-PORT: BROKER_PORT2
+# @TEST-PORT: BROKER_PORT3
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+
+# @TEST-EXEC: $SCRIPTS/wait-for-file manager-1/lost 15 || (btest-bg-wait -k 1 && false)
+
+# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff manager-1/x509.log
+
+@TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+@load base/protocols/ssl
+@load base/frameworks/cluster
+@load base/frameworks/logging
+
+redef Log::default_rotation_interval = 0secs;
+redef Log::default_rotation_postprocessor_cmd = "echo";
+redef exit_only_after_terminate = T;
+
+redef X509::relog_known_certificates_after = 0secs;
+
+event terminate_me() {
+	terminate();
+}
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	continue_processing();
+	}
+@endif
+
+event SSL::log_ssl(i: SSL::Info)
+	{
+	print "log_line";
+	schedule 2secs { terminate_me() };
+	}
+
+global peers_lost = 0;
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	++peers_lost;
+	system("touch lost");
+
+	if ( peers_lost == 2 )
+		schedule 2sec { terminate_me() };
+	}
--- a/testing/btest/scripts/base/files/x509/log-caching.test
+++ b/testing/btest/scripts/base/files/x509/log-caching.test
@ -0,0 +1,7 @@
+# Test that certificate log caching works as expected.
+# The trace has duplicate certificates - they should only be output once to X509.log.
+
+# @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/ftp/gridftp.test
+++ b/testing/btest/scripts/base/protocols/ftp/gridftp.test
@ -10,6 +10,8 @@ module GridFTP;

 redef size_threshold = 2;

+redef X509::relog_known_certificates_after = 0secs;
+
 redef enum Notice::Type += {
    Data_Channel
 };
--- a/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
@ -2,3 +2,5 @@
 # @TEST-EXEC: btest-diff x509.log

@load protocols/ssl/log-hostcerts-only
+
+redef X509::relog_known_certificates_after = 0secs;