Add policy script suppressing certificate events

The added disable-certificate-events-known-certs.zeek disables repeated
X509 events in SSL connections, given that the connection terminates at
the same server and used the samt SNI as a previously seen connection
with the same certificate.

For people that see significant amounts of TLS 1.2 traffic, this could
reduce the amount of raised events significantly - especially when a
lot of connections are repeat connections to the same servers.

The practical impact of not raising these events is actually very little
- unless a script directly interacts with the x509 events, everything
works as before - the x509 variables in the connection records are still
being set (from the cache).

scripts/base/files/x509/main.zeek

@@ -136,6 +136,9 @@ event zeek_init() &priority=5
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
+
+	# Please note that SHA256 caching is required to be enabled for the certificate event
+	# caching that is set up in certificate-event-cache.zeek to work.
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/pkix-cert");

scripts/policy/files/x509/disable-certificate-events-known-certs.zeek

@@ -0,0 +1,84 @@
+##! This script disables repeat certificate events for hosts for hosts for which the same
+##! certificate was seen in the recent past;
+##!
+##! This script specifically plugs into the event caching mechanism that is set up by the
+##! base X509 script certificate-event-cache.zeek. It adds another layer of tracking that
+##! checks if the same certificate was seen for the server IP address before, when the same
+##! SNI was used to connect. If the certificate is in the event cache and all of these conditions
+##! apply, then no certificate related events will be raised.
+##!
+##! Please note that while this optimization can lead to a considerable reduction of load in some
+##! settings, it also means that certain detection scripts that rely on the certificate events being
+##! raised do no longer work - since the events will not be raised for all connections.
+##!
+##! Currently this script only works for X509 certificates that are sent via SSL/TLS connections.
+##!
+##! If you use any script that requires certificate events for each single connection,
+##! you should not load this script.
+
+@load base/protocols/ssl
+@load base/files/x509
+
+module DisableX509Events;
+
+## Let's be a bit more generous with the number of certificates that we allow to be put into
+## the cache.
+redef X509::certificate_cache_max_entries = 100000;
+
+type CacheIndex: record {
+	## IP address of the server the certificate was seen on.
+	ip: addr;
+	## SNI the client sent in the connection
+	sni: string &optional;
+	## sha256 of the certificate
+	sha256: string;
+};
+
+redef record SSL::Info += {
+	## Set to true to force certificate events to always be raised for this connection.
+	always_raise_x509_events: bool &default=F;
+};
+
+redef record X509::Info += {
+	## Set to true to force certificate events to always be raised for this certificate.
+	always_raise_x509_events: bool &default=F;
+};
+
+global certificate_replay_tracking: set[CacheIndex] &read_expire=X509::certificate_cache_minimum_eviction_interval;
+
+hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
+	{
+	# Bail out if x509 is already set - or if the file tells us that we should always raise events.
+	if ( f$info?$x509 || e$always_raise_x509_events )
+		return;
+
+	local raise_events = F;
+
+	# not sure how that could happen - but let's be safe...
+	if ( |f$conns| == 0 )
+		return;
+
+	for ( c in f$conns )
+		{
+		if ( ! f$conns[c]?$ssl )
+			return;
+
+		local test = CacheIndex($ip=f$conns[c]$id$resp_h, $sha256=sha256);
+		if ( f$conns[c]$ssl?$server_name )
+			test$sni = f$conns[c]$ssl$server_name;
+
+		if ( test !in certificate_replay_tracking || f$conns[c]$ssl$always_raise_x509_events )
+			{
+			raise_events = T;
+			add certificate_replay_tracking[test];
+			}
+		}
+
+	if ( ! raise_events )
+		{
+		# We don't have to raise the events. :).
+		# Instead we just already set f$x509. That makes the data available to scripts that might need them - and the x509_certificate_cache_replayh
+		# hook in certificate-event-cache will just abort.
+		f$info$x509 = e;
+		}
+	}

scripts/test-all-policy.zeek

@@ -41,6 +41,7 @@
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/unified2/__load__.zeek
 @load files/unified2/main.zeek
+@load files/x509/disable-certificate-events-known-certs.zeek
 @load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek

testing/btest/Baseline/coverage.bare-mode-errors/errors

@@ -2,8 +2,8 @@
 ### NOTE: This file has been sorted with diff-sort.
 warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:10 "Remove in v5.1. Use log-certs-base64.zeek instead."
 warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead."
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default")
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default")
+warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:45 ("Remove in v5.1. OCSP logging is now disabled by default")
+warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:45 ("Remove in v5.1. OCSP logging is now disabled by default")
 warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now disabled by default")
 warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:4 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
 warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/.stdout

@@ -0,0 +1,53 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/ssl.log

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fps	client_cert_chain_fps	subject	issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.71.55.249	37680	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	167.71.55.249	37682	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	167.71.55.249	37684	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	167.71.55.249	37686	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	167.71.55.249	37688	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	167.71.55.249	37690	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	167.71.55.249	37692	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	167.71.55.249	37694	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/x509.log

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47	3	FD62E14283CA9DF30A00000000DCA0BE	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	www.google.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522	3	0203BC53596B34C718F5015066	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	CN=GTS Root R1,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	3	77BD0D6CDB36F91AEA210FC4F058D30D	CN=GTS Root R1,O=Google Trust Services LLC,C=US	CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	4096	65537	-	-	-	-	-	T	-	F	F
+XXXXXXXXXX.XXXXXX	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d	3	9AFA430EE8EEE2FF0A00000000DCA0C8	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	id-ecPublicKey	sha256WithRSAEncryption	ecdsa	256	-	prime256v1	www.google.com	-	-	-	F	-	T	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/.stdout

@@ -0,0 +1,39 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+x509_certificate, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+Hook for, CN=www.google.com
+Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/ssl.log

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fps	client_cert_chain_fps	subject	issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.71.55.249	37680	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	167.71.55.249	37682	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	167.71.55.249	37684	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	167.71.55.249	37686	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	167.71.55.249	37688	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	167.71.55.249	37690	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	167.71.55.249	37692	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	167.71.55.249	37694	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/x509.log

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47	3	FD62E14283CA9DF30A00000000DCA0BE	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	www.google.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522	3	0203BC53596B34C718F5015066	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	CN=GTS Root R1,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	3	77BD0D6CDB36F91AEA210FC4F058D30D	CN=GTS Root R1,O=Google Trust Services LLC,C=US	CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	4096	65537	-	-	-	-	-	T	-	F	F
+XXXXXXXXXX.XXXXXX	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d	3	9AFA430EE8EEE2FF0A00000000DCA0C8	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	id-ecPublicKey	sha256WithRSAEncryption	ecdsa	256	-	prime256v1	www.google.com	-	-	-	F	-	T	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/.stdout

@@ -0,0 +1,33 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com
+x509_certificate, CN=www.google.com
+x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
+x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US
+finishing, CN=www.google.com

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/ssl.log

@@ -0,0 +1,18 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fps	client_cert_chain_fps	subject	issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.71.55.249	37680	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	167.71.55.249	37682	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	167.71.55.249	37684	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	167.71.55.249	37686	142.250.179.196	443	TLSv12	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	-	-	F	-	-	T	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	167.71.55.249	37688	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	167.71.55.249	37690	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	167.71.55.249	37692	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	167.71.55.249	37694	142.250.179.196	443	TLSv12	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	-	www.google.com	F	-	-	T	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	(empty)	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	ok
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/x509.log

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fp	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
+XXXXXXXXXX.XXXXXX	7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47	3	FD62E14283CA9DF30A00000000DCA0BE	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	www.google.com	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522	3	0203BC53596B34C718F5015066	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	CN=GTS Root R1,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5	3	77BD0D6CDB36F91AEA210FC4F058D30D	CN=GTS Root R1,O=Google Trust Services LLC,C=US	CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha256WithRSAEncryption	rsa	4096	65537	-	-	-	-	-	T	-	F	F
+XXXXXXXXXX.XXXXXX	c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d	3	9AFA430EE8EEE2FF0A00000000DCA0C8	CN=www.google.com	CN=GTS CA 1C3,O=Google Trust Services LLC,C=US	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	id-ecPublicKey	sha256WithRSAEncryption	ecdsa	256	-	prime256v1	www.google.com	-	-	-	F	-	T	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/files/x509/disable-certificate-events-known-certs.zeek

@@ -0,0 +1,46 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/google-cert-repeat.pcap common.zeek %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff .stdout
+
+@TEST-START-FILE common.zeek
+
+@load base/protocols/ssl
+@load protocols/ssl/validate-certs.zeek
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+	{
+	print "x509_certificate", cert$subject;
+	}
+
+hook SSL::ssl_finishing(c: connection)
+	{
+	print "finishing", c$ssl$cert_chain[0]$x509$certificate$subject;
+	}
+
+hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
+	{
+	print "Hook for", e$certificate$subject;
+	}
+
+@TEST-END-FILE
+
+# First: Plain, no changes - certificate event caching won't even engage.
+
+# @TEST-START-NEXT
+
+# Second - engage certificate caching.
+# Log files and events are unchanged - but the replay hook engages
+
+redef X509::caching_required_encounters = 1;
+redef X509::certificate_cache_minimum_eviction_interval = 11min;
+
+# @TEST-START-NEXT
+
+# Third - load policy script to not raise events
+# Log files are unchanged; events are not raised from the third time.
+
+redef X509::caching_required_encounters = 1;
+redef X509::certificate_cache_minimum_eviction_interval = 11min;
+
+@load policy/files/x509/disable-certificate-events-known-certs