Change end-of-connection handling for validation

Move from using CCS (before: established) to just doing certificate
validation at the end of the connection.

This is (again) more robust in the case of an aborted connection. I am
moving this into a hook because of the complexity of the
end-of-connection handling for SSL.

This should probably be extended to not just handle SSL validation, but
all other logging constructs that are currently called in _established.
Johanna Amann 2017-05-11 22:50:20 -07:00
parent a334247478
commit eb50b3fed1
3 changed files with 17 additions and 15 deletions

@ -103,6 +103,9 @@ export {
## Event that can be handled to access the SSL
## record as it is sent on to the logging framework.
global log_ssl: event(rec: Info);
# do everything you want to do right before logging here
global ssl_finishing: hook(c: connection);
}
redef record connection += {
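Review bot: the comment on the new ssl_finishing hook uses a single # while the neighbouring log_ssl export is documented with ##, so the hook will not be picked up as a documented part of the export block. Suggest making it a ## comment and stating when the hook is invoked (on ssl_established and, for connections not yet logged, on connection_state_remove) and what state of c$ssl handlers can rely on, since this is the extension point other scripts are meant to attach to.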
@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7
c$ssl$established = T;
}
event ssl_established(c: connection) &priority=20
{
hook ssl_finishing(c);
}
event ssl_established(c: connection) &priority=-5
{
finish(c, T);
}
event connection_state_remove(c: connection) &priority=20
{
if ( c?$ssl && ! c$ssl$logged )
hook ssl_finishing(c);
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ssl )
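Review bot: in the ssl_established handlers, the hook is called at &priority=20, which runs before the &priority=7 handler that sets c$ssl$established = T, so ssl_finishing handlers reached through this path see the record before established is set, while the same handlers reached through connection_state_remove may see either state. If validation code is meant to look at c$ssl$established, call the hook at a priority between 7 and -5 instead, or document that the field is not reliable inside the hook. Separately, the connection_state_remove path is guarded by "c?$ssl && ! c$ssl$logged" but the ssl_established path calls the hook unconditionally; a short comment on whether handlers must tolerate being run more than once for the same connection would help.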