Change end-of-connection handling for validation
Move from using CCS (before: established) to just doing certificate validation at the end of the connection. This is (again) more robust in the case of aborted connections. I am moving this into a hook because of the complexity of the end-of-connection handling for SSL. This should probably be extended to not just handle SSL validation, but all other logging constructs that are currently called in _established.
This commit is contained in:
parent
a334247478
commit
eb50b3fed1
3 changed files with 17 additions and 15 deletions
@ -103,6 +103,9 @@ export {
|
|||
## Event that can be handled to access the SSL
|
||||
## record as it is sent on to the logging framework.
|
||||
global log_ssl: event(rec: Info);
|
||||
|
||||
# do everything you want to do right before logging here
|
||||
global ssl_finishing: hook(c: connection);
|
||||
}
|
||||
|
||||
redef record connection += {
|
||||
|
@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7
|
|||
c$ssl$established = T;
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=20
|
||||
{
|
||||
hook ssl_finishing(c);
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=-5
|
||||
{
|
||||
finish(c, T);
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=20
|
||||
{
|
||||
if ( c?$ssl && ! c$ssl$logged )
|
||||
hook ssl_finishing(c);
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=-5
|
||||
{
|
||||
if ( c?$ssl )
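Review bot: In the new `event ssl_established(c: connection) &priority=20` handler the hook fires before the `&priority=7` handler above it sets `c$ssl$established = T`, so an `ssl_finishing` handler cannot tell the completed-handshake path from the `connection_state_remove` fallback by inspecting `c$ssl$established`; if handlers are expected to distinguish the two, invoke the hook at a priority below 7, e.g. `event ssl_established(c: connection) &priority=5`, which still runs ahead of the `&priority=-5` `finish(c, T)`. Separately, the declaration in the first hunk is introduced by a single-`#` line (`# do everything you want to do right before logging here`), so unlike `log_ssl` directly above it the hook will not show up in generated documentation; I would replace that line with a `##` comment such as `## Hook raised once right before the SSL record is logged: from ssl_established, or from connection_state_remove for connections that have not been logged by then.` The `if ( c?$ssl )` body at the end of the second hunk continues outside it.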
|
||||
@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result
|
|||
return result;
|
||||
}
|
||||
|
||||
# The server issues CCS only after sending the certificates. This should
|
||||
# be more robust than using SSL_established, on the off chance that we don't
|
||||
# get that event.
|
||||
#
|
||||
# This is not TLSv1.3 compatible - but we will not have certificates in
|
||||
# that case in any way, so it even saves us a few cycles.
|
||||
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3
|
||||
hook ssl_finishing(c: connection) &priority=20
|
||||
{
|
||||
if ( is_orig )
|
||||
return;
|
||||
|
||||
# If there aren't any certs we can't very well do certificate validation.
|
||||
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
|
||||
! c$ssl$cert_chain[0]?$x509 )
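Review bot: The new `hook ssl_finishing(c: connection) &priority=20` handler dereferences `c$ssl` unguarded in `if ( ! c$ssl?$cert_chain || ...`; the `connection_state_remove` caller added in this commit checks `c?$ssl` first, but the hook is exported and nothing in the handler itself enforces that precondition, so a guard `if ( ! c?$ssl ) return;` at the top would keep any other caller from triggering a script runtime error on a connection without SSL state. The removed comment block explained why validation was tied to the server's CCS, but the replacement says nothing about when validation now runs; I would add a comment along the lines of `# Validate from ssl_finishing (raised at ssl_established, or at connection_state_remove if the connection ends first) so aborted connections are covered too.` The handler body continues past the end of the hunk.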
|
||||
@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log
|
|||
c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
|
||||
}
|
||||
|
||||
# Priority = 2 will be handled after validation is done
|
||||
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2
|
||||
# Priority = 19 will be handled after validation is done
|
||||
hook ssl_finishing(c: connection) &priority=19
|
||||
{
|
||||
if ( is_orig )
|
||||
return;
|
||||
|
||||
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
|
||||
return;
|
||||