From b014e8e56eb3e100aac8ac334120ef1a7f438ca5 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Fri, 15 Aug 2025 22:06:55 +0200
Subject: [PATCH 1/3] Management framework: add TLS options for controller's websocket server

---
 .../policy/frameworks/management/controller/config.zeek | 8 ++++++++
 scripts/policy/frameworks/management/controller/main.zeek | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/policy/frameworks/management/controller/config.zeek b/scripts/policy/frameworks/management/controller/config.zeek
index 9fe10edaa6..0f202ccc78 100644
--- a/scripts/policy/frameworks/management/controller/config.zeek
+++ b/scripts/policy/frameworks/management/controller/config.zeek
@@ -61,6 +61,14 @@ export {
 	## for websocket clients.
 	const default_port_websocket = 2149/tcp &redef;
 
+	## TLS options for the controller's WebSocket server. The default is
+	## to operate unencrypted. To replicate Broker's default encryption
+	## without endpoint validation, set the
+	## :zeek:field:`Cluster::WebSocketTLSOptions$ca_file` field to
+	## "NONE" and :zeek:field:`Cluster::WebSocketTLSOptions$ciphers` to
+	## "AECDH-AES256-SHA@SECLEVEL=0:AECDH-AES256-SHA:P-384".
+	const tls_options_websocket = Cluster::WebSocketTLSOptions() &redef;
+
 	## Whether the controller should auto-assign Broker listening ports to
 	## cluster nodes that need them and don't have them explicitly specified
 	## in cluster configurations.
diff --git a/scripts/policy/frameworks/management/controller/main.zeek b/scripts/policy/frameworks/management/controller/main.zeek
index 19135149bf..48a6871e8d 100644
--- a/scripts/policy/frameworks/management/controller/main.zeek
+++ b/scripts/policy/frameworks/management/controller/main.zeek
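Review bot: The doc comment on `tls_options_websocket` presents the anonymous-cipher setting as a way to "replicate Broker's default encryption" but does not say what that actually buys: AECDH suites are unauthenticated, so the resulting channel resists only passive eavesdropping and any on-path attacker can terminate and re-originate it, and as I read OpenSSL cipher strings `@SECLEVEL=0` lowers the security level for every suite in the list, not just the anonymous ones. Since the default here is plaintext and this is the cluster's management channel, that trade-off should be spelled out so an operator does not copy the example as a production setting. Suggested addition after the cipher string: `## Note that this setting provides no peer authentication and is open to active interception; for a deployment that needs more than hiding traffic from passive observers, configure a certificate, key and CA on the record instead.` (the record's certificate/key fields are not shown in this hunk, so confirm their names). The surrounding `export { … }` block starts before the hunk.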
@@ -1646,7 +1646,8 @@ event zeek_init()
 	if ( cni$bound_port != 0/unknown )
 		{
 		local ws_opts = Cluster::WebSocketServerOptions($listen_addr=to_addr(cni$address),
-		                                                $listen_port=cni$bound_port);
+		                                                $listen_port=cni$bound_port,
+		                                                $tls_options=Management::Controller::tls_options_websocket);
 		Cluster::listen_websocket(ws_opts);
 		websocket_info = fmt("websocket port %s:%s", cni$address, cni$bound_port);
 		}

From 779f7064ad4e0694be9568e56e1e4d107daf5e1b Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Mon, 18 Aug 2025 23:06:19 -0700
Subject: [PATCH 2/3] Bump zeek-client to pull in TLS config updates

---
 auxil/zeek-client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index 4440c7a05b..62e91d3abc 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit 4440c7a05ba4be229ac88d70e8f4eef2465afc50
+Subproject commit 62e91d3abc726c3c17be4d70bb222b29b7bb6476

From 236d3a1cedcb53fbdff6f88f264540cb642e02ae Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Mon, 18 Aug 2025 23:07:18 -0700
Subject: [PATCH 3/3] Bump zeek-testing-cluster to pull in WebSocket TLS updates

---
 testing/external/commit-hash.zeek-testing-cluster | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index 254da80396..1d70a56cca 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-fc635b99a867a925dc23641e5bd37c93306bc981
+318f1209d92ca1c5e50c8d39af55e004e506a776
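Review bot: `websocket_info` is still built as `fmt("websocket port %s:%s", cni$address, cni$bound_port)` after this change, so the controller's startup output gives no indication of whether the listener came up plaintext or with TLS, even though the options record passed on the new `$tls_options=` line decides that and the documented default in config.zeek is unencrypted. An operator should be able to confirm the mode from the log rather than a packet capture; I would extend the message, e.g. `websocket_info = fmt("websocket port %s:%s (tls %s)", cni$address, cni$bound_port, tls_enabled);` with `tls_enabled` derived from `ws_opts$tls_options`. Which field of `Cluster::WebSocketTLSOptions` marks TLS as active is not visible in this hunk, so confirm it before choosing the predicate. The enclosing `event zeek_init()` begins before this hunk; only the nested `if` block is shown.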