Merge remote-tracking branch 'origin/master' into topic/bernhard/file-analysis-x509

Conflicts:
	src/analyzer/protocol/ssl/events.bif

Still broken.

scripts/base/protocols/ssl/README

@@ -0,0 +1 @@
+Support for Secure Sockets Layer (SSL) protocol analysis.

scripts/base/protocols/ssl/consts.bro

@@ -23,7 +23,7 @@ export {
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between numeric codes and human readable strings for alert 
-	## descriptions..
+	## descriptions.
 	const alert_descriptions: table[count] of string = {
 		[0] = "close_notify",
 		[10] = "unexpected_message",
@@ -78,6 +78,9 @@ export {
 		[13] = "signature_algorithms",
 		[14] = "use_srtp",
 		[15] = "heartbeat",
+		[16] = "application_layer_protocol_negotiation",
+		[17] = "status_request_v2",
+		[18] = "signed_certificate_timestamp",
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",
@@ -178,6 +181,21 @@ export {
 	const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
 	const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C;
 	const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D;
+	# draft-ietf-tls-openpgp-keys-06
+	const TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD = 0x0072;
+	const TLS_DHE_DSS_WITH_AES_128_CBC_RMD = 0x0073;
+	const TLS_DHE_DSS_WITH_AES_256_CBC_RMD = 0x0074;
+	const TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD = 0x0077;
+	const TLS_DHE_RSA_WITH_AES_128_CBC_RMD = 0x0078;
+	const TLS_DHE_RSA_WITH_AES_256_CBC_RMD = 0x0079;
+	const TLS_RSA_WITH_3DES_EDE_CBC_RMD = 0x007C;
+	const TLS_RSA_WITH_AES_128_CBC_RMD = 0x007D;
+	const TLS_RSA_WITH_AES_256_CBC_RMD = 0x007E;
+	# draft-chudov-cryptopro-cptls-04
+	const TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080;
+	const TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081;
+	const TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082;
+	const TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083;
 	const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
 	const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
 	const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
@@ -244,6 +262,7 @@ export {
 	const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
 	const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
 	const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+	# RFC 4492
 	const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
 	const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
 	const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003;
@@ -303,6 +322,126 @@ export {
 	const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039;
 	const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A;
 	const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B;
+	# RFC 6209
+	const TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C;
+	const TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D;
+	const TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E;
+	const TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F;
+	const TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040;
+	const TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041;
+	const TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042;
+	const TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043;
+	const TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044;
+	const TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045;
+	const TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046;
+	const TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047;
+	const TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048;
+	const TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049;
+	const TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A;
+	const TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B;
+	const TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C;
+	const TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D;
+	const TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E;
+	const TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F;
+	const TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050;
+	const TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051;
+	const TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052;
+	const TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053;
+	const TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054;
+	const TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055;
+	const TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056;
+	const TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057;
+	const TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058;
+	const TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059;
+	const TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A;
+	const TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B;
+	const TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C;
+	const TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D;
+	const TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E;
+	const TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F;
+	const TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060;
+	const TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061;
+	const TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062;
+	const TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063;
+	const TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064;
+	const TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065;
+	const TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066;
+	const TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067;
+	const TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068;
+	const TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069;
+	const TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A;
+	const TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B;
+	const TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C;
+	const TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D;
+	const TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E;
+	const TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F;
+	const TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070;
+	const TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071;
+	# RFC 6367
+	const TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072;
+	const TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073;
+	const TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074;
+	const TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075;
+	const TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076;
+	const TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077;
+	const TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078;
+	const TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079;
+	const TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A;
+	const TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B;
+	const TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C;
+	const TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D;
+	const TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E;
+	const TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F;
+	const TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080;
+	const TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081;
+	const TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082;
+	const TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083;
+	const TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084;
+	const TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085;
+	const TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086;
+	const TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087;
+	const TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088;
+	const TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089;
+	const TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A;
+	const TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B;
+	const TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C;
+	const TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D;
+	const TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E;
+	const TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F;
+	const TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090;
+	const TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091;
+	const TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092;
+	const TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093;
+	const TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094;
+	const TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095;
+	const TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096;
+	const TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097;
+	const TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098;
+	const TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099;
+	const TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A;
+	const TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B;
+	# RFC 6655
+	const TLS_RSA_WITH_AES_128_CCM = 0xC09C;
+	const TLS_RSA_WITH_AES_256_CCM = 0xC09D;
+	const TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E;
+	const TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F;
+	const TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0;
+	const TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1;
+	const TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2;
+	const TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3;
+	const TLS_PSK_WITH_AES_128_CCM = 0xC0A4;
+	const TLS_PSK_WITH_AES_256_CCM = 0xC0A5;
+	const TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6;
+	const TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7;
+	const TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8;
+	const TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9;
+	const TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA;
+	const TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB;
+	# draft-agl-tls-chacha20poly1305-02
+	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13;
+	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14;
+	const TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15;
+
 	const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
 	const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
 	const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
@@ -314,8 +453,8 @@ export {
 	const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
 	
 	## This is a table of all known cipher specs.  It can be used for 
-	## detecting unknown ciphers and for converting the cipher spec constants 
-	## into a human readable format.
+	## detecting unknown ciphers and for converting the cipher spec
+	## constants into a human readable format.
 	const cipher_desc: table[count] of string = {
 		[SSLv20_CK_RC4_128_EXPORT40_WITH_MD5] =
 			"SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
@@ -410,6 +549,19 @@ export {
 		[TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 		[TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
 		[TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD",
+		[TLS_DHE_DSS_WITH_AES_128_CBC_RMD] = "TLS_DHE_DSS_WITH_AES_128_CBC_RMD",
+		[TLS_DHE_DSS_WITH_AES_256_CBC_RMD] = "TLS_DHE_DSS_WITH_AES_256_CBC_RMD",
+		[TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD",
+		[TLS_DHE_RSA_WITH_AES_128_CBC_RMD] = "TLS_DHE_RSA_WITH_AES_128_CBC_RMD",
+		[TLS_DHE_RSA_WITH_AES_256_CBC_RMD] = "TLS_DHE_RSA_WITH_AES_256_CBC_RMD",
+		[TLS_RSA_WITH_3DES_EDE_CBC_RMD] = "TLS_RSA_WITH_3DES_EDE_CBC_RMD",
+		[TLS_RSA_WITH_AES_128_CBC_RMD] = "TLS_RSA_WITH_AES_128_CBC_RMD",
+		[TLS_RSA_WITH_AES_256_CBC_RMD] = "TLS_RSA_WITH_AES_256_CBC_RMD",
+		[TLS_GOSTR341094_WITH_28147_CNT_IMIT] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT",
+		[TLS_GOSTR341001_WITH_28147_CNT_IMIT] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
+		[TLS_GOSTR341094_WITH_NULL_GOSTR3411] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411",
+		[TLS_GOSTR341001_WITH_NULL_GOSTR3411] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411",
 		[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
 		[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
 		[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
@@ -535,10 +687,130 @@ export {
 		[TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
 		[TLS_ECDHE_PSK_WITH_NULL_SHA256] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
 		[TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+		[TLS_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384",
+		[TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
+		[TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
+		[TLS_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384",
+		[TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
+		[TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
+		[TLS_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
+		[TLS_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
+		[TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
+		[TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
+		[TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
+		[TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
+		[TLS_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
+		[TLS_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
+		[TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
+		[TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
+		[TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
+		[TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
+		[TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
+		[TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
+		[TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+		[TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+		[TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+		[TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+		[TLS_RSA_WITH_AES_128_CCM] = "TLS_RSA_WITH_AES_128_CCM",
+		[TLS_RSA_WITH_AES_256_CCM] = "TLS_RSA_WITH_AES_256_CCM",
+		[TLS_DHE_RSA_WITH_AES_128_CCM] = "TLS_DHE_RSA_WITH_AES_128_CCM",
+		[TLS_DHE_RSA_WITH_AES_256_CCM] = "TLS_DHE_RSA_WITH_AES_256_CCM",
+		[TLS_RSA_WITH_AES_128_CCM_8] = "TLS_RSA_WITH_AES_128_CCM_8",
+		[TLS_RSA_WITH_AES_256_CCM_8] = "TLS_RSA_WITH_AES_256_CCM_8",
+		[TLS_DHE_RSA_WITH_AES_128_CCM_8] = "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+		[TLS_DHE_RSA_WITH_AES_256_CCM_8] = "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+		[TLS_PSK_WITH_AES_128_CCM] = "TLS_PSK_WITH_AES_128_CCM",
+		[TLS_PSK_WITH_AES_256_CCM] = "TLS_PSK_WITH_AES_256_CCM",
+		[TLS_DHE_PSK_WITH_AES_128_CCM] = "TLS_DHE_PSK_WITH_AES_128_CCM",
+		[TLS_DHE_PSK_WITH_AES_256_CCM] = "TLS_DHE_PSK_WITH_AES_256_CCM",
+		[TLS_PSK_WITH_AES_128_CCM_8] = "TLS_PSK_WITH_AES_128_CCM_8",
+		[TLS_PSK_WITH_AES_256_CCM_8] = "TLS_PSK_WITH_AES_256_CCM_8",
+		[TLS_PSK_DHE_WITH_AES_128_CCM_8] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
+		[TLS_PSK_DHE_WITH_AES_256_CCM_8] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+		[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
+		[SSL_RSA_WITH_RC2_CBC_MD5] = "SSL_RSA_WITH_RC2_CBC_MD5",
+		[SSL_RSA_WITH_IDEA_CBC_MD5] = "SSL_RSA_WITH_IDEA_CBC_MD5",
+		[SSL_RSA_WITH_DES_CBC_MD5] = "SSL_RSA_WITH_DES_CBC_MD5",
+		[SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
+		[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between the constants and string values for SSL/TLS errors.

scripts/base/protocols/ssl/main.bro

@@ -26,7 +26,8 @@ export {
 		session_id:       string           &log &optional;
 		## Subject of the X.509 certificate offered by the server.
 		subject:          string           &log &optional;
-		## Subject of the signer of the X.509 certificate offered by the server.
+		## Subject of the signer of the X.509 certificate offered by the
+		## server.
 		issuer_subject:   string           &log &optional;
 		## NotValidBefore field value from the server certificate.
 		not_valid_before: time             &log &optional;
@@ -37,7 +38,8 @@ export {
 
 		## Subject of the X.509 certificate offered by the client.
 		client_subject:          string           &log &optional;
-		## Subject of the signer of the X.509 certificate offered by the client.
+		## Subject of the signer of the X.509 certificate offered by the
+		## client.
 		client_issuer_subject:   string           &log &optional;
 
 		## Full binary server certificate stored in DER format.
@@ -58,8 +60,8 @@ export {
 		analyzer_id:      count            &optional;
 	};
 
-	## The default root CA bundle.  By loading the
-	## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
+	## The default root CA bundle.  By default, the mozilla-ca-list.bro
+	## script sets this to Mozilla's root CA list.
 	const root_certs: table[string] of string = {} &redef;
 
 	## If true, detach the SSL analyzer from the connection to prevent
@@ -67,8 +69,8 @@ export {
 	## (especially with large file transfers).
 	const disable_analyzer_after_detection = T &redef;
 
-	## Delays an SSL record for a specific token: the record will not be logged
-	## as longs the token exists or until 15 seconds elapses.
+	## Delays an SSL record for a specific token: the record will not be
+	## logged as long as the token exists or until 15 seconds elapses.
 	global delay_log: function(info: Info, token: string);
 
 	## Undelays an SSL record for a previously inserted token, allowing the
@@ -151,7 +153,7 @@ function finish(c: connection)
 		disable_analyzer(c$id, c$ssl$analyzer_id);
 	}
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
 	{
 	set_session(c);
 
@@ -160,7 +162,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, session
 		c$ssl$session_id = bytestring_to_hexstr(session_id);
 	}
 
-event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
 	{
 	set_session(c);