From fb56b22cffdf8603404da367fac097b71b3bf36f Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Sat, 26 Apr 2014 23:48:47 -0700
Subject: [PATCH] Add DH support to SSL analyzer. When using DHE or DH-Anon, sever key parameters are now available in scriptland. Also add script to alert on weak certificate keys or weak dh-params.
---
 scripts/policy/protocols/ssl/weak-keys.bro | 90 +++++++++++++
 scripts/test-all-policy.bro | 1 +
 src/analyzer/protocol/ssl/events.bif | 19 ++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 17 +++
 src/analyzer/protocol/ssl/ssl-protocol.pac | 121 +++++++++++++++++-
 .../scripts.base.protocols.ssl.dhe/.stdout | 1 +
 .../scripts.base.protocols.ssl.dhe/ssl.log | 10 ++
 .../ssl.log | 8 +-
 .../notice-1.log | 12 ++
 testing/btest/Traces/tls/dhe.pcap | Bin 0 -> 6929 bytes
 .../btest/scripts/base/protocols/ssl/dhe.test | 8 ++
 .../policy/protocols/ssl/weak-keys.bro | 8 ++
 12 files changed, 288 insertions(+), 7 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/weak-keys.bro
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
 create mode 100644 testing/btest/Traces/tls/dhe.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/dhe.test
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
new file mode 100644
index 0000000000..27cfb31554
--- /dev/null
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -0,0 +1,90 @@
+##! Generate notices when SSL/TLS connections use certificates or DH parameters
+##! that have potentially unsafe key lengths.
+
+@load base/protocols/ssl
+@load base/frameworks/notice
+@load base/utils/directions-and-hosts
+
+module SSL;
+
+export {
+ redef enum Notice::Type += {
+ ## Indicates that a server is using a potentially unsafe key.
+ SSL_Weak_Key,
+ };
+
+ ## The category of hosts you would like to be notified about which have
+ ## certificates that are going to be expiring soon. By default, these
+ ## notices will be suppressed by the notice framework for 1 day after
+ ## a particular certificate has had a notice generated.
+ ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+ const notify_weak_keys = LOCAL_HOSTS &redef;
+
+ ## The minimal key length in bits that is considered to be safe. Any
+ ## shorter (non-EC) key lengths will trigger the notice.
+ const notify_minimal_key_length = 1024 &redef;
+
+ ## Warn if the DH key length is smaller than the certificate key length.
+ ## This is potentially unsafe, because it gives a wrong impression of safety
+ ## due to the certificate key length.
+ ## However, it is very common and cannot be avoided in some settings (e.g. with
+ ## old jave clients).
+ const notify_dh_length_shorter_cert_length = T &redef;
+}
+
+## We check key lengths only for DSA or RSA certificates. For others, we do
+## not know what is safe (e.g. EC is safe even with very short key lengths).
+
+event ssl_established(c: connection) &priority=3
+ {
+ # If there are no certificates or we are not interested in the server, just return.
+ if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+ ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+ return;
+
+ local fuid = c$ssl$cert_chain_fuids[0];
+ local cert = c$ssl$cert_chain[0]$x509$certificate;
+ if ( !cert?$key_type || !cert?$key_length )
+ return;
+ if ( cert$key_type != "dsa" && cert$key_type != "rsa" )
+ return;
+
+ local key_length = cert$key_length;
+
+ if ( key_length < notify_minimal_key_length )
+ NOTICE([$note=SSL_Weak_Key,
+ $msg=fmt("Host uses weak certificate with %d bit key", key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+ ]);
+ }
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
+ {
+ if ( ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+ return;
+
+ local key_length = |Ys|*8; # key length in bits
+ if ( key_length < notify_minimal_key_length )
+ NOTICE([$note=SSL_Weak_Key,
+ $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+ ]);
+
+ if ( notify_dh_length_shorter_cert_length &&
+ c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
+ c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
+ ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+ c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+ {
+ if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
+ c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
+ NOTICE([$note=SSL_Weak_Key,
+ $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+ key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+ $conn=c, $suppress_for=1day,
+ $identifier=cat(c$id$orig_h, c$id$orig_p)
+ ]);
+ }
+ }
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 5c6ed286fb..43dc6b9dce 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
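Review bot: In the `ssl_dh_server_params` handler of weak-keys.bro the DH strength is taken from `|Ys|*8`, but Ys is the server's public value rather than the group modulus, and its encoding can be shorter than the prime, so the reported size can be wrong and both DH notices can fire on a group that is actually large enough. Measuring the prime instead, `local key_length = |p|*8; # size of the DH prime in bits`, ties the check to the parameter that bounds the strength of the exchange. All three notices build `$identifier` from `c$id$orig_h, c$id$orig_p` although the notice is about the responder, so the one-day suppression is keyed on the client address and its ephemeral port and will rarely match again; `$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)` would suppress per server. With the `<` comparison and the default `notify_minimal_key_length = 1024`, 1024-bit keys and groups are never reported, which the option's comment should state. The doc comment on `notify_weak_keys` still describes expiring certificates and should be reworded for weak keys.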
@@ -90,6 +90,7 @@ @load protocols/ssl/log-hostcerts-only.bro #@load protocols/ssl/notary.bro @load protocols/ssl/validate-certs.bro +@load protocols/ssl/weak-keys.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro @load tuning/defaults/extracted_file_limits.bro diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 54bb0715d2..46747ecb58 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -59,6 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_session_ticket_handshake x509_certificate ssl_server_curve +## ssl_dh_server_params event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS @@ -117,7 +118,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_server_name ssl_server_curve event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); -## Generated a named curve is chosen by the server for the SSL/TLS connection. The +## Generated if a named curve is chosen by the server for the SSL/TLS connection. The ## curve is sent by the server in the ServerKeyExchange message as defined in ## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen. ## 
@@ -131,6 +132,22 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_extension_server_name event ssl_server_curve%(c: connection, curve: count%); +## Generated if a server uses a DH-anon or DHE cipher suite. This event contains +## the server DH parameters, which are sent in the ServerKeyExchange message as +## defined in :rfc:`5246`. +## +## c: The connection. +## +## p: The DH prime modulus. +## +## q: The DH generator. +## +## Ys: The server's DH public key. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve +event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); + ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in ## the initial handshake. It contains the list of client supported application diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index 071edf2eac..ef1d862b87 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac @@ -409,6 +409,19 @@ refine connection SSL_Conn += { return true; %} + + function proc_dh_server_key_exchange(rec: SSLRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool + %{ + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); + + return true; + %} + }; refine typeattr Alert += &let { 
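Review bot: The second string parameter of `ssl_dh_server_params` is named `q` but documented as "The DH generator"; the parser fields added in this same commit are `dh_p`, `dh_g` and `dh_Ys`, and q conventionally denotes the subgroup order, so a script author reading the signature may take the value for something it is not. Renaming it before the event becomes part of the script API avoids that: `event ssl_dh_server_params%(c: connection, p: string, g: string, Ys: string%);` with `## g: The DH generator.`. The doc comment could also say that the three values are the raw byte strings taken from the ServerKeyExchange message, since handlers derive bit lengths from them.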
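Review bot: `proc_dh_server_key_exchange` copies p, g and Ys into three new `StringVal` objects and raises the event for every matching ServerKeyExchange without first checking that `ssl_dh_server_params` has a handler. Each field carries a 16-bit length prefix, so this is up to three copies of peer-supplied data of up to 65535 bytes each, made even when no script consumes them. If the generated `BifEvent` call does not already short-circuit (not visible in this hunk), a guard at the top of the body such as `if ( ! ssl_dh_server_params ) return true;` avoids the allocation. The `rec` argument is unused, and the function sits inside `refine connection SSL_Conn`, which opens and closes outside the hunk.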
@@ -501,3 +514,7 @@ refine typeattr CertificateStatus += &let { refine typeattr EcServerKeyExchange += &let { proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve); }; + +refine typeattr DhServerKeyExchange += &let { + proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +}; diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index e19fdb6aac..840aca4b84 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -356,8 +356,9 @@ type CertificateStatus(rec: SSLRecord) = record { # Usually, the server key exchange does not contain any information # that we are interested in. # -# The one exception is when we are using an elliptic curve cipher suite. -# In this case, we can extract the final chosen cipher from here. +# The exception is when we are using an ECDHE, DHE or DH-Anon suite. +# In this case, we can extract information about the chosen cipher from +# here. type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of { TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 
@@ -453,6 +454,109 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher( TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -> ec_server_key_exchange : EcServerKeyExchange(rec); + # DHE suites + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_DSS_WITH_AES_128_CBC_RMD, + TLS_DHE_DSS_WITH_AES_256_CBC_RMD, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_RSA_WITH_AES_128_CBC_RMD, + TLS_DHE_RSA_WITH_AES_256_CBC_RMD, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_NULL_SHA256, + TLS_DHE_PSK_WITH_NULL_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + 
TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_AES_128_CCM, + TLS_DHE_RSA_WITH_AES_256_CCM, + TLS_DHE_RSA_WITH_AES_128_CCM_8, + TLS_DHE_RSA_WITH_AES_256_CCM_8, + TLS_DHE_PSK_WITH_AES_128_CCM, + TLS_DHE_PSK_WITH_AES_256_CCM, + TLS_PSK_DHE_WITH_AES_128_CCM_8, + TLS_PSK_DHE_WITH_AES_256_CCM_8, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + # DH-anon suites + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA, + TLS_DH_ANON_WITH_SEED_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384, + TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, + 
TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 + # DH non-anon suites do not send a ServerKeyExchange + -> dh_server_key_exchange : DhServerKeyExchange(rec); + default -> key : bytestring &restofdata &transient; }; @@ -466,6 +570,19 @@ type EcServerKeyExchange(rec: SSLRecord) = record { data: bytestring &restofdata &transient; }; +# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams +# structure. After that, they start to differ, but we do not care about that. +type DhServerKeyExchange(rec: SSLRecord) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + data: bytestring &restofdata &transient; +}; + + ###################################################################### # V3 Certificate Request (7.4.4.) ###################################################################### diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout new file mode 100644 index 0000000000..c2cc676ec1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout @@ -0,0 +1 @@ +key length in bits, 1024 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log new file mode 100644 index 0000000000..652f3b3df7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log 
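Review bot: The `TLS_DHE_PSK_*` and `TLS_PSK_DHE_*` suites in this case arm are parsed as `DhServerKeyExchange` like the DHE and DH-anon ones, but for DHE_PSK the ServerKeyExchange starts with a length-prefixed `psk_identity_hint` before the ServerDHParams (RFC 4279, section 3). With the record added in the next hunk the hint would be read as `dh_p` and the real prime and generator as `dh_g` and `dh_Ys`, so `ssl_dh_server_params` would deliver shifted values and the weak-keys script would size the key from the wrong field. Either leave the PSK suites in the `default` arm until they have their own record (a `uint16` hint length and hint bytestring followed by the DH parameters), or add that record and a separate arm for them. The comment above `DhServerKeyExchange` ("For both, dh_anon and dhe ...") should name the suites the record is actually valid for; the `ServerKeyExchange` case type itself begins outside this hunk.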
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2014-04-27-00-52-03 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string +1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - +#close 2014-04-27-00-52-03 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log index da805fd35d..b09bd04350 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path ssl -#open 2014-04-26-16-45-23 +#open 2014-04-27-06-48-05 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string -1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - -1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - -#close 2014-04-26-16-45-23 +1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - +1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - +#close 2014-04-27-06-48-05 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log new file mode 100644 index 0000000000..a8784bd8c8 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path notice +#open 2014-04-27-06-41-50 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double +1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2014-04-27-06-41-50 
diff --git a/testing/btest/Traces/tls/dhe.pcap b/testing/btest/Traces/tls/dhe.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d5e034ef849d9b23bd713a69d6bcb69600ac3560 GIT binary patch literal 6929 zcmd5=dpML^`+nb7ZS7*hwXdB9#cGq9n14Z@t8q?Aq7wy1qYtu4`Rpy|dQ6?sc!{xu18|gW5A07zhVV z{f&=95DYq14xZ!(Z5U_`_>4B6&E-M|d472Ta&%Dv$P$9g6G`TfIi9F{B~Nm3W*a7F z&=S5FuBCYcMJmILk4FF`434h?#$s_WEHFngHAVsb4u_dU4{gUmwxEx;N!-ab06GCO z0SiEj@J;3@GP(kManKUepTP%KxS1|#6h9y_iH^ev%)!5|W~1m}B`nI@>nRRe2~g2C zi?^Pe9?E-*-VeNQ0(3lAoSJpGfXE(L?50+3l1jwBu1D>bgUXE^ZbKvQeEoNvxuv=1(W#D_)^H#fv=Fdl=)^1*x#t@n>L}t0X+1Y51ME{BJw>^Jd7fq7Wo-sW#Kep zGKwgJ#X`$KG#Fs9WKV~3PlMlgAD@>cpq%DLeXr=FZi3tBW+Zy*aCIG74FW1aqT?_c zo2U%v7QuAkC?QCg2MI?&_!S5bzZ~K5X{JxefE5e7jfmg{b)u}JhDBglhz~*{_mhMW zK|FRH4ljkVu_wtO(r9Onln9waVR0-10|@pUA0kN?`3-$8B&9~CQG;1D!YaBiokL*| zENCnaeKVa(;m`x&mnyILXP`{eB9m3lWfIfkeWH=oggP1CyWe^Pw0K5gi(;nB3yP4CG;iu;%68?<%y_?jy@NnEB&B>FI1b>ACx1!pZutRFaPSr2wJvl0i~o_;YqfSk7WjO3=br%|QO-S78W z^~tY=C0->Tb@~|wq$PZchv`Ikm}e7lq9ldGAP^!1bXO9?;XsPzAyQ~Z6DN$!!3*f( zVLm>7EQ~0j4@Ge@IOz`^A=`@cBfJ-wzOd?$fO#^TSgwc)`n5Vv4w2zX_pQ`xI8s)4 z^5Z;zf#G@|V!!AD%ZYeXlEA4U1m3LE(m3Zl>lBn*KQNZ|O<2vbSoN@37_C>#`!Mf)R|&Y}g-m>f1CaP!2l|E|4)Fv)TO z7{{Pfm{b}ekjV%mYz|~ijHH7sWBP!lf`VB=fovLq&Ln`n1x<~e!~=7~P!>U8_hE!U zZwB3WVsSPR(MNSv!4Z)Kh)(+abgd|jZ*oytjG1y#SscFw}i9{ev zryd}1)WUBVfmC+TOb~Xk_aZ9l6r@G$2~Su=r64P(r(&WEzD=djDKlrH60;Y9`NYZj z#L4+YDg_YYAnNEoByoy}LX_Ok4*Yu~0M-bM0ERq#+oX@UoJt~JAa0(QuQE<8$fqt7 z7jXARonQ9QFP%Se!uf?~I)6^dR4u8#IMey%86I1SX03Y|XOVnO%VOw}TZRQIOWomp zm3#e$Hm{uM5C=6@+}yHV3(~!e@7`{@td=hqC4ax0F%l#HxmsA$)6Hx@f1+{Qv5=y> zt}nVQfo%7 zF~|7N`D64Gamv5B^gzd*cf6&U@yvW5>ysQhjb8a}5+3lF-)<9gd7eNHWBV3Axh`2H zkD+)7Zv?869>T*ZPF5vY?t9_+Kuy~Doyq^NO44tLHV6SwlKwq&K@9@s23f4P7}3`w z8KO1l`|kg@lKF2XtTN_CQNN(`R{o*{YQx7>a&o)5t}2I0I-*AxJ5@AU;Rm|;y@Eu= zhn23}6*th^<1Us^wChHZo3q&kquwt)xf(Cba|A-JBrs3t1UQ&6DTFy~8=f}qq?Vhm z9vf9%E7x)d$$87qG!BZc7#Zz*$1~vzOc>63G6zvU%pT*fYw_Y9S95bN!MDantJBN6 
zbRNCl)mT0FM_Z8le6dn@qaaI3GsNMJajEP}vD@kS8?6gYQ=D$=-7)d373vkgvOjeI zi}fBm!!TuuzEiZ&xn(W7e(5!m>R;kl7etS_Bsr@%n~)?^BYLi+XK#4;;-Klk!@Q1` zAX5Id@_VHL1KnjM(aeN3C{6j?12V&?0P|INacV+7ztJ3#n zYmHF9LYBElwk$mwsnhebXjoD50ogp|R>1k(5jPNa-%27dzIi`2K45bTrw3x9RDb4C z?9J?Nj^=^#R>8R-&WLupX1e;n&td#9aF&Hnfdl{MqUZ!%7!ryEe_uagWb^;Idg@JW z3{>0sKie2usixisCu;6@@2S8Ousra(uPSI`n!T6#TqxGMmE>@6*mZqoN0ayZS7%)Z z_gDrSzjRW;#dfE=oAy8@dm8>8Ct!VU7h^hZ9AbSw<XQ`HNg9oL`P#684(u{EFMZI7mAdg|D;P zx&33dh>dbm@37?6`tgt)O{<2%VExM}=iFra3Ou(4z9A!}uW=6b`IyduN}S{;oqWIRj)3G!Qn?J5U4@}ha|1|GWewlqZx$mI$v$`c` ztw#-P705YDgd1Y+*v!2XLo$iK!fK(}IqUCREwSqS@&of}Ii_JJJOx($R$QhpK~!B+ z)z~9$x^efe^4glN#v5M+?Kpz%@5`IyO}QeOLh=JfJ=beWU#PcHUL5yi5@KwK>RZlu zU$v|_SsI)BUd{OP&KL0w+vNYYweM`)>1DeM`&PSI{e*v9#fHqs{S4l3?ZNUUX7=K7 z{TG9^8%uWO=H2zk1wWTCV!{wc2;yG6w6N~cYEJwPi!VdmSNGZ;yPX>Ht5|3!@a{pM zSh%%ixtedfy@TqHIq5&Td$<2Yy0$H~P}yzttIghqPaCCu*SGR34Orgm@K1$c z48$$nWdD@0?OL&!_sBC|_o=NJe~Hz9*m9{_N)o#?XnR2i>xz*=b&tvN-*-p{`BxP> z2(~Z1o~)clk*OhNJQo{;_ypt%^O1W*By7FfEhM3fpz{8@xN{0n%)5H6i zrP2~vw-of%yYjN?ht!|x20aYOmNkvivM7#OmGs^=u{u}6^KEPNL&8gq5n1`2Z@j%m zC3oF-?L4`#z-FcG%EHX&4PB z4VS%3lB1SCkgqhftf&2Xi|@*ojVpHzjW5Y~n6#UMIh;`zm!GrO{(!IVI=>gS>&qL= z_3?>+oxW*r*TD>VJyzAWod{v)Cs0V?U6MifOkqT7!Whaeurb@9x2nV)iCg@XF< zU1O)lLuuz)7k;%*x!+D`OVV%F5c0EHTejEof!$VqCqqRqwWHX38&v)8UDn*#88ngy z%SNQPOW+k?_MM2X7W2+r`|F8$HETt%*h5-I(MZirlk_&P*2YYX@`-fKs(>pOqD!*9 z6IN&46Fb5Ryp#Xe@m0H|0hNg>4aoc~lQJ&7bp05$t0C;cn^^n~V&>Ar$=!NU0Y{A9 z_>EQ*@3!Q3MYqo9zgLbF-KctVx;b0E`Qi~iuYu_F8-9NTpvo6p2|y-5BeeZ!+AvWu z88z**RWnVy^liA7Hq4ddKa#g=+O*5Td5WSs6@WWJaQy`@fYR%wa0}P%>tc@lJ$kgL zxn-olgJCG(VKTNtL1l}a|D8ddokYEwHe01^tD)m9=ld>gUpcf~wb-L2?cuW41@eT9 z3a9q;cd>Ors`p4oE**!9r7e>WBkJn2M&kFroSn@6&4g4V)*D? 
zlz@z(k!+Kl$hgg5mVnjbO(`WB43VSbbHXj0qGP2sKA*WGzqgyT^t@92H7Uk-T5c1u zaP76W&g0vhSYXwJQP)j26C8=?unTo&y|+Dkkrxt;Xv~!*&x|>37}HOUXK)&c4N^AFXVdxT| zgtl3Kod#-;BL6VrxO01TkN9o7a7WxkC{K5M z?0k`~!TvO1Z~TM7ZVHoag|9YYkW$gTkV8eG^&t4sHY)*a6jLS=AZ=y>l=XlF*p4Q^ zc+=!w@UO4p6;o5z02;73S!z%?o?y5-Pdl5N+P4ZT=()^t&m2p9MjF(p!N&sE6_DlZ*qsYKIvbs8BJ(PiWA863 zB3c_syfyZDrfVv6;V+#UnG~%TQE~9aXzu*pc!MyJW>TQ5*#UH2c1_k8l&<#p9u zdZzwvlt-uNe0bEj1T*-RI{>+uConAOgaCLh#={GYiA-(NcDNU1uP$Q zGODo-Ql&ikP2uHvpEvF6-S|{4aF&qd2doPBH=M^AIadWa&fV2^AXOFJSOTE&bE)hm zXoS4`fkqjoA8bs507+`jq;Ux#-o6X2@WJ_`ZB`7-=g&i9;C9i>7&x;S42GOQO^Ndc eh67MU8h(kAKY>#CZz%nZzeFjRKq>eY%6|Z?SPkO< literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/dhe.test b/testing/btest/scripts/base/protocols/ssl/dhe.test new file mode 100644 index 0000000000..f41cb70fab --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/dhe.test @@ -0,0 +1,8 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff ssl.log + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) + { + print "key length in bits", |Ys|*8; + } diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro new file mode 100644 index 0000000000..ba07b6e647 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro @@ -0,0 +1,8 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: mv notice.log notice-1.log +# @TEST-EXEC: btest-diff notice-1.log + +@load protocols/ssl/weak-keys + +redef SSL::notify_weak_keys = ALL_HOSTS; +redef SSL::notify_minimal_key_length = 4096;
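Review bot: The handler in dhe.test prints only `|Ys|*8`, so the baseline would stay the same if the parser swapped or mis-sized the prime or generator fields. Printing all three lengths, for example `print "p, g, Ys length in bits", |p|*8, |q|*8, |Ys|*8;`, pins the field order of the new record against the trace (the `.stdout` baseline would need regenerating). Both new tests replay the single DHE-RSA trace, so the DH-anon and DHE-PSK arms added to the parser are not exercised; a comment in the test saying so would make the gap visible.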