a few more small fixes for chains containing broken certs.

2025-10-15 13:08:20 +00:00 · 2014-05-21 11:01:33 -07:00 · 2014-05-21 11:01:33 -07:00 · ff00c0786a
commit ff00c0786a
parent b16322aefb
4 changed files with 7 additions and 5 deletions
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@ -48,7 +48,7 @@ event bro_init() &priority=5

 event ssl_established(c: connection) &priority=3
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 || ! c$ssl$cert_chain[0]?$x509 )
 		return;

 	local fuid = c$ssl$cert_chain_fuids[0];
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@ -28,7 +28,7 @@ export {
 event ssl_established(c: connection) &priority=3
 	{
 	# If there aren't any certs we can't very well do certificate validation.
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || !c$ssl$cert_chain[0]?$x509 )
 		return;

 	local chain_id = join_string_vec(c$ssl$cert_chain_fuids, ".");