* origin/topic/johanna/ssl-resumption:
Update baseline of new SSL policy script for changes
update test baselines
Mark everything below 2048 bit as a weak key (Browsers will stop accepting 1024 bits soon, so we can be of that opinion too).
add information about server chosen protocol to ssl.log, if provided by alpn.
change SSL log to contain a boolean flag signaling if a session was resumed instead of the (usually not really that useful) session ID the client sent.
BIT-1279 #merged
This fixes the case that an SMTP session has multiple mails sent from
the originator but we miss the server's response (e.g., because we
don't see server side packets at all).
triggered for the tls change cipherspec message.
Also - fix small bug. In case SSL::disable_analyzer_after_detection was set
to F, the ssl_established event would fire after each data packet after the
session is established.
* origin/fastpath:
last ssl fixes - missed three more.
and more tiny ssl script fixes
a few more small fixes for chains containing broken certs.
fix expression errors in x509 policy scrips when unparseable data is in certificate chain.
Good stuff! (but I admit I didn't look at the OpenSSL code too closely :)
* origin/topic/bernhard/even-more-ssl-changes:
small test update & script fix
update baselines & add ocsp leak check
Add policy script adding ocsp validation to ssl.log
Implement verification of OCSP replies.
Add tls flag to smtp.log. Will be set if a connection switched to startls.
add starttls support for pop3
Add smtp starttls support
Replace errors when parsing x509 certs with weirds (as requested by Seth).
move tls content types from heartbleed to consts.bro. Seems better to put them there...
Add new features from other branch to the heartbleed-detector (and clean them up).
Let TLS analyzer fail better when no longer in sync with the data stream. The version field in each record-layer packet is now re-checked.
BIT-1190 #merged
Conflicts:
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
* origin/topic/vladg/radius:
Radius functionality and memleak test.
Update test baselines.
Move seq to uint64 to match recent changes in seq processing.
BIT-1129 #merged
BIT-1189 #merged
* origin/topic/bernhard/ec-curve:
fix broxygen errors
Polish changes for ecdhe/dhe
Add DH support to SSL analyzer.
Add a few more ciphers Bro did not know at all so far.
Forgot a few ciphers in the EC list...
Log chosen curve when using ec cipher suite in TLS.
* origin/topic/bernhard/ssl-analyzer:
Fix a few failing tests
Add very basic ocsp stapling support.
Add documentation, consts and tests for the new events.
Support parsing of several TLS extensions.
Make SSL/TLS version detection less brittle.
Nicer notices for heartbleed.
rip out state handline from ssl analyzer.
enable detection of encrypted heartbleeds.
also extract payload data in ssl_heartbeat
add to local.bro, add disclaimer
make tls heartbeat messages a bit better.
fix tabs.
polish script and probably detect encrypted attacks too.
detect and alert on simple case of heartbleed
default to TLS when not being able to determine version
add is_orig to heartbeat event
Throw new event for heartbeat messages.
BIT-1178 #merged
* origin/topic/jsiwek/faf-perf:
Adapt HTTP partial content to cache file analysis IDs.
Adapt SSL analyzer to generate file analysis handles itself.
Adapt more of HTTP analyzer to use cached file analysis IDs.
Adapt IRC/FTP analyzers to cache file analysis IDs.
Refactor regex/signature AcceptingSet data structure and usages.
Enforce data size limit when checking files for MIME matches.
Refactor file analysis file ID lookup.
The "dns_TXT_reply" event now uses a "vector of strings" as the final
parameter instead of just a "string" in order to support DNS TXT
resource records that contain multiple character-strings.
The format in which the TXT answers are logged by default is now changed
to be a list of strings of the form `fmt("TXT %d %s", |str|, str)`, one
for each character-string in the RR and delimited by a space (' ')
character.
This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.
(The heartbeat branch should not have been affected)
At the moment, we have support for:
elliptic_curves: client supported elliptic curves
ec_point_formats: list of client supported EC point formats
application_layer_protocol_negotiation: list of supported application layer protocols (used for spdy/http2 negotiation)
server_name: server name sent by client. This was supported before, but... a bit brittle.
