This allows the path for the default filter to be specified explicitly
when creating a stream and reduces the need to rely on the default path
function to magically supply the path.
The default path function is now only used if, when a filter is added to
a stream, it has neither a path nor a path function already.
Adapted the existing Log::create_stream calls to explicitly specify a
path value.
Addresses BIT-1324
* origin/topic/johanna/cert-validation:
and still use the hash for notice suppression.
add knob to revert to old validation behavior
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates.
BIT-1332 #merged
intermediate chains that it encounters on the wire and use those to try
to validate chains that might be missing intermediate certificates.
This vastly improves the number of certificates that Bro can validate.
The only drawback is that now validation behavior is not entirely
predictable anymore - the certificate of a server can fail to validate
when Bro just started up (due to the intermediate missing), and succeed
later, when the intermediate can be found in the cache.
Has been tested on big-ish clusters and should not introduce any
performance problems.
* origin/topic/johanna/ssl-policy:
Extend the weak-keys policy file to also alert when encountering ssl connections with old versions as well as unsafe cipher suites.
BIT-1321 #merged
ssl connections with old versions as well as unsafe cipher suites.
Also make the notice suppression handling of other ssl policy files
a tad more robust.
Fixing one missing index adjustment (I believe ...)
BIT-757 #merged
* origin/topic/jsiwek/deprecation:
Fix typo.
Update documentation (broken links, outdated tests).
Update NEWS for deprecated/changed functions.
Deprecate split* family of BIFs.
Improve use of &deprecated on functions.
Add a new attribute: &deprecated.
These functions are now deprecated in favor of alternative versions that
return a vector of strings rather than a table of strings.
Deprecated functions:
- split: use split_string instead.
- split1: use split_string1 instead.
- split_all: use split_string_all instead.
- split_n: use split_string_n instead.
- cat_string_array: see join_string_vec instead.
- cat_string_array_n: see join_string_vec instead.
- join_string_array: see join_string_vec instead.
- sort_string_array: use sort instead instead.
- find_ip_addresses: use extract_ip_addresses instead.
Changed functions:
- has_valid_octets: uses a string_vec parameter instead of string_array.
Addresses BIT-924, BIT-757.
* origin/fastpath:
last ssl fixes - missed three more.
and more tiny ssl script fixes
a few more small fixes for chains containing broken certs.
fix expression errors in x509 policy scrips when unparseable data is in certificate chain.
Good stuff! (but I admit I didn't look at the OpenSSL code too closely :)
* origin/topic/bernhard/even-more-ssl-changes:
small test update & script fix
update baselines & add ocsp leak check
Add policy script adding ocsp validation to ssl.log
Implement verification of OCSP replies.
Add tls flag to smtp.log. Will be set if a connection switched to startls.
add starttls support for pop3
Add smtp starttls support
Replace errors when parsing x509 certs with weirds (as requested by Seth).
move tls content types from heartbleed to consts.bro. Seems better to put them there...
Add new features from other branch to the heartbleed-detector (and clean them up).
Let TLS analyzer fail better when no longer in sync with the data stream. The version field in each record-layer packet is now re-checked.
BIT-1190 #merged
Conflicts:
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
BIT-1189 #merged
* origin/topic/bernhard/ec-curve:
fix broxygen errors
Polish changes for ecdhe/dhe
Add DH support to SSL analyzer.
Add a few more ciphers Bro did not know at all so far.
Forgot a few ciphers in the EC list...
Log chosen curve when using ec cipher suite in TLS.
* origin/fastpath:
Correct a notice for heartbleed. The notice is thrown correctly, just the message conteined wrong values.
Improve/standardize some malloc/realloc return val checks.
Improve file analysis manager shutdown/cleanup.
* origin/topic/bernhard/ssl-analyzer:
Fix a few failing tests
Add very basic ocsp stapling support.
Add documentation, consts and tests for the new events.
Support parsing of several TLS extensions.
Make SSL/TLS version detection less brittle.
Nicer notices for heartbleed.
rip out state handline from ssl analyzer.
enable detection of encrypted heartbleeds.
also extract payload data in ssl_heartbeat
add to local.bro, add disclaimer
make tls heartbeat messages a bit better.
fix tabs.
polish script and probably detect encrypted attacks too.
detect and alert on simple case of heartbleed
default to TLS when not being able to determine version
add is_orig to heartbeat event
Throw new event for heartbeat messages.
BIT-1178 #merged
This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.
(The heartbeat branch should not have been affected)
