mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
ded98cd373
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
109 lines
5 KiB
ReStructuredText
109 lines
5 KiB
ReStructuredText
:tocdepth: 3
|
|
|
|
policy/protocols/ssl/weak-keys.zeek
|
|
===================================
|
|
.. zeek:namespace:: SSL
|
|
|
|
Generate notices when SSL/TLS connections use certificates, DH parameters,
|
|
or cipher suites that are deemed to be insecure.
|
|
|
|
:Namespace: SSL
|
|
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
|
|
|
|
Summary
|
|
~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
=========================================================================================== ==============================================================================
|
|
:zeek:id:`SSL::notify_dh_length_shorter_cert_length`: :zeek:type:`bool` :zeek:attr:`&redef` Warn if the DH key length is smaller than the certificate key length.
|
|
:zeek:id:`SSL::notify_minimal_key_length`: :zeek:type:`count` :zeek:attr:`&redef` The minimal key length in bits that is considered to be safe.
|
|
:zeek:id:`SSL::notify_weak_keys`: :zeek:type:`Host` :zeek:attr:`&redef` The category of hosts you would like to be notified about which are using weak
|
|
keys/ciphers/protocol_versions.
|
|
:zeek:id:`SSL::tls_minimum_version`: :zeek:type:`count` :zeek:attr:`&redef` Warn if a server negotiates a SSL session with a protocol version smaller than
|
|
the specified version.
|
|
:zeek:id:`SSL::unsafe_ciphers_regex`: :zeek:type:`pattern` :zeek:attr:`&redef` Warn if a server negotiates an unsafe cipher suite.
|
|
=========================================================================================== ==============================================================================
|
|
|
|
Redefinitions
|
|
#############
|
|
============================================ ===============================================================
|
|
:zeek:type:`Notice::Type`: :zeek:type:`enum`
|
|
|
|
* :zeek:enum:`SSL::Old_Version`:
|
|
Indicates that a server is using a potentially unsafe version
|
|
|
|
* :zeek:enum:`SSL::Weak_Cipher`:
|
|
Indicates that a server is using a potentially unsafe cipher
|
|
|
|
* :zeek:enum:`SSL::Weak_Key`:
|
|
Indicates that a server is using a potentially unsafe key.
|
|
============================================ ===============================================================
|
|
|
|
|
|
Detailed Interface
|
|
~~~~~~~~~~~~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
.. zeek:id:: SSL::notify_dh_length_shorter_cert_length
|
|
:source-code: policy/protocols/ssl/weak-keys.zeek 34 34
|
|
|
|
:Type: :zeek:type:`bool`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``T``
|
|
|
|
Warn if the DH key length is smaller than the certificate key length. This is
|
|
potentially unsafe because it gives a wrong impression of safety due to the
|
|
certificate key length. However, it is very common and cannot be avoided in some
|
|
settings (e.g. with old java clients).
|
|
|
|
.. zeek:id:: SSL::notify_minimal_key_length
|
|
:source-code: policy/protocols/ssl/weak-keys.zeek 28 28
|
|
|
|
:Type: :zeek:type:`count`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``2048``
|
|
|
|
The minimal key length in bits that is considered to be safe. Any shorter
|
|
(non-EC) key lengths will trigger a notice.
|
|
|
|
.. zeek:id:: SSL::notify_weak_keys
|
|
:source-code: policy/protocols/ssl/weak-keys.zeek 24 24
|
|
|
|
:Type: :zeek:type:`Host`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``LOCAL_HOSTS``
|
|
|
|
The category of hosts you would like to be notified about which are using weak
|
|
keys/ciphers/protocol_versions. By default, these notices will be suppressed
|
|
by the notice framework for 1 day after a particular host has had a notice
|
|
generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
|
|
|
|
.. zeek:id:: SSL::tls_minimum_version
|
|
:source-code: policy/protocols/ssl/weak-keys.zeek 41 41
|
|
|
|
:Type: :zeek:type:`count`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``769``
|
|
|
|
Warn if a server negotiates a SSL session with a protocol version smaller than
|
|
the specified version. By default, the minimal version is TLSv10 because SSLv2
|
|
and v3 have serious security issued.
|
|
See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00
|
|
To disable, set to SSLv20
|
|
|
|
.. zeek:id:: SSL::unsafe_ciphers_regex
|
|
:source-code: policy/protocols/ssl/weak-keys.zeek 45 45
|
|
|
|
:Type: :zeek:type:`pattern`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default:
|
|
|
|
::
|
|
|
|
/^?((_EXPORT_)|(_RC4_))$?/
|
|
|
|
|
|
Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
|
|
encountering old export cipher suites, or RC4 (see RFC7465).
|
|
|
|
|