Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/policy/protocols/ssl/extract-certs-pem.zeek
Johanna Amann 279a060fae Deprecate extract-certs-pem.zeek and add log-certs-base64.zeek 
Extract-certs-pem writes pem files to a dedicated file; since it does
not really work in cluster-environments it was never super helpful.

This commit deprecates this file and, instead, adds
log-certs-base64.zeek, which adds the base64-encoded certificate (which
is basically equivalent with a PEM) to the log-file. Since, nowadays,
the log-files are deduplicates this should not add a huge overhead.
2021-06-29 09:45:18 +01:00

56 lines
1.7 KiB
Text
Raw Blame History

@deprecated "Remove in v5.1. Use log-certs-base64.zeek instead."
##! This script is used to extract host certificates seen on the wire to disk
##! after being converted to PEM files. The certificates will be stored in
##! a single file, one for local certificates and one for remote certificates.
##!
##! .. note::
##!
##! - It doesn't work well on a cluster because each worker will write its
##! own certificate files and no duplicate checking is done across the
##! cluster so each node would log each certificate.
##!
@load base/protocols/ssl
@load base/files/x509
@load base/utils/directions-and-hosts
module SSL;
export {
## Control if host certificates offered by the defined hosts
## will be written to the PEM certificates file.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
option extract_certs_pem = LOCAL_HOSTS;
}
# This is an internally maintained variable to prevent relogging of
# certificates that have already been seen. It is indexed on an sha1 sum of
# the certificate.
global extracted_certs: set[string] = set() &read_expire=1hr &redef;
event ssl_established(c: connection) &priority=5
{
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )
return;
if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
return;
local hash = c$ssl$cert_chain[0]$sha1;
local cert = c$ssl$cert_chain[0]$x509$handle;
if ( hash in extracted_certs )
# If we already extracted this cert, don't do it again.
return;
add extracted_certs[hash];
local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
local outfile = open_for_append(filename);
enable_raw_output(outfile);
print outfile, x509_get_certificate_string(cert, T);
close(outfile);
}
Reference in a new issue View git blame Copy permalink