mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
549661bd11
- Certificate validation volume has been greatly cut down by caching results. - Cert hashing is now done in one place instead of being repeated everywhere a cert hash was needed. - Some small cleanups for notice suppression that should greatly reduce duplicate notice volume about invalid certificates.
51 lines
1.4 KiB
Text
51 lines
1.4 KiB
Text
##! Perform full certificate chain validation for SSL certificates.
|
|
|
|
@load base/frameworks/notice/main
|
|
@load base/protocols/ssl/main
|
|
|
|
@load protocols/ssl/cert-hash
|
|
|
|
module SSL;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
Invalid_Server_Cert
|
|
};
|
|
|
|
redef record Info += {
|
|
validation_status: string &log &optional;
|
|
};
|
|
|
|
## MD5 hash values for recently validated certs along with the validation
|
|
## status message are kept in this table so avoid constant validation
|
|
## everytime the same certificate is seen.
|
|
global recently_validated_certs: table[string] of string = table()
|
|
&read_expire=5mins &synchronized;
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=3
|
|
{
|
|
# If there aren't any certs we can't very well do certificate validation.
|
|
if ( ! c$ssl?$cert || ! c$ssl?$cert_chain )
|
|
return;
|
|
|
|
if ( c$ssl?$cert_hash && c$ssl$cert_hash in recently_validated_certs )
|
|
{
|
|
c$ssl$validation_status = recently_validated_certs[c$ssl$cert_hash];
|
|
}
|
|
else
|
|
{
|
|
local result = x509_verify(c$ssl$cert, c$ssl$cert_chain, root_certs);
|
|
c$ssl$validation_status = x509_err2str(result);
|
|
}
|
|
|
|
if ( c$ssl$validation_status != "ok" )
|
|
{
|
|
local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
|
|
NOTICE([$note=Invalid_Server_Cert, $msg=message,
|
|
$sub=c$ssl$subject, $conn=c,
|
|
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);
|
|
}
|
|
}
|
|
|
|
|