Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/scripts/policy/protocols/ssl/extract-certs-pem.bro
Jon Siwek a71ab223c4 Various unit test cleanup. 
Updated README and collected coverage-related tests in a common dir.

There are still coverage failures resulting from either the following
scripts not being @load'd in the default bro mode:

base/frameworks/time-machine/notice.bro
base/protocols/http/partial-content.bro
base/protocols/rpc/main.bro

Or the following result in errors when @load'd:

policy/protocols/conn/scan.bro
policy/hot.conn.bro

If these are all scripts-in-progress, can we move them all to live
outside the main scripts/ directory until they're ready?
2011-09-27 12:41:30 -05:00

49 lines
1.8 KiB
Text
Raw Blame History

##! This script is used to extract host certificates seen on the wire to disk
##! after being converted to PEM files. The certificates will be stored in
##! a single file, one for local certificates and one for remote certificates.
##!
##! A couple of things to think about with this script::
##!
##! - It doesn't work well on a cluster because each worker will write its
##! own certificate files and no duplicate checking is done across
##! clusters so each node would log each certificate.
##!
##! - If there is a certificate input based vulnerability found in the
##! openssl command line utility, you could be in trouble because this
##! script uses that utility to convert from DER to PEM certificates.
##!
@load base/protocols/ssl
@load base/utils/directions-and-hosts
module SSL;
export {
## Setting to control if host certificates offered by the defined hosts
## will be written to the PEM certificates file.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
const extract_certs_pem = LOCAL_HOSTS &redef;
}
## This is an internally maintained variable to prevent relogging of
## certificates that have already been seen. It is indexed on an md5 sum of
## the certificate.
global extracted_certs: set[string] = set() &read_expire=1hr &redef;
event ssl_established(c: connection)
{
if ( ! c$ssl?$cert )
return;
if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
return;
local cert_hash = md5_hash(c$ssl$cert);
if ( cert_hash in extracted_certs )
# If we already extracted this cert, don't do it again.
return;
add extracted_certs[cert_hash];
local side = Site::is_local_addr(c$id$resp_h) ? "local" : "remote";
local cmd = fmt("%s x509 -inform DER -outform PEM >> certs-%s.pem", openssl_util, side);
piped_exec(cmd, c$ssl$cert);
}
Reference in a new issue View git blame Copy permalink