Bro communication via SSL

Hi all,

I'd like to understand to which degree folks are currently using Bro's
built-in support for doing Bro-to-Bro or Bro-to-Broccoli communication
via SSL.

My hunch is that not many installations are using this, though I know
a few that do (note that if you haven't configured SSL specifically,
you are not using it :-).

Those who do use SSL for Bro communication, would it be an option to
replace it with something external like stunnel?

I'm asking because we're planning to rework the communication layer
quite a bit. Not only has supporting SSL directly been quite a pain in
the past, but we'd also be more flexible in terms of leveraging
external libraries if SSL were not crucial.


I second this idea. No encryption would help a lot and cut down on
compile requirements. It can also make debugging easier. To achieve
confidentiality, I wire all my NMS together using OpenVPN so they have
their own private network, though stunnel would work just fine as
you've pointed out.
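As an added illustration of the stunnel replacement raised in the question and seconded above (this is an example written for this page, not configuration from the thread or from the Bro project): Bro keeps listening on loopback and stunnel carries the peering traffic between hosts, with each side verifying the other's certificate against a private CA. The port 47757 is assumed to be Bro's communication port, 47758 is a placeholder for the tunnel port, and hostnames and file paths are placeholders.

```ini
; ---------- manager host: /etc/stunnel/bro-peer.conf ----------
; Bro itself listens only on 127.0.0.1:47757 (assumed default port),
; so the cleartext peering socket is never reachable from the network.
cert   = /etc/stunnel/manager.pem      ; this host's certificate
key    = /etc/stunnel/manager.key      ; private key, mode 0600, owned by stunnel
CAfile = /etc/stunnel/bro-ca.pem       ; private CA that signed every peer cert
verify = 2          ; require a peer certificate AND check it against CAfile
setuid = stunnel    ; drop privileges after binding
setgid = stunnel
options = NO_SSLv2  ; refuse the legacy protocol version

[bro-peer]
accept  = 0.0.0.0:47758     ; encrypted side, exposed to the workers
connect = 127.0.0.1:47757   ; cleartext side, Bro on loopback only

; ---------- worker host: /etc/stunnel/bro-peer.conf ----------
; Bro connects to 127.0.0.1:47758; stunnel wraps it and forwards to the manager.
cert   = /etc/stunnel/worker1.pem
key    = /etc/stunnel/worker1.key
CAfile = /etc/stunnel/bro-ca.pem
verify = 2          ; the worker also authenticates the manager
setuid = stunnel
setgid = stunnel
options = NO_SSLv2

[bro-peer]
client  = yes
accept  = 127.0.0.1:47758            ; local cleartext endpoint for Bro
connect = manager.example.org:47758  ; manager's stunnel listener
```

Without `verify = 2` and a `CAfile`, stunnel only encrypts; any host that can reach port 47758 could connect, so the Bro-side `listen` address must also stay on loopback or the tunnel adds nothing.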

It actually won't cut down on compilation requirements due to OpenSSL being a required dependency for the next release.


(Just to clarify, that dependency is due to new SSL protocol