Hi,
I’m analyzing X.509 certificates and I have to check that the CN/SAN matches the hostname to which I am connecting. I was using the hostname value derived from the ssl extension “server_name”, but in some cases this extension is not set.
I then tried to use the lookup_addr() function but it returns nothing.
event ssl_established(c: connection)
	{
	# Hostname from the TLS server_name (SNI) extension, if the client sent one.
	local hostname: string = "";
	if ( c$ssl?$server_name )
		hostname = c$ssl$server_name;

	# Reverse DNS lookup of the responder address. The body of the when
	# statement runs asynchronously, only once the lookup has completed.
	when ( local host = lookup_addr(c$id$resp_h) )
		{
		print host;
		}
	}
It does not print the hostname. Why?
Jessica.
> I'm analyzing X.509 certificates and I have to check that the CN/SAN matches the hostname to which I am connecting. I was using the hostname value derived from the ssl extension "server_name", but in some cases this extension is not set.
Yep, there is no requirement that certificates have the server name indicator extension. You will also see this in cases where an SSL session is resumed and there is no certificate exchange.
> event ssl_established(c: connection)
> 	{
> 	# Hostname from the TLS server_name (SNI) extension, if the client sent one.
> 	local hostname: string = "";
> 	if ( c$ssl?$server_name )
> 		hostname = c$ssl$server_name;
>
> 	# Reverse DNS lookup of the responder address. The body of the when
> 	# statement runs asynchronously, only once the lookup has completed.
> 	when ( local host = lookup_addr(c$id$resp_h) )
> 		{
> 		print host;
> 		}
> 	}
> It does not print the hostname. Why?
Are you running this on live traffic or on a trace file? If you are running on a trace file, it could be that Bro is terminating before the DNS reply has a chance to get back into Bro and run that code. When statements work like closures, so they aren't executed immediately. You can think of it like this: the body of the when statement is stored in the background until the condition for the when statement becomes true or completes; it's only then that the body is executed.
Also, you may want to print something just before the when statement just to make sure your code is actually making it to the when statement.
.Seth
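Putting the two replies together, here is an added example (my own script, not code from the thread) that takes the hostname from SNI when present, otherwise falls back to the reverse lookup with a timeout clause so a missing DNS reply is reported instead of silently dropped, and then compares that name against the leaf certificate's CN and SAN dNSName entries. It assumes the Bro 2.x record layout (SSL::Info$cert_chain, X509::Info with $certificate and $san, split_string1); the helper names name_matches and check_cert_name are mine.

```zeek
# Added example, not from the thread. Assumes Bro 2.x SSL::Info$cert_chain
# and X509::Info record fields; helper names are hypothetical.

# Does a certificate name (exact, or a single leftmost wildcard) match host?
function name_matches(pattern: string, host: string): bool
	{
	if ( pattern == host )
		return T;
	# Wildcard only for the leftmost label: *.example.com matches a.example.com
	if ( /^\*\./ in pattern )
		{
		local host_parts = split_string1(host, /\./);
		local pat_parts = split_string1(pattern, /\./);
		return |host_parts| == 2 && |pat_parts| == 2 && host_parts[1] == pat_parts[1];
		}
	return F;
	}

function check_cert_name(c: connection, host: string)
	{
	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
		return;  # resumed session or no certificate seen: nothing to check
	local x = c$ssl$cert_chain[0]$x509;
	local ok = F;
	# Subject CN, pulled out of the subject string, e.g. "CN=www.example.com,O=..."
	local cn = find_last(x$certificate$subject, /CN=[^,]+/);
	if ( cn != "" && name_matches(sub_bytes(cn, 4, |cn| - 3), host) )
		ok = T;
	# SAN dNSName entries: any matching entry is enough
	if ( x?$san && x$san?$dns )
		for ( i in x$san$dns )
			if ( name_matches(x$san$dns[i], host) )
				ok = T;
	if ( ! ok )
		print fmt("%s: certificate name mismatch for %s", c$uid, host);
	}

event ssl_established(c: connection)
	{
	if ( c$ssl?$server_name )
		{
		check_cert_name(c, c$ssl$server_name);
		return;
		}
	# No SNI: fall back to reverse DNS, with a bounded wait so the case where
	# the reply never arrives (e.g. Bro exits on a short trace) is visible.
	when ( local host = lookup_addr(c$id$resp_h) )
		check_cert_name(c, host);
	timeout 5sec
		print fmt("%s: no reverse DNS for %s, cannot check CN/SAN", c$uid, c$id$resp_h);
	}
```

On a trace file the timeout body still only fires if Bro is alive when the interval expires, so on very short traces expect neither branch to run for the last connections.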
Yes, I'm working on trace files, so there's no way to wait for the DNS reply? In that case I cannot check the validity of the CN/SAN field, right?