Robin,
I think w/ the new commits I just did on fastpath all the current unit tests are passing except for istate.events-ssl. What's the status of that one? Looks like it's just missing a baseline?
- Jon
$ btest -D istate/events-ssl.bro
istate.events-ssl ... failed
% 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
% cat .diag
== File ===============================
1307736535.043138 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
1307736535.043138 %events-send-1 > USER-AGENT: Wget/1.10
1307736535.043138 %events-send-1 > ACCEPT: */*
1307736535.043138 %events-send-1 > HOST: www.icir.org
1307736535.043138 %events-send-1 > CONNECTION: Keep-Alive
1307736535.227178 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
1307736535.227178 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
1307736535.227178 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
1307736535.227178 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
1307736535.227178 %events-send-1 < ACCEPT-RANGES: bytes
1307736535.227178 %events-send-1 < CONTENT-LENGTH: 9130
1307736535.227178 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
1307736535.227178 %events-send-1 < CONNECTION: Keep-Alive
1307736535.227178 %events-send-1 < CONTENT-TYPE: text/html
1307736535.411667 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
1307736535.411961 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
1307736535.595485 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
1307736535.595485 %events-send-1 GET / (200 "OK" [9130] www.icir.org )
== Error ===============================
test-diff: no baseline found.
SSL is going to be a bit messed up for now because the new analyzer has been merged in but there isn't a script to go with it, partly because I'm running into a bug with the core analyzer and I can't really write a comprehensive script yet.
.Seth
robin
June 10, 2011, 8:52pm
3
> I think w/ the new commits I just did on fastpath all the current unit
> tests are passing except for istate.events-ssl.
Great, thanks! I'll merge that soon.
> What's the status of that one? Looks like it's just missing a
> baseline?
No, the SSL communication is actually not working for a reason I
haven't figured out yet. The same kind of test worked fine with Bro
1.5 and the old istate test-suite, but it seems something broke when I
rewrote the test for btest. Not sure yet what.
> 1307736535.043138 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
Note that this is only the sender side; iirc, I didn't see anything
received at the other end, and the connection was just aborted.
Robin
robin
June 10, 2011, 8:53pm
4
(This is about SSL-encrypted Bro-to-Bro communication, not related to
the analyzer.)
Robin
> No, the SSL communication is actually not working for a reason I
> haven't figured out yet. The same kind of test worked fine with Bro
> 1.5 and the old istate test-suite, but it seems something broke when I
> rewrote the test for btest. Not sure yet what.
The CA cert that the test is using expired last March (see output at bottom).
> 1307736535.043138 %events-send-1 start 141.42.64.125:56730 >
> 125.190.109.199:80
> Note that this is only the sender side; iirc, I didn't see anything
> received at the other end, and the connection was just aborted.
I tried generating my own keys and replacing what was in the test and the receiver looks like it saw everything (again output below). Let me know if it looks right to you and I can probably follow through and commit a working test unless you want to.
- Jon
$ openssl x509 -in ca_cert.pem -noout -enddate
notAfter=Mar 10 04:13:23 2011 GMT
$ ssldump -i lo0
New TCP connection #1: localhost(51344) <-> localhost(47756)
1 1 0.0011 (0.0011) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0x3a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
Unknown value 0x34
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
unknown value
NULL
1 2 0.0012 (0.0001) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
d7 3d eb 9a c8 d9 f1 e7 de fb 3a 2a 2d c3 4f 64
cc 26 46 d1 e0 41 34 2c 95 a9 8c 37 f9 8c 51 43
cipherSuite Unknown value 0x35
compressionMethod unknown value
1 3 0.0012 (0.0000) S>C Handshake
Certificate
1 4 0.0012 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
level fatal
value certificate_expired
1 6 0.0025 (0.0001) C>S Alert
level fatal
value certificate_expired
1 7 0.0027 (0.0001) C>S Alert
level fatal
value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
1 0.0029 (0.0001) S>C TCP FIN
# after replacing keys
$ btest -D istate/events-ssl.bro
istate.events-ssl ... failed
% 'btest-diff sender/http.log' failed unexpectedly (exit code 100)
% cat .diag
== File ===============================
1307985621.588992 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
1307985621.588992 %events-send-1 > USER-AGENT: Wget/1.10
1307985621.588992 %events-send-1 > ACCEPT: */*
1307985621.588992 %events-send-1 > HOST: www.icir.org
1307985621.588992 %events-send-1 > CONNECTION: Keep-Alive
1307985621.773032 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
1307985621.773032 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
1307985621.773032 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
1307985621.773032 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
1307985621.773032 %events-send-1 < ACCEPT-RANGES: bytes
1307985621.773032 %events-send-1 < CONTENT-LENGTH: 9130
1307985621.773032 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
1307985621.773032 %events-send-1 < CONNECTION: Keep-Alive
1307985621.773032 %events-send-1 < CONTENT-TYPE: text/html
1307985621.957521 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
1307985621.957815 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
1307985622.141339 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
1307985622.141339 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
== Error ===============================
test-diff: no baseline found.
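One way to catch this class of failure before the test even runs, as an added example (not Bro's own code and not from the thread): a small Python check that parses the `openssl x509 -enddate` output quoted above and flags expired or soon-to-expire fixture certs, plus a helper that pulls fatal alerts such as certificate_expired out of an ssldump trace. The sample inputs are constructed from the values shown in this thread.

```python
import re
import ssl

# Constructed sample data taken from the thread: the 'openssl x509 -noout -enddate'
# line for the test's CA cert, and the epoch time of the failing btest run.
ENDDATE_OUTPUT = "notAfter=Mar 10 04:13:23 2011 GMT\n"
TEST_RUN_TIME = 1307736535  # June 10, 2011, from the http.log timestamps

# Constructed excerpt of the ssldump trace quoted in the thread.
SSLDUMP_TRACE = """\
1 4 0.0012 (0.0000) S>C Handshake
CertificateRequest
ServerHelloDone
1 5 0.0023 (0.0010) C>S Alert
level fatal
value certificate_expired
1 0.0027 (0.0000) C>S TCP FIN
"""

def not_after_seconds(enddate_output):
    """Parse the 'notAfter=<date>' line printed by openssl into UTC epoch seconds."""
    m = re.search(r"^notAfter=(.+)$", enddate_output, re.M)
    if not m:
        raise ValueError("no notAfter line in %r" % enddate_output)
    # ssl.cert_time_to_seconds accepts openssl's '%b %d %H:%M:%S %Y GMT' form,
    # including the double space openssl prints before single-digit days.
    return ssl.cert_time_to_seconds(m.group(1).strip())

def check_cert(enddate_output, now, warn_days=30):
    """Return 'expired', 'expiring' or 'ok' so a harness can fail early with a clear reason."""
    days_left = (not_after_seconds(enddate_output) - now) / 86400.0
    if days_left < 0:
        return "expired"
    return "expiring" if days_left < warn_days else "ok"

ALERT_RE = re.compile(r"^\d+ \d+ \S+ \(\S+\) (?P<dir>[CS]>[CS]) Alert$")

def fatal_alerts(trace):
    """List (direction, alert value) for every fatal TLS alert in an ssldump trace."""
    alerts, lines = [], [ln.strip() for ln in trace.splitlines()]
    for i, line in enumerate(lines):
        if not ALERT_RE.match(line):
            continue
        # ssldump prints the alert body on the next two lines: 'level X', 'value Y'
        fields = dict(f.partition(" ")[::2] for f in lines[i + 1:i + 3])
        if fields.get("level") == "fatal":
            alerts.append((ALERT_RE.match(line).group("dir"), fields.get("value")))
    return alerts
```

Run `check_cert` over every PEM in the test tree (feeding it the `openssl x509 -noout -enddate` output) as a pre-flight step, and the harness can say "CA cert expired" instead of "no baseline found".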
robin
June 15, 2011, 7:54pm
6
(This was supposed to have been sent already ...)
> The CA cert that the test is using expired last March (see output at bottom).
D'oh! That's something Bro should report a bit more directly I guess ...
> I tried generating my own keys and replacing what was in the test and
> the receiver looks like it saw everything (again output below).
Yes, looks good. It should match the output from the clear-text
version of the test. If that's the case, feel free to commit.
Thanks!
Robin