&log cert_chain attribute (vector of Files::info) in ssl.log file

I would like to list the server’s chain of certificates in ssl.log (log of handshake data) alongside each handshake.

In ssl.log, the cert_chain attribute (certificate chain of the server) is not being logged, and is of type vector of Files::info. When I tried to add the “&log” attribute to cert_chain in files.bro, it gave this error:

“… cert_chain is of type that cannot be logged.”

When I tried changing the type from vector of Files::info to vector of string, it produced some different errors, since cert_chain is referenced as a vector of Files::info in other parts of the files.bro script.

Please tell me how I can log the cert_chain attribute in ssl.log file.

Hi,

Yes, you are right, cert_chain can currently not be logged. The logging
framework is limited to fields that can be represented in ASCII columns;
hence only vectors of base-types can be logged. Files::info is not a base
type :).

What exactly do you want to log? The hashes?

In this case, the way to do this is to add an event handler that takes the
information in cert_chain, transforms it into a format that can be logged,
and writes it into another field. For example, if you want to log the
certificate hashes, you would go through the cert_chain, extract all
hashes, and then write them to a field of type vector of string, which can
be logged.

I hope this helps :)
Johanna
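
One way to implement the approach described in the reply above, as an added example that is not part of the original thread and not the project's own code. The field name `cert_chain_sha1` and the helper `fill_chain_hashes` are assumptions, and the sketch assumes the base SSL scripts attach the SHA1 analyzer to certificates and write ssl.log from handlers at priority -5 (check this against your installed version).

```bro
@load base/protocols/ssl
@load base/files/hash

# Add a loggable column to ssl.log. "cert_chain_sha1" is a hypothetical
# field name chosen for this example.
redef record SSL::Info += {
	cert_chain_sha1: vector of string &log &optional;
};

# Hypothetical helper: copy the SHA1 of every certificate in the server
# chain into the loggable field, in chain order (index 0 is the leaf).
function fill_chain_hashes(c: connection)
	{
	# Nothing to do without SSL state or a chain, or if already filled.
	if ( ! c?$ssl || ! c$ssl?$cert_chain || c$ssl?$cert_chain_sha1 )
		return;

	local hashes: vector of string = vector();

	for ( i in c$ssl$cert_chain )
		{
		# sha1 is optional on the file record; skip entries whose hash
		# was never computed instead of triggering a runtime error.
		if ( c$ssl$cert_chain[i]?$sha1 )
			hashes[|hashes|] = c$ssl$cert_chain[i]$sha1;
		}

	if ( |hashes| > 0 )
		c$ssl$cert_chain_sha1 = hashes;
	}

# Assumption: the base script logs at priority -5, so -4 runs just before
# the record is written, once the hashes are available.
event ssl_established(c: connection) &priority=-4
	{
	fill_chain_hashes(c);
	}

# Covers handshakes that never complete but are still logged at teardown.
event connection_state_remove(c: connection) &priority=-4
	{
	fill_chain_hashes(c);
	}
```

Load it from local.bro; ssl.log then carries the chain hashes as a comma-separated set in the new column, leaving the original cert_chain field and files.bro unmodified.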