(no subject)

Zeek
1

Hi.

A script that is a slightly modified version of what’s shipped with Bro, gives me interesting results

The script source

http://michal.pastebin.mozilla.org/7542181

Take a look at lines

  1. local key_length = cert$key_length;

  3. if ( key_length < notify_minimal_key_length )

  4. NOTICE([$note=Weak_Key,

I can see (in notice.log) warnings about host using 1024 bit certificate. Well, the minimal acceptable length is set to 1024 so I should not get any warnings.

notice.log

1416937779.196106 CoZK6Z1Y61rsevYSCd 63.245.221.32 34715 10.22.72.139 13000 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 63.245.221.32 10.22.72.139 13000 - nsm7-eth4-6 Notice::ACTION_LOG 86400.000000 F

The ssl.log and x509.log show that the connection was over SSL, and the certificate is 1024 bit.

2

Hi Michał,

The standard set by the Certification Authority/Browser (CA/B) Forum required that SSL certificates issued after January 1, 2014 must have a key length of at least 2048-bits. So while some 1024-bit SSL certs may still be valid if they were issued before that date, they are not up to current standards and are quickly becoming deprecated. Additionally, the overlap with SHA-1 phaseout and browser security warnings in the upcoming months, I expect most 1024-bit SSL certs will be killed off quickly.

Hope this helps,
Zach

Zachary Holt
Information Security Office
Carnegie Mellon University

3

Well that’s an interesting story, completely off topic :wink:

Anyway, I found the bug, I had the constant redefined somewhere else. Const that you can redef are funny sometimes.