why x509_extensions event never called?

Hi all,
I’m analyzing X509 certificates with extensions, I defined a handler for x509_extensions event, but it is never called!!! Why doesn’t it work?

event x509_extension(c: connection, is_orig: bool, data: string)
{
  print "THERE'S AN EXTENSION!";
}

That looks correct. You're going to have to give us more information and ideally a trace file. Also, consider that if you aren't seeing certificates that have extensions you won't see this event fire.

  .Seth

Hi Seth,
thanks for reply, but there is no more information to give you. I just visited the site www.paypal.com and all SSL events (ssl_client_hello, ssl_server_hello, ssl_established, x509_certificate) are fired except x509_extension. I cannot understand why, but the Paypal’s certificate contains many extensions.

module MYMODULE;

export {
}

event bro_init()
{
  # fires
}

event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
{
  # fires
}

event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
{
  # fires
}

event ssl_established(c: connection)
{
  # fires
}

event x509_extension(c: connection, is_orig: bool, is_critical: bool, name: string, value: string)
{
  print "THERE'S AN EXTENSION!"; # no fire
}

event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
{
  # fires
}

Jessica

Sorry, this one is our fault. At the moment, the x509_extension event never fires due to
a bug in the SSL analyzer.

I have this fixed in a branch — however the fix never made it back into the Bro master
(because the branch also changes a number of other things about x509 certificate
handling; some of them are not quite working yet).

I will backport that little part and post a patch in a bit.

Johanna

Hello Jessica,

a patch for the x509_extension event is in the topic/johanna/fix-x509-extensions git branch.

The event syntax slightly changed - using

event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info)
{
  print extension;
}

should work now.

Johanna
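As an added illustration (not part of the thread or of Johanna's branch), here is a script using the patched event signature above that counts extension events per connection and reports at ssl_established whether any were seen, so a silent non-firing handler like the one in the original question shows up immediately. It assumes the signature from Johanna's message and the standard conn_id / fmt builtins; MYMODULE and ext_count are names chosen for this example.

```zeek
module MYMODULE;

# Number of x509_extension events observed per connection (constructed helper state).
global ext_count: table[conn_id] of count &default=0;

# Signature as given in the topic/johanna/fix-x509-extensions branch.
event x509_extension(c: connection, is_orig: bool, cert: X509, extension: X509_extension_info)
{
  ext_count[c$id] += 1;
  print fmt("%s: extension #%d: %s", c$id$resp_h, ext_count[c$id], extension);
}

# Certificates are delivered during the handshake, so by the time the
# session is established we know whether any extension events fired.
event ssl_established(c: connection)
{
  if ( c$id !in ext_count )
    print fmt("%s: certificate(s) seen but no x509_extension events fired", c$id$resp_h);
  else
    print fmt("%s: %d extension events", c$id$resp_h, ext_count[c$id]);

  delete ext_count[c$id];
}
```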

Thank you so much Johanna :)

Jessica.