forked from 0xxon/bro-scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
chrome-sha1.bro
75 lines (58 loc) · 2.02 KB
/
chrome-sha1.bro
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# This script identifies certificates on the local network which will be
# impacted by the Chrome SHA-1 sunset changes. For more details, please
# see http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
@load base/protocols/ssl
@load base/frameworks/notice
module ChromeSHA;
export {
redef enum Notice::Type += {
## Indicates that the certificate of a host will be impacted by the google
## SHA-1 sunset changes.
SSL_Chrome_SHA_Sunset
};
}
global recently_checked_certs: set[string] = set();
event ssl_established(c: connection)
{
if (!Site::is_local_addr(c$id$resp_h))
return;
# If there aren't any certs we can't validate the chain.
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )
return;
local chain_id = "";
local chain: vector of opaque of x509 = vector();
for ( i in c$ssl$cert_chain )
{
chain_id = cat(chain_id, c$ssl$cert_chain[i]$sha1);
if ( c$ssl$cert_chain[i]?$x509 )
chain[i] = c$ssl$cert_chain[i]$x509$handle;
}
if ( chain_id in recently_checked_certs )
return;
add recently_checked_certs[chain_id];
# This only applies to certificates with an expiry after 2016-01-01.
local cutoff: time = double_to_time(1451606400.0);
if ( c$ssl$cert_chain[0]$x509$certificate$not_valid_after < cutoff )
return;
local result = x509_verify(chain, SSL::root_certs);
# If we cannot validate, we cannot tell anything in any case...
if ( result$result_string != "ok" )
return;
local vchain = result$chain_certs;
for ( i in vchain )
{
local cert = x509_parse(vchain[i]);
if ( cert$subject == cert$issuer )
# skip the root
return;
if ( /^sha1With/ in cert$sig_alg )
NOTICE([$note=SSL_Chrome_SHA_Sunset,
$msg=fmt("A certificate in the chain uses SHA-1 as the hash algorithm. Chrome will consider this unsafe in the future"),
$sub=fmt("Subject: %s, Issuer: %s, Signature algorithm: %s", cert$subject, cert$issuer, cert$sig_alg),
$conn=c,
$identifier=cat(c$id$resp_h),
$suppress_for=7 days
]);
}
}