policy/protocols/ssl/weak-keys.bro

SSL

Generate notices when SSL/TLS connections use certificates or DH parameters that have potentially unsafe key lengths.

Namespace: SSL
Imports: base/frameworks/notice, base/protocols/ssl, base/utils/directions-and-hosts.bro
Source File: /scripts/policy/protocols/ssl/weak-keys.bro

Summary

Options

SSL::notify_dh_length_shorter_cert_length: bool &redef Warn if the DH key length is smaller than the certificate key length.
SSL::notify_minimal_key_length: count &redef The minimal key length in bits that is considered to be safe.
SSL::notify_weak_keys: Host &redef The category of hosts you would like to be notified about which have certificates that are going to be expiring soon.

Redefinitions

Notice::Type: enum

Detailed Interface

Options

SSL::notify_dh_length_shorter_cert_length
Type: bool
Attributes: &redef
Default: T

Warn if the DH key length is smaller than the certificate key length. This is potentially unsafe because the certificate key length gives a misleading impression of safety while the actual key exchange is only as strong as the shorter DH parameters. However, it is very common and cannot be avoided in some settings (e.g. with old Java clients).

SSL::notify_minimal_key_length
Type: count
Attributes: &redef
Default: 1024

The minimal key length in bits that is considered to be safe. Any shorter (non-EC) key lengths will trigger the notice.

SSL::notify_weak_keys
Type: Host
Attributes: &redef
Default: LOCAL_HOSTS

The category of hosts you would like to be notified about which have certificates that are going to be expiring soon. By default, these notices will be suppressed by the notice framework for 1 day after a particular certificate has had a notice generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
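As an added example of tuning these three options from a site's local.bro (not code from weak-keys.bro itself): raise the threshold, widen the host scope, and escalate only the notices that concern local servers. It assumes the notice type raised by this script is named SSL::Weak_Key and that Site::is_local_addr from base/utils/site.bro is loaded, as it is in a default Bro configuration.

```bro
# local.bro (added example; assumes the weak-keys policy script is loaded)
@load protocols/ssl/weak-keys

# 1024-bit RSA/DSA keys are the script's default floor; treat anything
# below 2048 bits as weak instead.
redef SSL::notify_minimal_key_length = 2048;

# Default is LOCAL_HOSTS; also flag weak keys on remote servers our
# clients talk to (choices: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS).
redef SSL::notify_weak_keys = ALL_HOSTS;

# Keep warning when DH parameters are shorter than the certificate key.
# This is the default (T); it is spelled out here because the page notes
# it is noisy with old Java clients, so the hook below only escalates
# local servers rather than everything.
redef SSL::notify_dh_length_shorter_cert_length = T;

hook Notice::policy(n: Notice::Info)
	{
	# SSL::Weak_Key is an assumed name for the notice type this script adds.
	if ( n$note != SSL::Weak_Key )
		return;

	# Weak keys on our own servers are actionable by us: e-mail them.
	# Remote servers' weak keys stay in notice.log for review only.
	if ( n?$src && Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

The 1-day suppression described above still applies, so a given certificate produces at most one e-mail per day even with ALL_HOSTS.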


Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.