:tocdepth: 3

policy/protocols/ssl/weak-keys.bro
==================================
.. bro:namespace:: SSL

Generate notices when SSL/TLS connections use certificates or DH parameters
that have potentially unsafe key lengths.

:Namespace: SSL
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.bro </scripts/base/utils/directions-and-hosts.bro>`
:Source File: :download:`/scripts/policy/protocols/ssl/weak-keys.bro`

Summary
~~~~~~~
Options
#######
======================================================================================== =====================================================================
:bro:id:`SSL::notify_dh_length_shorter_cert_length`: :bro:type:`bool` :bro:attr:`&redef` Warn if the DH key length is smaller than the certificate key length.
:bro:id:`SSL::notify_minimal_key_length`: :bro:type:`count` :bro:attr:`&redef`           The minimal key length in bits that is considered to be safe.
:bro:id:`SSL::notify_weak_keys`: :bro:type:`Host` :bro:attr:`&redef`                     The category of hosts you would like to be notified about which have
                                                                                         certificates that are going to be expiring soon.
======================================================================================== =====================================================================

Redefinitions
#############
========================================== =
:bro:type:`Notice::Type`: :bro:type:`enum` 
========================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: SSL::notify_dh_length_shorter_cert_length

   :Type: :bro:type:`bool`
   :Attributes: :bro:attr:`&redef`
   :Default: ``T``

   Warn if the DH key length is smaller than the certificate key length. This is
   potentially unsafe because it gives a wrong impression of safety due to the
   certificate key length. However, it is very common and cannot be avoided in some
   settings (e.g. with old Java clients).

.. bro:id:: SSL::notify_minimal_key_length

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``1024``

   The minimal key length in bits that is considered to be safe. Any shorter
   (non-EC) key lengths will trigger the notice.

.. bro:id:: SSL::notify_weak_keys

   :Type: :bro:type:`Host`
   :Attributes: :bro:attr:`&redef`
   :Default: ``LOCAL_HOSTS``

   The category of hosts you would like to be notified about which have
   certificates that are going to be expiring soon.  By default, these
   notices will be suppressed by the notice framework for 1 day after a particular
   certificate has had a notice generated. Choices are: ``LOCAL_HOSTS``,
   ``REMOTE_HOSTS``, ``ALL_HOSTS``, ``NO_HOSTS``.
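As an added example (not part of weak-keys.bro or its generated documentation), the following ``local.bro`` fragment loads the script and tightens the three options above; the 2048-bit threshold and the choice of ``ALL_HOSTS`` are the editor's assumptions about a typical deployment, not values the script itself prescribes.

```bro
# Constructed tuning fragment for local.bro; not part of weak-keys.bro itself.
# Load the policy script so its options and notices become available.
@load protocols/ssl/weak-keys

# The shipped default is 1024 bits. 1024-bit RSA/DSA/DH keys have been
# deprecated for years (assumption: this site follows 2048-bit guidance),
# so raise the threshold. Any shorter non-EC key now triggers the notice.
redef SSL::notify_minimal_key_length = 2048;

# The shipped default is LOCAL_HOSTS, i.e. only certificates presented by
# hosts the Site framework treats as local. Report every host so weak keys on
# third-party services your users connect to are visible as well. Trade-off:
# more notices, each suppressed per certificate for 1 day by the framework.
redef SSL::notify_weak_keys = ALL_HOSTS;

# Keep the DH-shorter-than-certificate warning enabled (the default, T).
# Set this to F only where old Java clients make short DH parameters
# unavoidable and the notice would otherwise be pure noise.
redef SSL::notify_dh_length_shorter_cert_length = T;
```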


