1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Tom DeCanio <td@npulsetech.com>
22 *
23 * Implements TLS JSON logging portion of the engine.
24 */
25
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35
36 #include "util-print.h"
37 #include "util-unittest.h"
38
39 #include "util-debug.h"
40 #include "app-layer-parser.h"
41 #include "output.h"
42 #include "app-layer-ssl.h"
43 #include "app-layer.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46
47 #include "util-logopenfile.h"
48 #include "util-crypt.h"
49 #include "util-ja3.h"
50
51 #include "output-json.h"
52 #include "output-json-tls.h"
53
54 SC_ATOMIC_EXTERN(unsigned int, cert_id);
55
56 #define MODULE_NAME "LogTlsLog"
57 #define DEFAULT_LOG_FILENAME "tls.json"
58
59 #define LOG_TLS_DEFAULT 0
60 #define LOG_TLS_EXTENDED (1 << 0)
61 #define LOG_TLS_CUSTOM (1 << 1)
62 #define LOG_TLS_SESSION_RESUMPTION (1 << 2)
63
64 #define LOG_TLS_FIELD_VERSION (1 << 0)
65 #define LOG_TLS_FIELD_SUBJECT (1 << 1)
66 #define LOG_TLS_FIELD_ISSUER (1 << 2)
67 #define LOG_TLS_FIELD_SERIAL (1 << 3)
68 #define LOG_TLS_FIELD_FINGERPRINT (1 << 4)
69 #define LOG_TLS_FIELD_NOTBEFORE (1 << 5)
70 #define LOG_TLS_FIELD_NOTAFTER (1 << 6)
71 #define LOG_TLS_FIELD_SNI (1 << 7)
72 #define LOG_TLS_FIELD_CERTIFICATE (1 << 8)
73 #define LOG_TLS_FIELD_CHAIN (1 << 9)
74 #define LOG_TLS_FIELD_SESSION_RESUMED (1 << 10)
75 #define LOG_TLS_FIELD_JA3 (1 << 11)
76 #define LOG_TLS_FIELD_JA3S (1 << 12)
77
78 typedef struct {
79 const char *name;
80 uint64_t flag;
81 } TlsFields;
82
83 TlsFields tls_fields[] = {
84 { "version", LOG_TLS_FIELD_VERSION },
85 { "subject", LOG_TLS_FIELD_SUBJECT },
86 { "issuer", LOG_TLS_FIELD_ISSUER },
87 { "serial", LOG_TLS_FIELD_SERIAL },
88 { "fingerprint", LOG_TLS_FIELD_FINGERPRINT },
89 { "not_before", LOG_TLS_FIELD_NOTBEFORE },
90 { "not_after", LOG_TLS_FIELD_NOTAFTER },
91 { "sni", LOG_TLS_FIELD_SNI },
92 { "certificate", LOG_TLS_FIELD_CERTIFICATE },
93 { "chain", LOG_TLS_FIELD_CHAIN },
94 { "session_resumed", LOG_TLS_FIELD_SESSION_RESUMED },
95 { "ja3", LOG_TLS_FIELD_JA3 },
96 { "ja3s", LOG_TLS_FIELD_JA3S },
97 { NULL, -1 }
98 };
99
100 typedef struct OutputTlsCtx_ {
101 LogFileCtx *file_ctx;
102 uint32_t flags; /** Store mode */
103 uint64_t fields; /** Store fields */
104 OutputJsonCommonSettings cfg;
105 } OutputTlsCtx;
106
107
108 typedef struct JsonTlsLogThread_ {
109 LogFileCtx *file_ctx;
110 OutputTlsCtx *tlslog_ctx;
111 MemBuffer *buffer;
112 } JsonTlsLogThread;
113
JsonTlsLogSubject(JsonBuilder * js,SSLState * ssl_state)114 static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state)
115 {
116 if (ssl_state->server_connp.cert0_subject) {
117 jb_set_string(js, "subject",
118 ssl_state->server_connp.cert0_subject);
119 }
120 }
121
JsonTlsLogIssuer(JsonBuilder * js,SSLState * ssl_state)122 static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state)
123 {
124 if (ssl_state->server_connp.cert0_issuerdn) {
125 jb_set_string(js, "issuerdn",
126 ssl_state->server_connp.cert0_issuerdn);
127 }
128 }
129
JsonTlsLogSessionResumed(JsonBuilder * js,SSLState * ssl_state)130 static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state)
131 {
132 if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
133 /* Only log a session as 'resumed' if a certificate has not
134 been seen, and the session is not TLSv1.3 or later. */
135 if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
136 ssl_state->server_connp.cert0_subject == NULL) &&
137 (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
138 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
139 jb_set_bool(js, "session_resumed", true);
140 }
141 }
142 }
143
JsonTlsLogFingerprint(JsonBuilder * js,SSLState * ssl_state)144 static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state)
145 {
146 if (ssl_state->server_connp.cert0_fingerprint) {
147 jb_set_string(js, "fingerprint",
148 ssl_state->server_connp.cert0_fingerprint);
149 }
150 }
151
JsonTlsLogSni(JsonBuilder * js,SSLState * ssl_state)152 static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state)
153 {
154 if (ssl_state->client_connp.sni) {
155 jb_set_string(js, "sni",
156 ssl_state->client_connp.sni);
157 }
158 }
159
JsonTlsLogSerial(JsonBuilder * js,SSLState * ssl_state)160 static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state)
161 {
162 if (ssl_state->server_connp.cert0_serial) {
163 jb_set_string(js, "serial",
164 ssl_state->server_connp.cert0_serial);
165 }
166 }
167
JsonTlsLogVersion(JsonBuilder * js,SSLState * ssl_state)168 static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state)
169 {
170 char ssl_version[SSL_VERSION_MAX_STRLEN];
171 SSLVersionToString(ssl_state->server_connp.version, ssl_version);
172 jb_set_string(js, "version", ssl_version);
173 }
174
JsonTlsLogNotBefore(JsonBuilder * js,SSLState * ssl_state)175 static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state)
176 {
177 if (ssl_state->server_connp.cert0_not_before != 0) {
178 char timebuf[64];
179 struct timeval tv;
180 tv.tv_sec = ssl_state->server_connp.cert0_not_before;
181 tv.tv_usec = 0;
182 CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
183 jb_set_string(js, "notbefore", timebuf);
184 }
185 }
186
JsonTlsLogNotAfter(JsonBuilder * js,SSLState * ssl_state)187 static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state)
188 {
189 if (ssl_state->server_connp.cert0_not_after != 0) {
190 char timebuf[64];
191 struct timeval tv;
192 tv.tv_sec = ssl_state->server_connp.cert0_not_after;
193 tv.tv_usec = 0;
194 CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
195 jb_set_string(js, "notafter", timebuf);
196 }
197 }
198
JsonTlsLogJa3Hash(JsonBuilder * js,SSLState * ssl_state)199 static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state)
200 {
201 if (ssl_state->client_connp.ja3_hash != NULL) {
202 jb_set_string(js, "hash",
203 ssl_state->client_connp.ja3_hash);
204 }
205 }
206
JsonTlsLogJa3String(JsonBuilder * js,SSLState * ssl_state)207 static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state)
208 {
209 if ((ssl_state->client_connp.ja3_str != NULL) &&
210 ssl_state->client_connp.ja3_str->data != NULL) {
211 jb_set_string(js, "string",
212 ssl_state->client_connp.ja3_str->data);
213 }
214 }
215
JsonTlsLogJa3(JsonBuilder * js,SSLState * ssl_state)216 static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state)
217 {
218 jb_open_object(js, "ja3");
219
220 JsonTlsLogJa3Hash(js, ssl_state);
221 JsonTlsLogJa3String(js, ssl_state);
222
223 jb_close(js);
224 }
225
JsonTlsLogJa3SHash(JsonBuilder * js,SSLState * ssl_state)226 static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state)
227 {
228 if (ssl_state->server_connp.ja3_hash != NULL) {
229 jb_set_string(js, "hash",
230 ssl_state->server_connp.ja3_hash);
231 }
232 }
233
JsonTlsLogJa3SString(JsonBuilder * js,SSLState * ssl_state)234 static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state)
235 {
236 if ((ssl_state->server_connp.ja3_str != NULL) &&
237 ssl_state->server_connp.ja3_str->data != NULL) {
238 jb_set_string(js, "string",
239 ssl_state->server_connp.ja3_str->data);
240 }
241 }
242
JsonTlsLogJa3S(JsonBuilder * js,SSLState * ssl_state)243 static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
244 {
245 jb_open_object(js, "ja3s");
246
247 JsonTlsLogJa3SHash(js, ssl_state);
248 JsonTlsLogJa3SString(js, ssl_state);
249
250 jb_close(js);
251 }
252
JsonTlsLogCertificate(JsonBuilder * js,SSLState * ssl_state)253 static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state)
254 {
255 if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
256 return;
257 }
258
259 SSLCertsChain *cert = TAILQ_FIRST(&ssl_state->server_connp.certs);
260 if (cert == NULL) {
261 return;
262 }
263
264 unsigned long len = BASE64_BUFFER_SIZE(cert->cert_len);
265 uint8_t encoded[len];
266 if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
267 SC_BASE64_OK) {
268 jb_set_string(js, "certificate", (char *)encoded);
269 }
270 }
271
JsonTlsLogChain(JsonBuilder * js,SSLState * ssl_state)272 static void JsonTlsLogChain(JsonBuilder *js, SSLState *ssl_state)
273 {
274 if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) {
275 return;
276 }
277
278 jb_open_array(js, "chain");
279
280 SSLCertsChain *cert;
281 TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) {
282 unsigned long len = BASE64_BUFFER_SIZE(cert->cert_len);
283 uint8_t encoded[len];
284 if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) ==
285 SC_BASE64_OK) {
286 jb_append_string(js, (char *)encoded);
287 }
288 }
289
290 jb_close(js);
291 }
292
JsonTlsLogJSONBasic(JsonBuilder * js,SSLState * ssl_state)293 void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
294 {
295 /* tls subject */
296 JsonTlsLogSubject(js, ssl_state);
297
298 /* tls issuerdn */
299 JsonTlsLogIssuer(js, ssl_state);
300
301 /* tls session resumption */
302 JsonTlsLogSessionResumed(js, ssl_state);
303 }
304
JsonTlsLogJSONCustom(OutputTlsCtx * tls_ctx,JsonBuilder * js,SSLState * ssl_state)305 static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js,
306 SSLState *ssl_state)
307 {
308 /* tls subject */
309 if (tls_ctx->fields & LOG_TLS_FIELD_SUBJECT)
310 JsonTlsLogSubject(js, ssl_state);
311
312 /* tls issuerdn */
313 if (tls_ctx->fields & LOG_TLS_FIELD_ISSUER)
314 JsonTlsLogIssuer(js, ssl_state);
315
316 /* tls session resumption */
317 if (tls_ctx->fields & LOG_TLS_FIELD_SESSION_RESUMED)
318 JsonTlsLogSessionResumed(js, ssl_state);
319
320 /* tls serial */
321 if (tls_ctx->fields & LOG_TLS_FIELD_SERIAL)
322 JsonTlsLogSerial(js, ssl_state);
323
324 /* tls fingerprint */
325 if (tls_ctx->fields & LOG_TLS_FIELD_FINGERPRINT)
326 JsonTlsLogFingerprint(js, ssl_state);
327
328 /* tls sni */
329 if (tls_ctx->fields & LOG_TLS_FIELD_SNI)
330 JsonTlsLogSni(js, ssl_state);
331
332 /* tls version */
333 if (tls_ctx->fields & LOG_TLS_FIELD_VERSION)
334 JsonTlsLogVersion(js, ssl_state);
335
336 /* tls notbefore */
337 if (tls_ctx->fields & LOG_TLS_FIELD_NOTBEFORE)
338 JsonTlsLogNotBefore(js, ssl_state);
339
340 /* tls notafter */
341 if (tls_ctx->fields & LOG_TLS_FIELD_NOTAFTER)
342 JsonTlsLogNotAfter(js, ssl_state);
343
344 /* tls certificate */
345 if (tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE)
346 JsonTlsLogCertificate(js, ssl_state);
347
348 /* tls chain */
349 if (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)
350 JsonTlsLogChain(js, ssl_state);
351
352 /* tls ja3_hash */
353 if (tls_ctx->fields & LOG_TLS_FIELD_JA3)
354 JsonTlsLogJa3(js, ssl_state);
355
356 /* tls ja3s */
357 if (tls_ctx->fields & LOG_TLS_FIELD_JA3S)
358 JsonTlsLogJa3S(js, ssl_state);
359 }
360
JsonTlsLogJSONExtended(JsonBuilder * tjs,SSLState * state)361 void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state)
362 {
363 JsonTlsLogJSONBasic(tjs, state);
364
365 /* tls serial */
366 JsonTlsLogSerial(tjs, state);
367
368 /* tls fingerprint */
369 JsonTlsLogFingerprint(tjs, state);
370
371 /* tls sni */
372 JsonTlsLogSni(tjs, state);
373
374 /* tls version */
375 JsonTlsLogVersion(tjs, state);
376
377 /* tls notbefore */
378 JsonTlsLogNotBefore(tjs, state);
379
380 /* tls notafter */
381 JsonTlsLogNotAfter(tjs, state);
382
383 /* tls ja3 */
384 JsonTlsLogJa3(tjs, state);
385
386 /* tls ja3s */
387 JsonTlsLogJa3S(tjs, state);
388 }
389
JsonTlsLogger(ThreadVars * tv,void * thread_data,const Packet * p,Flow * f,void * state,void * txptr,uint64_t tx_id)390 static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
391 Flow *f, void *state, void *txptr, uint64_t tx_id)
392 {
393 JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
394 OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
395
396 SSLState *ssl_state = (SSLState *)state;
397 if (unlikely(ssl_state == NULL)) {
398 return 0;
399 }
400
401 if ((ssl_state->server_connp.cert0_issuerdn == NULL ||
402 ssl_state->server_connp.cert0_subject == NULL) &&
403 ((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0 ||
404 (tls_ctx->flags & LOG_TLS_SESSION_RESUMPTION) == 0) &&
405 ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
406 return 0;
407 }
408
409 JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL);
410 if (unlikely(js == NULL)) {
411 return 0;
412 }
413
414 EveAddCommonOptions(&tls_ctx->cfg, p, f, js);
415
416 jb_open_object(js, "tls");
417
418 /* reset */
419 MemBufferReset(aft->buffer);
420
421 /* log custom fields */
422 if (tls_ctx->flags & LOG_TLS_CUSTOM) {
423 JsonTlsLogJSONCustom(tls_ctx, js, ssl_state);
424 }
425 /* log extended */
426 else if (tls_ctx->flags & LOG_TLS_EXTENDED) {
427 JsonTlsLogJSONExtended(js, ssl_state);
428 }
429 /* log basic */
430 else {
431 JsonTlsLogJSONBasic(js, ssl_state);
432 }
433
434 /* print original application level protocol when it have been changed
435 because of STARTTLS, HTTP CONNECT, or similar. */
436 if (f->alproto_orig != ALPROTO_UNKNOWN) {
437 jb_set_string(js, "from_proto",
438 AppLayerGetProtoName(f->alproto_orig));
439 }
440
441 /* Close the tls object. */
442 jb_close(js);
443
444 OutputJsonBuilderBuffer(js, aft->file_ctx, &aft->buffer);
445 jb_free(js);
446
447 return 0;
448 }
449
JsonTlsLogThreadInit(ThreadVars * t,const void * initdata,void ** data)450 static TmEcode JsonTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
451 {
452 JsonTlsLogThread *aft = SCCalloc(1, sizeof(JsonTlsLogThread));
453 if (unlikely(aft == NULL)) {
454 return TM_ECODE_FAILED;
455 }
456
457 if (initdata == NULL) {
458 SCLogDebug("Error getting context for eve-log tls 'initdata' argument NULL");
459 goto error_exit;
460 }
461
462 aft->buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
463 if (aft->buffer == NULL) {
464 goto error_exit;
465 }
466
467 /* use the Output Context (file pointer and mutex) */
468 aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
469
470 aft->file_ctx = LogFileEnsureExists(aft->tlslog_ctx->file_ctx, t->id);
471 if (!aft->file_ctx) {
472 goto error_exit;
473 }
474 *data = (void *)aft;
475 return TM_ECODE_OK;
476
477 error_exit:
478 if (aft->buffer != NULL) {
479 MemBufferFree(aft->buffer);
480 }
481 SCFree(aft);
482 return TM_ECODE_FAILED;
483 }
484
JsonTlsLogThreadDeinit(ThreadVars * t,void * data)485 static TmEcode JsonTlsLogThreadDeinit(ThreadVars *t, void *data)
486 {
487 JsonTlsLogThread *aft = (JsonTlsLogThread *)data;
488 if (aft == NULL) {
489 return TM_ECODE_OK;
490 }
491
492 MemBufferFree(aft->buffer);
493
494 /* clear memory */
495 memset(aft, 0, sizeof(JsonTlsLogThread));
496
497 SCFree(aft);
498 return TM_ECODE_OK;
499 }
500
OutputTlsInitCtx(ConfNode * conf)501 static OutputTlsCtx *OutputTlsInitCtx(ConfNode *conf)
502 {
503 OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
504 if (unlikely(tls_ctx == NULL))
505 return NULL;
506
507 tls_ctx->flags = LOG_TLS_DEFAULT;
508 tls_ctx->fields = 0;
509
510 if (conf == NULL)
511 return tls_ctx;
512
513 const char *extended = ConfNodeLookupChildValue(conf, "extended");
514 if (extended) {
515 if (ConfValIsTrue(extended)) {
516 tls_ctx->flags = LOG_TLS_EXTENDED;
517 }
518 }
519
520 ConfNode *custom = ConfNodeLookupChild(conf, "custom");
521 if (custom) {
522 tls_ctx->flags = LOG_TLS_CUSTOM;
523 ConfNode *field;
524 TAILQ_FOREACH(field, &custom->head, next)
525 {
526 TlsFields *valid_fields = tls_fields;
527 for ( ; valid_fields->name != NULL; valid_fields++) {
528 if (strcasecmp(field->val, valid_fields->name) == 0) {
529 tls_ctx->fields |= valid_fields->flag;
530 break;
531 }
532 }
533 }
534 }
535
536 const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
537 if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
538 tls_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
539 }
540
541 if ((tls_ctx->fields & LOG_TLS_FIELD_JA3) &&
542 Ja3IsDisabled("fields")) {
543 /* JA3 is disabled, so don't log any JA3 fields */
544 tls_ctx->fields &= ~LOG_TLS_FIELD_JA3;
545 tls_ctx->fields &= ~LOG_TLS_FIELD_JA3S;
546 }
547
548 if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
549 (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
550 SCLogWarning(SC_WARN_DUPLICATE_OUTPUT,
551 "Both 'certificate' and 'chain' contains the top "
552 "certificate, so only one of them should be enabled "
553 "at a time");
554 }
555
556 return tls_ctx;
557 }
558
OutputTlsLogDeinitSub(OutputCtx * output_ctx)559 static void OutputTlsLogDeinitSub(OutputCtx *output_ctx)
560 {
561 OutputTlsCtx *tls_ctx = output_ctx->data;
562 SCFree(tls_ctx);
563 SCFree(output_ctx);
564 }
565
OutputTlsLogInitSub(ConfNode * conf,OutputCtx * parent_ctx)566 static OutputInitResult OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
567 {
568 OutputInitResult result = { NULL, false };
569 OutputJsonCtx *ojc = parent_ctx->data;
570
571 OutputTlsCtx *tls_ctx = OutputTlsInitCtx(conf);
572 if (unlikely(tls_ctx == NULL))
573 return result;
574
575 OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
576 if (unlikely(output_ctx == NULL)) {
577 SCFree(tls_ctx);
578 return result;
579 }
580
581 tls_ctx->file_ctx = ojc->file_ctx;
582 tls_ctx->cfg = ojc->cfg;
583
584 if ((tls_ctx->fields & LOG_TLS_FIELD_CERTIFICATE) &&
585 (tls_ctx->fields & LOG_TLS_FIELD_CHAIN)) {
586 SCLogWarning(SC_WARN_DUPLICATE_OUTPUT,
587 "Both 'certificate' and 'chain' contains the top "
588 "certificate, so only one of them should be enabled "
589 "at a time");
590 }
591
592 output_ctx->data = tls_ctx;
593 output_ctx->DeInit = OutputTlsLogDeinitSub;
594
595 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
596
597 result.ctx = output_ctx;
598 result.ok = true;
599 return result;
600 }
601
JsonTlsLogRegister(void)602 void JsonTlsLogRegister (void)
603 {
604 /* register as child of eve-log */
605 OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TLS, "eve-log",
606 "JsonTlsLog", "eve-log.tls", OutputTlsLogInitSub, ALPROTO_TLS,
607 JsonTlsLogger, TLS_HANDSHAKE_DONE, TLS_HANDSHAKE_DONE,
608 JsonTlsLogThreadInit, JsonTlsLogThreadDeinit, NULL);
609 }
610