base/files/x509/certificate-event-cache.zeek

This script sets up the certificate event cache handling of Zeek.

The Zeek core provides a method to skip certificate processing for known certificates. For more details about this functionality, see x509_set_certificate_cache.

This script uses this feature to lower the amount of processing that has to be performed by Zeek by caching all certificate events for common certificates. For these certificates, the parsing of certificate information in the core is disabled. Instead, the cached events and data structures from the previously seen copies of the certificate are used.

- Namespace: X509
- Imports
Summary

Runtime Options

- X509::caching_required_encounters: How often a certificate has to be encountered before the events for it are cached.
- X509::caching_required_encounters_interval: The timespan within which caching_required_encounters has to be reached.
- X509::certificate_cache_max_entries: Maximum size of the certificate event cache.
- X509::certificate_cache_minimum_eviction_interval: After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

- X509::x509_certificate_cache_replay: This hook performs event replays when a certificate that is already in the cache is encountered.
Detailed Interface

Runtime Options

- X509::caching_required_encounters
  How often a certificate has to be encountered before the events for it are cached. Set to 0 to disable caching of certificates.

- X509::caching_required_encounters_interval
  The timespan within which caching_required_encounters has to be reached.

- X509::certificate_cache_max_entries
  - Type
  - Attributes
  - Default: 10000
  - Redefinition: from policy/files/x509/disable-certificate-events-known-certs.zeek: = 100000
  Maximum size of the certificate event cache.

- X509::certificate_cache_minimum_eviction_interval
  After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

- X509::x509_certificate_cache_replay
  - Type: hook (f: fa_file, e: X509::Info, sha256: string) : bool
  This hook performs event replays when a certificate that is already in the cache is encountered.
  It is possible to change this behavior, or to skip sending the events altogether, by installing a higher-priority hook body instead.
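The following script is an added example, not code from the Zeek distribution or from certificate-event-cache.zeek itself. It shows both sides of the interface documented above: it redefines the four runtime options, and it installs a higher-priority body for X509::x509_certificate_cache_replay that counts cache hits and uses `break` to stop the remaining hook bodies for a configurable set of fingerprints, so no cached events are replayed for those. The module name, the option `no_replay_fingerprints`, the placeholder fingerprint value, and the assumption that `&priority=10` runs before the replay body installed by the base script are all this example's own.

```zeek
##! Added example (not part of Zeek): tune the certificate event cache and
##! observe or suppress event replays for cached certificates.

@load base/files/x509

module CertCacheTuning;

export {
	## Hypothetical: SHA-256 fingerprints (hex) whose cached events should
	## not be replayed. The value below is a constructed placeholder.
	option no_replay_fingerprints: set[string] = { "PLACEHOLDER_SHA256_HEX" };
}

# Require more sightings within a longer window before a certificate is
# cached, allow a bigger cache, and keep idle entries around longer.
redef X509::caching_required_encounters = 25;
redef X509::caching_required_encounters_interval = 10 mins;
redef X509::certificate_cache_max_entries = 50000;
redef X509::certificate_cache_minimum_eviction_interval = 30 mins;

# Cache hits seen through the replay hook, split by outcome.
global replayed: count = 0;
global skipped: count = 0;

# Assumption: priority 10 is higher than the replay body installed by
# certificate-event-cache.zeek, so this body runs first. `break` terminates
# hook processing, so the lower-priority body never replays the cached
# events for this file.
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=10
	{
	if ( sha256 in no_replay_fingerprints )
		{
		++skipped;
		break;
		}

	++replayed;
	}

event zeek_done()
	{
	print fmt("certificate cache hits: %d replayed, %d skipped", replayed, skipped);
	}
```

Run it alongside a capture with repeated TLS handshakes (for example `zeek -r trace.pcap cert-cache-tuning.zeek`, with the file name being this example's own choice) and the counters show how many certificates were served from the cache rather than re-parsed. Keep in mind that for a cache hit the X509::Info record passed to the hook comes from the earlier parse of the same certificate, so any per-sighting analysis you add in the hook is working from cached data, not a fresh parse.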