More cipher fields in certifcates

Again some new fields are added to certificates:

- cipherorder_sslv3
- cipherorder_tlsv1
- cipherorder_tlsv1_1
- cipherorder_tlsv1_2
- cipherorder_tlsv1_3

You can use these to build queries like this one, which finds all certificates on servers that still support RC4 ciphers:

index=certificates cipherorder_sslv3=*RC4* OR
cipherorder_tlsv1=*RC4* OR cipherorder_tlsv1_1=*RC4* OR 
cipherorder_tlsv1_2=*RC4* OR cipherorder_tlsv1_3=*RC4*

Bug fixes and improved software detection

Besides a bunch of bug fixes, software detection has also improved this week. Attacks on edge devices are ever increasing. We try to detect all devices and technology that are commonly targeted. This week that meant we needed to add detection of Ubuiqiti network devices.

Extra data in certificates

After fixing a bug that prevented the proper scan of the cryptographic suites used on a TLS server, it was opportune to add some extra data. There are four new fields available:

dh_groups: The list of Diffie Hellman groups used for key exchange, for instance: "RFC3526/Oakley Group 14".

ecdhe_curves: The list of Elliptic curves used in Diffie Hellman, for instance: "prime256v1"

tls12_sig_algs: The list signature algorithms used in TLS 1.2, for instance: "ECDSA+SHA256"

tls13_sig_algs: The list signature algorithms used in TLS 1.3, for instance: "ECDSA+SHA256"

These new fields are available everywhere, including in queries and the API. This example query will give you an overview of all Oaklye groups used in your certificates:

index=certificates dh_groups=*oakley* by dh_groups

Any group below 14 is considered weak these days.