Bug #7332
Updated by Juliana Fajardini Reichow 15 days ago
When enabling the custom field @subjectaltname@, the JSON schema validator complains that the @issuerdn@ key
is duplicated:
<pre><code class="shell">
tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
</code></pre>
(output from modified version of SV test using @ja4-tls@ test's pcap)
Relevant YAML config:
<pre><code class="yaml">
outputs:
  - eve-log:
      enabled: yes
      types:
        - tls:
            extended: yes # enable this for extended logging information
            custom: [subject, issuer, subjectaltname]
</code></pre>
TLS event (stripped of non-tls fields for readability):
<pre><code class="json">
{
  "event_type":"tls",
  "pkt_src":"wire/pcap",
  "tls":{
    "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
    "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
    "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
  }
}
</code></pre>
Investigation indicates that when logging the subject alternative name we were actually calling the @issuerdn@ logging function.
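
A duplicate-key check of the kind reported above, as an added example (not code from this ticket, Suricata or suricata-verify). The function names and the second sample record are assumptions constructed for illustration; the first sample record is the TLS event shown above on one line.

```python
import json

def find_duplicate_keys(line):
    """Return [(key, current_value, new_value), ...] for every key that is
    repeated inside any object (at any nesting level) of one EVE record."""
    dups = []

    def hook(pairs):
        # json calls this once per JSON object, with the pairs in file order,
        # before they are collapsed into a dict.
        obj = {}
        for key, value in pairs:
            if key in obj:
                dups.append((key, obj[key], value))
            obj[key] = value
        return obj

    json.loads(line, object_pairs_hook=hook)
    return dups

def check_eve(lines):
    """Scan an eve.json stream; return [(line_no, key, current, new), ...]."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for key, current, new in find_duplicate_keys(line):
            findings.append((line_no, key, current, new))
    return findings

def plain_parse_tls_keys(line):
    """What a consumer using a default JSON parser ends up with: the last
    value wins and the duplicate goes unnoticed."""
    return sorted(json.loads(line)["tls"])

# Constructed sample input: record 1 reproduces the event from this report,
# record 2 is a hypothetical record without the duplicate.
DN = "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"
SAMPLE_EVE = [
    '{"event_type":"tls","pkt_src":"wire/pcap","tls":{"subject":"%s",'
    '"issuerdn":"%s","issuerdn":"%s"}}' % (DN, DN, DN),
    '{"event_type":"tls","tls":{"subject":"%s","issuerdn":"%s"}}' % (DN, DN),
]

if __name__ == "__main__":
    for line_no, key, current, new in check_eve(SAMPLE_EVE):
        print("line %d: duplicate key error: key=%s, current value=%s, "
              "new value=%s" % (line_no, key, current, new))
```

A default parser accepts the first record without complaint and the requested @subjectaltname@ field is simply missing, which is why a check at the pair level is needed to catch this class of logging bug.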