Bug #7332
Updated by Juliana Fajardini Reichow about 1 month ago
h3. When enabling the custom field @subjectaltname@ in custom logging, @subjectaltname@, the JSON schema validator complains that the @issuerdn@ key is duplicated: <pre><code class="shell"> tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS </code></pre> (output from modified version of SV test using @ja4-tls@ test's pcap) Relevant YAML config: <pre><code class="yaml"> outputs:¬ - eve-log:¬ enabled: yes¬ types:¬ - tls:¬ extended: yes # enable this for extended logging information¬ custom: [subject, issuer, subjectaltname]¬ </code></pre> TLS event (stripped of non-tls fields for readability): <pre><code class="json"> { "event_type":"tls", "pkt_src":"wire/pcap", "tls":{ "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS", "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS" } } </code></pre> Investigation indicates that when logging the subject alternative name in custom logging, we were actually calling the @issuerdn@ logging function.