ssl.py: In the "Incompatible CN" detection, check the CN from the sub…

…ject field, not the issuer field.
stratosphereips · Jan 29, 2025 · 680a70f · 680a70f
1 parent fed8f11
commit 680a70f
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/modules/flowalerts/ssl.py b/modules/flowalerts/ssl.py
@@ -90,12 +90,12 @@ def detect_incompatible_cn(self, twid, flow):
         Detects if a certificate claims that it's CN (common name) belongs
         to an org that the domain doesn't belong to
         """
-        if not flow.issuer:
+        if not flow.subject:
             return False
 
         found_org_in_cn = ""
         for org in utils.supported_orgs:
-            if org not in flow.issuer.lower():
+            if org not in flow.subject.lower():
                 continue
 
             # save the org this domain/ip is claiming to belong to,
@@ -116,6 +116,8 @@ def detect_incompatible_cn(self, twid, flow):
                 return False
 
         if not found_org_in_cn:
+            # the certificate doesn't claim to belong to any of slips known
+            # orgs
             return False
 
         # found one of our supported orgs in the cn but