Get it here
Text snippet help:
redef SSL_KnownCerts::logged_hosts = AllHosts;When this script really becomes cool is when you have DPD enabled (i'll write a post on how to do that soon). If DPD is enabled, you will actually be detecting SSL on all ports and then logging the X.509 certificate in the log just the same as SSL on the normal ports like 443/tcp and 995/tcp.
18.104.22.168 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.comThose fields are tab separated too, so they're nice and easy to parse. More tomorrow hopefully!
22.214.171.124 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.mail.google.com
126.96.36.199 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google-analytics.com
188.8.131.52 443 /C=US/postalCode=43210/ST=OH/L=Columbus/streetAddress=250 West Woodruff Avenue/O=The Ohio State University/OU=Office of Information Technology/OU=Hosted by The Ohio State University/OU=Comodo PremiumSSL Wildcard/CN=*.osu.edu