Invalid_Server_Cert entries in notice.log

I am seeing a lot of entries in notice.log for invalid SSL certs: SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate)

These are for legitimate sites that I think have valid SSL certs. When I go to the IP listed in a web browser they do indeed have valid certificates.

Is there any way to further verify that nothing strange is going on? And if everything is ok, is there a way to suppress these warnings for sites that do have valid certs, so that if any users visit sites with self-signed or otherwise invalid certificates they’ll stand out in the notice.log?

A few examples from notice.log:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-11-02-20-28-34
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1414989068.580505 CyZhPK15RzCUnN7ura 192.168.1.143 49285 134.170.165.251 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=fe2.update.microsoft.com,OU=WUPDS,O=Microsoft,L=Redmond,ST=Washington,C=US 192.168.1.143 134.170.165.251 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414989315.341931 C1Ll1O381lfcKl4H3k 192.168.1.105 57151 17.158.52.16 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US 192.168.1.105 17.158.52.16 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414989316.321356 CHwvguxImPT6pSiU7 192.168.1.105 57152 17.158.52.77 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US 192.168.1.105 17.158.52.77 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414989495.154433 C6TtbD2IR6tOvyBEze 192.168.1.195 50506 72.32.45.19 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=giga.logs.roku.com,O=Roku\, Inc.,ST=California,C=US 192.168.1.195 72.32.45.19 443 bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414989678.402401 C2uDCc4cE0Brc2GUV1 192.168.1.143 49387 184.180.124.10 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=MA,C=US 192.168.1.143 184.180.124.10 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414990083.832444 C4Z0274jeydu7rN8G1 192.168.1.105 57356 17.158.52.69 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US 192.168.1.105 17.158.52.69 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1414990161.080209 CKVmf6WV0KGxfT3T7 192.168.1.105 57369 17.158.52.68 443 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US 192.168.1.105 17.158.52.68 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -

Hello Jeff,

> I am seeing a lot of entries in notice.log for invalid SSL certs:
> SSL::Invalid_Server_Cert SSL certificate validation failed with
> (unable to get local issuer certificate)
>
> These are for legitimate sites that I think have valid SSL certs. When
> I go to the IP listed in a web browser they do indeed have valid
> certificates.

You stumbled across one of the slightly annoying parts of the current
certificate ecosystem here. What happens is that those servers are not
sending a complete certificate chain. Instead, they only send the end-host
certificates without the intermediate CA certificates that are necessary
for verification.

Browsers tend to still be able to verify the end-host certificates, even
when the intermediates are missing. For example, Firefox just keeps a
cached list of all intermediate certificates it ever encounters and uses
those to build the chain, and browsers like Chrome use an extension field
present in the certificate to automatically download missing intermediate
certs.

> Is there any way to further verify that nothing strange is going on? And
> if everything is ok, is there a way to suppress these warnings for sites
> that do have valid certs, so that if any users visit sites with
> self-signed or otherwise invalid certificates they’ll stand out in the
> notice.log?

There is nothing strange going on and, sadly, at the moment there is
nothing you can do about these notices. The sites are not sending complete
chains that can easily be verified and it is not easy to replicate browser
behavior in those instances. You can also verify that if you use tools
like wget or curl, they also will complain about certificate mismatches
(they use similar code to Bro for certificate verification).

I hope this clears things up a bit,
Johanna
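The following is an added example, not part of the original thread and not Bro's or the mailing list's own code. It reproduces the situation Johanna describes with a throwaway three-tier PKI (root CA, intermediate CA, end-host certificate) built with the openssl command line: verifying the end-host certificate against the root alone, which is all Bro has when a server omits its intermediate, fails with exactly "unable to get local issuer certificate", while the same certificate verifies once the intermediate is supplied. It also prints the Authority Information Access field that browsers such as Chrome use to fetch a missing issuer. All names and URLs (Example Root CA, www.example.test, pki.example.test) are constructed placeholders; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: toy PKI to show why a missing intermediate breaks verification.
# Everything is created in a temporary directory that is removed on exit.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config file: a dummy DN section for CSRs plus three extension profiles.
# The caIssuers URI is a constructed placeholder, not a real server.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:http://pki.example.test/int.der
EOF

# Small EC keys keep the example fast.
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root (self-signed) -> intermediate (signed by root) -> leaf (signed by intermediate).
build_toy_pki() {
  newkey "$WORK/root.key"
  openssl req -x509 -new -key "$WORK/root.key" -sha256 -days 2 \
    -subj "/CN=Example Root CA" -config "$WORK/openssl.cnf" \
    -extensions v3_root -out "$WORK/root.pem"

  newkey "$WORK/int.key"
  openssl req -new -key "$WORK/int.key" -sha256 -subj "/CN=Example Intermediate CA" \
    -config "$WORK/openssl.cnf" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_int \
    -out "$WORK/int.pem" 2>/dev/null

  newkey "$WORK/leaf.key"
  openssl req -new -key "$WORK/leaf.key" -sha256 -subj "/CN=www.example.test" \
    -config "$WORK/openssl.cnf" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Trust store = root only, no intermediate available: this is what Bro (and
# wget/curl) see when the server sends just its end-host certificate.
# The non-zero exit status is swallowed so the text can be inspected under set -e.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Same trust store, but the intermediate is supplied as untrusted chain
# material, as a complete server chain (or a browser's cached/fetched copy) would.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 || true
}

# The extension a browser can follow to download the missing issuer certificate.
show_issuer_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A2 'Authority Information Access' || true
}

build_toy_pki
echo "== root only (intermediate missing) =="; verify_without_intermediate
echo "== root + intermediate =="; verify_with_intermediate
echo "== where a browser could fetch the intermediate =="; show_issuer_url
```

The first verify prints "unable to get local issuer certificate", the second ends in "OK", and the third shows the "CA Issuers - URI:" entry. Pointing the same `openssl verify -CAfile` call at a certificate saved from one of the servers in the notices reproduces the Bro result, and adding the intermediate with `-untrusted` confirms that the certificate itself is fine and only the served chain is incomplete.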