Question about missing cert expired notice...

Hi all,

We’re running Bro 2.5.3, and I’ve noticed that what seems to be the same certificate sometimes gets flagged as expired, sometimes not. For instance, here are the log entries associated with two connection UIDs, one set that generated an ‘expired cert’ notice, and one that didn’t. Given that the hashes for the cert are the same, I would think both should have been classified one way or the other. I’ve replaced the two IPs with 10.x.x.x and 178.x.x.x, but they were consistent across both connection UIDs.

CERT APPARENTLY VALID

grep CNPeEy2dKUx3LGty0k *

conn.21:23:00-21:24:00.log:1563845011.183787 CNPeEy2dKUx3LGty0k 10.x.x.x 55847 178.x.x.x 443 tcp ssl 1.673746 373 3246 SF T F 190 ShADadFf 7475 8 3574 (empty)

files.21:23:00-21:24:00.log:1563845011.430465 FWRyJzWEVQN1qjrxd 178.x.x.x 10.x.x.x CNPeEy2dKUx3LGty0k SSL 0 SHA256,X509,SHA1,MD5 application/pkix-cert - 0.000000 FF 1368 - 0 0 F - 8f63ea9982d47eaedde789dc7d81c4bb a4875d27ad671e92703eec7145b76297ad2ee476 76221dfe013cc6fd2b46294e823349be51617b5eee8069c53da32502b6b1a099 – - 10.x.x.x 178.x.x.x tcp - - - - -

files.21:23:00-21:24:00.log:1563845011.430465 FiWpkz4BkQGSWA36O7 178.x.x.x 10.x.x.x CNPeEy2dKUx3LGty0k SSL 0 SHA256,X509,SHA1,MD5 application/pkix-cert - 0.000000 FF 1174 - 0 0 F - b15409274f54ad8f023d3b85a5ecec5d e6a3b45b062d509b3382282d196efe97d5956ccb 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d – - 10.x.x.x 178.x.x.x tcp - - - - -

ssl.21:23:00-21:24:00.log:1563845011.305071 CNPeEy2dKUx3LGty0k 10.x.x.x 55847 178.x.x.x 443 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - adserver.video F - - FFWRyJzWEVQN1qjrxd,FiWpkz4BkQGSWA36O7 (empty) - - - - - - - - - - - - -

weird.21:23:00-21:24:00.log:1563845011.430440 CNPeEy2dKUx3LGty0k 10.x.x.x 55847 178.x.x.x 443 window_recision - F main-s0f0-1

WHOOPS - LOOKS LIKE CERT IS INVALID

grep CsnEaj44xdEyJva9W8 *

conn.21:23:00-21:24:00.log:1563845012.953787 CsnEaj44xdEyJva9W8 10.x.x.x 55936 178.x.x.x 443 tcp ssl 0.436407 405 3246 SF T F 0 ShADadFf 7697 8 3574 (empty)

files.21:23:00-21:24:00.log:1563845013.144430 F7hMB24QQdYAnV68Ia 178.x.x.x 10.x.x.x CsnEaj44xdEyJva9W8 SSL 0 SHA256,X509,SHA1,MD5 application/pkix-cert - 0.000000 FF 1368 - 0 0 F - 8f63ea9982d47eaedde789dc7d81c4bb a4875d27ad671e92703eec7145b76297ad2ee476 76221dfe013cc6fd2b46294e823349be51617b5eee8069c53da32502b6b1a099 – - 10.x.x.x 178.x.x.x tcp - - - - -

files.21:23:00-21:24:00.log:1563845013.144430 FjcGCY1SisKJ6ZzYD2 178.x.x.x 10.x.x.x CsnEaj44xdEyJva9W8 SSL 0 SHA256,X509,SHA1,MD5 application/pkix-cert - 0.000000 FF 1174 - 0 0 F - b15409274f54ad8f023d3b85a5ecec5d e6a3b45b062d509b3382282d196efe97d5956ccb 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d – - 10.x.x.x 178.x.x.x tcp - - - - -

notice.21:23:00-21:24:00.log:1563845013.441985 CsnEaj44xdEyJva9W8 10.x.x.x 55936 178.x.x.x - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (certificate has expired) CN=adserver.video 10.x.x.x 178.x.x.x 443 - main-s0f0-1 Notice::ACTION_LOG 3600.000000 F - - - - -

ssl.21:23:00-21:24:00.log:1563845013.048317 CsnEaj44xdEyJva9W8 10.x.x.x 55936 178.x.x.x 443 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - adserver.video F - - TF7hMB24QQdYAnV68Ia,FjcGCY1SisKJ6ZzYD2 (empty) CN=adserver.video CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US - - certificate has expired - - - - - - –

weird.21:23:00-21:24:00.log:1563845013.142121 CsnEaj44xdEyJva9W8 10.x.x.x 55936 178.x.x.x 443 window_recision - F main-s0f0-1

Does anyone have any thoughts? Are these actually the same certs? Anyone know if this 1) is a bug and 2) is fixed in later versions?

Thanks,
jason

Hi Jason,

> We're running Bro 2.5.3,

first - to state the obvious - please upgrade your installation. There
are _multiple_ security issues in 2.5.3. These can be at least used to
crash your installation.

> ssl.21:23:00-21:24:00.log:1563845011.305071 CNPeEy2dKUx3LGty0k 10.x.x.x 55847 178.x.x.x 443 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - adserver.video F - - FFWRyJzWEVQN1qjrxd,FiWpkz4BkQGSWA36O7 (empty) - - - - - - - - - - - - -

Actually - no certificate validation was performed at all here (the entries
that would state anything about validity simply are not present, meaning
that the validation code was not run).

The reason for that is probably a bug in 2.5.x - in versions before 2.6,
certificate validation was only performed if the connection was recognized
as established. If packets were missing at the right time of the
connection, this did not happen; there also were some edge-cases where the
detection failed.

This is fixed in 2.6.x.

Johanna
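A log audit for the case Johanna describes, added here as an example that is neither part of this thread nor Bro/Zeek's own code: it parses ssl.log and files.log by their #fields headers, groups connections by the leaf certificate's SHA1, and separates connections where validation ran from those where validation_status is empty even though a certificate chain was seen. The sample logs are constructed (IPs masked as in the thread, files.log cut down to the columns the audit uses); the column set is Bro 2.5's ssl.log.

```python
from collections import defaultdict

# Constructed sample logs (tab-separated; Bro 2.5-style ssl.log columns, files.log
# reduced to the columns needed). The two ssl rows mirror the thread: same leaf-cert
# SHA1, but only the connection with established=T carries a validation_status.
SSL_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tcurve\tserver_name\tresumed\tlast_alert\tnext_protocol\testablished\tcert_chain_fuids\tclient_cert_chain_fuids\tsubject\tissuer\tclient_subject\tclient_issuer\tvalidation_status
1563845011.305071\tCNPeEy2dKUx3LGty0k\t10.x.x.x\t55847\t178.x.x.x\t443\tTLSv12\tTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\t-\tadserver.video\tF\t-\t-\tF\tFWRyJzWEVQN1qjrxd,FiWpkz4BkQGSWA36O7\t(empty)\t-\t-\t-\t-\t-
1563845012.953787\tCsnEaj44xdEyJva9W8\t10.x.x.x\t55936\t178.x.x.x\t443\tTLSv12\tTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\t-\tadserver.video\tF\t-\t-\tT\tF7hMB24QQdYAnV68Ia,FjcGCY1SisKJ6ZzYD2\t(empty)\tCN=adserver.video\tCN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US\t-\t-\tcertificate has expired
"""
FILES_LOG = """#fields\tfuid\tconn_uids\tsha1
FWRyJzWEVQN1qjrxd\tCNPeEy2dKUx3LGty0k\ta4875d27ad671e92703eec7145b76297ad2ee476
FiWpkz4BkQGSWA36O7\tCNPeEy2dKUx3LGty0k\te6a3b45b062d509b3382282d196efe97d5956ccb
F7hMB24QQdYAnV68Ia\tCsnEaj44xdEyJva9W8\ta4875d27ad671e92703eec7145b76297ad2ee476
FjcGCY1SisKJ6ZzYD2\tCsnEaj44xdEyJva9W8\te6a3b45b062d509b3382282d196efe97d5956ccb
"""

def parse_zeek_log(text):
    """Parse a Zeek/Bro ASCII log by its #fields header into a list of dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def audit_validation(ssl_text, files_text):
    """Group ssl.log rows by leaf-cert SHA1 into 'validated' and 'skipped' buckets."""
    sha1_of = {r["fuid"]: r["sha1"] for r in parse_zeek_log(files_text)}
    report = defaultdict(lambda: {"validated": [], "skipped": []})
    for r in parse_zeek_log(ssl_text):
        if r["cert_chain_fuids"] in ("-", "(empty)"):
            continue  # no server cert seen: nothing to audit
        leaf = r["cert_chain_fuids"].split(",")[0]
        # cert chain present but validation_status unset: validation never ran here
        bucket = "skipped" if r["validation_status"] == "-" else "validated"
        report[sha1_of.get(leaf, leaf)][bucket].append(
            (r["uid"], r["established"], r["validation_status"]))
    return dict(report)

def inconsistent_certs(report):
    """SHA1s validated on some connections but skipped on others (the thread's symptom)."""
    return sorted(h for h, v in report.items() if v["validated"] and v["skipped"])

if __name__ == "__main__":
    print(inconsistent_certs(audit_validation(SSL_LOG, FILES_LOG)))
```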