ssl established but no validation status

Palumbo_Mauro · October 31, 2019, 3:48pm

Hi there,

I have a question related to the ssl.log. As I am no expert of the SSL protocol, it is higly probable that I am missing something here.

I noticed in the ssl.log several cases where the field “established” is T, but there is no certificate found (no fuids) and the field validation_status in empty (-). In the code I saw that the field “established” is set to T if the event ssl_established is generated. Is it possible to establish an ssl session without certificates? Is it because some sessions can be resumed with tickets as described in RFC 5077?

I’d appreciate some help to save me some time…

Mauro

johanna · October 31, 2019, 9:15pm

Hi Mauro,

it is probably resumed connections. An indication for that is that there are no server certificates present.

Alternatively - for TLS 1.3 connections validation is not possible because the certificates are encrypted.

Johanna

Topic		Replies	Views
Writing to SSL log Zeek	6	92	May 6, 2022
Invalid_Server_Cert entries in notice.log Zeek	2	93	May 6, 2022
Adding connection data to the SSL log Zeek	6	128	May 6, 2022
Log serial number in ssl.log Zeek	6	104	May 6, 2022
Howto Zeek	6	74	May 6, 2022

ssl established but no validation status

Related topics