[Bro] Detection of SSL clients which invalidate server cert

Johanna Amann johanna at icir.org
Wed Apr 15 06:17:29 PDT 2015

Hello Emmanuel,

On Wed, Apr 15, 2015 at 11:57:22AM +0200, Emmanuel TORQUATO wrote:
> I am searching for a way to detect SSL clients which invalidate the server
> cert during the SSL handshake and refuse the SSL connection
> establishment. Is there a way to do this with Bro? Can the ssl_alert event
> catch this?

Yes, there probably is a way to do it, but it will involve quite a bit of
manual work.

First - I do not really think that the way that clients handle this case
is completely specified. You will probably have to examine the network
traffic of different clients, determine how exactly they are ending the
connection in this case, identify the client in your Bro script (usually
using the cipher suite they send), and then watch for that kind of

E.g., at least ~1 year ago, Chrome just used to send TCP resets in
connections where it did not accept the server certificate. Hence, if you
have a client where the cipher suites it specifies match Chrome, and you
see a certificate exchange followed by a client-initiated reset, it
probably rejected the certificate.

Sadly I do not think there is a trivial way to measure that.

I hope this helps,


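The heuristic sketched in the reply above (fingerprint the client by its ClientHello cipher-suite list, remember that the server sent a certificate, then flag connections that end in an originator-sent TCP reset without ever reaching the established state), written out as a Bro script. This is an added example and not code from the thread or from the Bro distribution. It assumes the Bro 2.3/2.4 signatures of the ssl_client_hello, x509_certificate and connection_state_remove events, the SSL::Info established field and the conn history convention (an uppercase "R" means a reset sent by the originator). The cipher list in chrome_ciphers is a placeholder, not a measured Chrome fingerprint; it has to be filled in from a capture of the client you want to track, and the notice name and module name are made up for this example.

```bro
# Added example: detect a fingerprinted client resetting a TLS connection
# right after the server certificate, as a proxy for "client rejected cert".
# Not part of Bro; event signatures assumed to be those of Bro 2.3/2.4.

module CertReject;

export {
    redef enum Notice::Type += {
        ## A client matching chrome_ciphers sent a TCP reset after the
        ## server certificate and before the handshake completed.
        Client_Rejected_Cert
    };

    ## ClientHello cipher-suite list that identifies the client of interest,
    ## in the order the client sends it. PLACEHOLDER values (assumption):
    ## replace with the list taken from a pcap of the real client.
    const chrome_ciphers: index_vec = vector(0xc02b, 0xc02f, 0xc00a, 0xc009,
                                             0xc013, 0xc014, 0x002f, 0x0035,
                                             0x000a) &redef;
}

redef record SSL::Info += {
    ## Set when the ClientHello cipher list matched chrome_ciphers exactly.
    looks_like_chrome: bool &default=F;
    ## Set once a server-side certificate was seen on this connection.
    cert_seen: bool &default=F;
};

# Exact, order-sensitive comparison of two cipher-suite vectors.
function same_ciphers(a: index_vec, b: index_vec): bool
{
    if ( |a| != |b| )
        return F;
    for ( i in a )
        if ( a[i] != b[i] )
            return F;
    return T;
}

# Runs after the base SSL scripts have created c$ssl (they use priority 5).
event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string,
                       ciphers: index_vec) &priority=-5
{
    if ( ! c?$ssl )
        return;
    c$ssl$looks_like_chrome = same_ciphers(ciphers, chrome_ciphers);
}

# Mark every connection this certificate file belongs to; only the
# responder's (server's) certificates matter here.
event x509_certificate(f: fa_file, cert_ref: opaque of x509,
                       cert: X509::Certificate)
{
    if ( f?$is_orig && f$is_orig )
        return;
    if ( ! f?$conns )
        return;
    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        if ( c?$ssl )
            c$ssl$cert_seen = T;
        }
}

# At teardown: fingerprint matched, certificate seen, handshake never
# completed, and the originator sent a RST ("R" in the history string).
event connection_state_remove(c: connection)
{
    if ( ! c?$ssl )
        return;
    local s = c$ssl;
    if ( s$looks_like_chrome && s$cert_seen && ! s$established
         && "R" in c$history )
        NOTICE([$note=Client_Rejected_Cert,
                $conn=c,
                $msg=fmt("%s reset TLS connection to %s:%s after receiving "
                         "the server certificate without completing the "
                         "handshake", c$id$orig_h, c$id$resp_h, c$id$resp_p),
                $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p)]);
}
```

Two caveats follow directly from the reply: the reset-after-certificate pattern is only evidence, not proof, of a rejection (a client can reset for other reasons, and other clients may send a close_notify alert or simply close the socket instead), and the cipher-suite fingerprint has to be re-captured whenever the client is updated. Resumed sessions never carry a certificate, so cert_seen stays false for them and they are not flagged, which is the intended behaviour since there is no certificate to reject.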