[Bro] Detection of SSL clients which invalidate server cert

Emmanuel TORQUATO Emmanuel.TORQUATO at monext.net
Wed Apr 15 08:00:52 PDT 2015

Hello Johanna,

Thanks for your reply. We have done a test with BRO and a tcpdump and in fact client send a SSL alert with "bad certificate". And Bro do the job beautifully and insert "bad_certificate" in the "last_alert" field.



-----Message d'origine-----
De : Johanna Amann [mailto:johanna at icir.org] 
Envoyé : mercredi 15 avril 2015 15:17
À : Emmanuel TORQUATO
Cc : bro at bro.org
Objet : Re: [Bro] Detection of SSL clients which invalidate server cert

Hello Emmanuel,

On Wed, Apr 15, 2015 at 11:57:22AM +0200, Emmanuel TORQUATO wrote:
> I am searching a way to detect SSL clients which invalidate the server 
> Cert during the SSL Handshake and refused the SSL connection 
> establishment. Is there a way to do this with Bro? Does ssl_alert 
> event can catch this ?

Yes, there probably is a way to do it, but it will involve quite a bit of manual work.

First - I do not really think that the way that clients handle this case is completely specified. You will probably have to examine the network traffic of different clients, determine how exactly they are ending the connection in this case, identify the client in your Bro script (usually using the cipher suite they send), and then watch for that kind of traffic.

E.g., at least ~1 year ago, Chrome just used to send TCP resets in connections where it did not accept the server certificate. Hence, if you have a client where the cipher suites it specifies match chrome, and you see a certificate exchange followed by a client-initiated reset, it probably rejected the certificate.

Sadly I do not think there is a trivial way to measuer that.

I hope this helps,

More information about the Bro mailing list