[Bro] Invalid_Server_Cert entries in notice.log

Johanna Amann johanna at icir.org
Mon Nov 3 08:52:35 PST 2014


Hello Jeff,

> I am seeing a lot of entries in notice.log for invalid SSL certs;
> SSL::Invalid_Server_Cert	SSL certificate validation failed with
> (unable to get local issuer certificate)
>
> These are for legitimate sites, that I think have valid SSL certs. When
> I go to the IP listed in a web browser they do indeed have valid
> certificates.

You stumbled across one of the slightly annoying parts of the current
certificate ecosystem here. What happens is that those servers are not
sending a complete certificate chain. Instead, they only send the end-host
certificates without the intermediate CA certificates that are necessary
for verification.

Browsers tend to still be able to verify the end-host certificates, even
when the intermediates are missing. For example, Firefox just keeps a
cached list of all intermediate certificates it ever encounters and uses
those to build the chain, and browsers like Chrome use an extension field
present in the certificate to automatically download missing intermediate
certs.

> Is there any way to further verify that nothing strange is going on. And
> if everything is ok, is there a way suppress these warnings for sites
> that do have valid certs, so that if any users visit sites with self
> signed or otherwise invalid certificates they’ll stand out in the
> notice.log?

There is nothing strange going on and, sadly, at the moment there is
nothing you can do about these notices. The sites are not sending complete
chains that can easily be verified and it is not easy to replicate browser
behavior in those instances. You also can verify that if you use tools
like wget or curl, they also will complain about certificate mismatches
(they use similar code to Bro for certificate verification).

I hope this clears things up a bit,
 Johanna
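The following script is an added example and is not part of the thread or of Bro itself. It builds a throw-away root -> intermediate -> leaf chain with the openssl command line, then runs the same OpenSSL path validation that Bro, curl and wget rely on: once with only the leaf (what the servers in the question send) and once with the intermediate supplied as an untrusted extra certificate (what a complete chain looks like). It also prints the leaf's Authority Information Access "CA Issuers" pointer, the extension field Chrome follows to fetch a missing intermediate. All subject names, file paths and the AIA URI are constructed placeholders; the URI is never contacted.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the
# "unable to get local issuer certificate" outcome with a synthetic chain.
# Everything below (names, paths, the AIA URI) is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/demo.cnf"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.com
# AIA "CA Issuers": the pointer a browser can follow to fetch the missing
# intermediate. Placeholder URI, never fetched by this script.
authorityInfoAccess = caIssuers;URI:http://pki.example.com/intermediate.cer
EOF
}

build_chain() {
  write_config
  # Self-signed root CA: the only certificate the verifier will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$CFG" -extensions ca_ext \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$CFG" -extensions ca_ext -out "$WORK/intermediate.pem" 2>/dev/null
  # End-host certificate, issued by the intermediate: what the server sends.
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -extfile "$CFG" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate the leaf trusting only the root. $1 (optional) is an extra,
# untrusted certificate file the "server" sent alongside the leaf.
# Prints OK on success; otherwise prints OpenSSL's reason and returns 1.
verify_leaf() {
  extra=""
  if [ $# -gt 0 ]; then extra="-untrusted $1"; fi
  if msg="$(openssl verify -CAfile "$WORK/root.pem" $extra "$WORK/leaf.pem" 2>&1)"; then
    echo OK
  else
    echo "$msg" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p'
    return 1
  fi
}

# Extract the AIA "CA Issuers" URI from the leaf certificate.
leaf_ca_issuers_uri() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

build_chain
echo "Server sends only the leaf:        $(verify_leaf || true)"
echo "Server sends leaf + intermediate:  $(verify_leaf "$WORK/intermediate.pem")"
echo "AIA CA Issuers URI in the leaf:    $(leaf_ca_issuers_uri)"
```

The first verification fails with exactly the reason quoted in the notice.log entry, because OpenSSL has no way to get from the leaf to the trusted root without the intermediate; the second succeeds as soon as the intermediate is made available. A Bro notice of this kind is therefore a statement about what the server put on the wire, not about whether the certificate itself is forged.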


