[Zeek] ssl established but no validation status
Johanna Amann
johanna at corelight.com
Thu Oct 31 14:15:01 PDT 2019
Hi Mauro,
it is probably resumed connections. An indication for that is that there
are no server certificates present.
Alternatively - for TLS 1.3 connections validation is not possible
because the certificates are encrypted.
Johanna
On 31 Oct 2019, at 16:48, Palumbo Mauro wrote:
> Hi there,
> I have a question related to the ssl.log. As I am no expert of the
> SSL protocol, it is higly probable that I am missing something here.
>
> I noticed in the ssl.log several cases where the field "established"
> is T, but there is no certificate found (no fuids) and the field
> validation_status in empty (-). In the code I saw that the field
> "established" is set to T if the event ssl_established is generated.
> Is it possible to establish an ssl session without certificates? Is it
> because some sessions can be resumed with tickets as described in RFC
> 5077?
>
> I'd appreciate some help to save me some time...
>
> Mauro
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
More information about the Zeek
mailing list