[Zeek] ssl established but no validation status

Johanna Amann johanna at corelight.com
Thu Oct 31 14:15:01 PDT 2019


Hi Mauro,

It is probably resumed connections. An indication of that is that there 
are no server certificates present.

Alternatively - for TLS 1.3 connections validation is not possible 
because the certificates are encrypted.

Johanna


On 31 Oct 2019, at 16:48, Palumbo Mauro wrote:

> Hi there,
>    I have a question related to the ssl.log. As I am no expert of the 
> SSL protocol, it is highly probable that I am missing something here.
>
> I noticed in the ssl.log several cases where the field "established" 
> is T, but there is no certificate found (no fuids) and the field 
> validation_status is empty (-). In the code I saw that the field 
> "established" is set to T if the event ssl_established is generated. 
> Is it possible to establish an ssl session without certificates? Is it 
> because some sessions can be resumed with tickets as described in RFC 
> 5077?
>
> I'd appreciate some help to save me some time...
>
> Mauro
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
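
An added example, not part of the original thread and not Zeek's own code: a Python triage of ssl.log in Zeek's TSV format that sorts established connections without a certificate chain into the two cases named in the reply (resumed sessions, TLS 1.3) and flags anything else. The sample log is constructed, and the reduced column set and the `TLSv13` version string are assumed to match the ssl.log your Zeek version writes.

```python
# Constructed sample: a reduced set of ssl.log columns in Zeek TSV format.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tuid\tversion\tresumed\testablished\tcert_chain_fuids\tvalidation_status",
    "CAAA01\tTLSv12\tF\tT\tFaaa1,Faaa2\tok",
    "CAAA02\tTLSv12\tT\tT\t-\t-",
    "CAAA03\tTLSv13\tF\tT\t-\t-",
    "CAAA04\tTLSv12\tF\tT\t-\t-",
    "CAAA05\tTLSv12\tF\tF\t-\t-",
    "CAAA06\tTLSv13\tT\tT\t(empty)\t-",
])

def read_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("no #fields header before first record")
            yield dict(zip(fields, line.split("\t")))

def is_unset(value):
    """Zeek writes '-' for unset fields and '(empty)' for empty containers."""
    return value in (None, "", "-", "(empty)")

def classify(rec):
    """Explain why an established connection has no validation result."""
    if rec.get("established") != "T":
        return "not_established"
    if not is_unset(rec.get("cert_chain_fuids")):
        has_status = not is_unset(rec.get("validation_status"))
        return "validated" if has_status else "chain_not_validated"
    if rec.get("resumed") == "T":
        return "resumed"                # abbreviated handshake, no certificate sent
    if rec.get("version") == "TLSv13":
        return "tls13_encrypted_certs"  # certificates not visible to Zeek
    return "unexplained"                # worth a closer look

def summarize(text):
    """Map each classification label to the list of connection uids."""
    groups = {}
    for rec in read_zeek_tsv(text):
        groups.setdefault(classify(rec), []).append(rec["uid"])
    return groups

if __name__ == "__main__":
    for label, uids in sorted(summarize(SAMPLE_SSL_LOG).items()):
        print(f"{label}: {', '.join(uids)}")
```
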

