68

Google is surprisingly mute on this issue.

In my company's web software error logs, we're seeing multiple individuals with an Apache access log entry that has this in it: `... HTTP/1.1" 500 - "-" "Test Certificate Info"`

I have no clue what piece of software this comes from or why it's sending us requests with malformed URLs... but it'd be nice to find out... and perhaps to correct it if it's open source software. :)

(This might be a ServerFault question, but I'm a developer so I figured I'd ask here first.)

ckrailo
  • Maybe it's using sample code from here? http://blogs.msdn.com/b/jpsanders/archive/2009/04/17/how-to-get-certificate-information-using-wininet-apis.aspx – Zarel Jun 22 '10 at 21:28
  • Anyone know why somebody would want to get certificate info using this script? Our site is hit with a HEAD and the same user agent as in the MSDN code, I just don't know what the purpose of someone doing it would be. – JeremyWeir Aug 17 '10 at 18:43
  • The purpose is to try and find SSL vulnerabilities. – Piotr Kula Oct 28 '15 at 14:06

3 Answers

62

My guess is that someone read this and didn't end up changing the example code.

edhgoose
Andrew Song
  • So far, that's our guess too. – ckrailo Jun 22 '10 at 21:34
  • Ha! Just had exactly this issue, bloody cowboys! Now I have to hack my error logger to prevent this from spamming my logs! – Andrew Bullock Nov 03 '11 at 15:44
  • This is starting to deserve an RFC or an addition to HTTP libraries ... :( – dgilperez Sep 30 '14 at 15:51
  • Well, having in mind recent flaw discoveries in OpenSSL, could this not be a malicious checkup from a potential attacker? Would it be possible to collect information about insecure sites this way? – lubosdz Oct 02 '14 at 08:44
  • The original sample code has been changed but can be found in the Internet Archive here: https://web.archive.org/web/20100715071639/http://blogs.msdn.com/b/jpsanders/archive/2009/04/17/how-to-get-certificate-information-using-wininet-apis.aspx – einnocent Nov 10 '14 at 23:22
  • Seems this code is still out there, got a few of these today! – DavidG Dec 23 '16 at 02:42
  • It's still around! o.O Just had this in my logs: `[18/Sep/2017:19:03:38 +0200] : 84.92.48.65 : "musicchris.de:443" "HEAD /https://musicchris.de/ HTTP/1.1" "Test Certificate Info" 403 0` see also: http://geoiplookup.net/ip/84.92.48.65 :P – chris_blues Sep 18 '17 at 17:23
9

It's used in some sample code on an MSDN blog for getting SSL cert info. So basically it could be any C++ app which has lifted the code from there, or used that as a basis. Or any other app which happens to use the same UA string, of course.

The point in the sample is just to complete the SSL handshake so it can get certificate info, and it seems to pass in an awful lot of NULLs to HttpOpenRequest, so the error is to be expected and rather inconsequential.

edhgoose
Chris
  • Thanks! It's not causing us problems... we just wanted to know if we should go ahead and start filtering it out of our error log emails. :) – ckrailo Jun 22 '10 at 21:56
  • If that user agent is present, auto ban the IP in the firewall. Not sure why they're doing that anyway, but it's causing errors, and it seems a lot of various IPs are doing this now. Most likely testing for SSL vulnerabilities or something. BANNED but +1 for you :) – Piotr Kula Oct 28 '15 at 13:58
8

For those of you that don't want your logs spammed with this script kiddie nonsense, you can add the following filteringRules to your web.config file to block the user agent entirely:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <filteringRules>
          <filteringRule name="Block Bad User Agent" scanUrl="false" scanQueryString="false">
            <scanHeaders>
              <add requestHeader="User-Agent" />
            </scanHeaders>
            <denyStrings>
              <add string="Test Certificate Info" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```
  • I get an Intellisense syntax error on the filteringRules element (Visual Studio 2019). I don't think it prevents the filtering from working however. – Mike Jun 01 '20 at 09:33
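
To measure how much of this traffic a server receives before filtering or blocking it, the following added example (not code from the question, the answers or the MSDN sample) scans Apache combined-format log lines for the `Test Certificate Info` user agent and flags request targets that embed a full URL, like the `HEAD /https://musicchris.de/` entry quoted in a comment above. The sample log lines, the IP addresses and the `summarize_probes` name are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
PROBE_AGENT = "Test Certificate Info"                 # UA string from the question
ABSOLUTE_IN_PATH = re.compile(r"^/https?://", re.I)   # e.g. "HEAD /https://host/"

# Constructed sample lines (documentation IP ranges, example.com); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2010:21:20:01 +0000] "HEAD /https://www.example.com/ HTTP/1.1" 500 - "-" "Test Certificate Info"
198.51.100.7 - - [22/Jun/2010:21:20:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Jun/2010:21:21:44 +0000] "HEAD /https://www.example.com/ HTTP/1.1" 500 - "-" "Test Certificate Info"
203.0.113.9 - - [22/Jun/2010:21:25:13 +0000] "HEAD / HTTP/1.1" 403 - "-" "Test Certificate Info"
this line is not in combined format
"""

def summarize_probes(log_text):
    """Return per-client counts of requests carrying the probe User-Agent."""
    hits = Counter()       # ip -> number of probe requests
    malformed = Counter()  # ip -> probes whose target embeds an absolute URL
    statuses = Counter()   # status code -> count, to see how the server responds
    skipped = 0
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            skipped += 1   # unparseable lines are counted, not silently dropped
            continue
        if m["agent"] != PROBE_AGENT:
            continue
        hits[m["ip"]] += 1
        statuses[m["status"]] += 1
        if ABSOLUTE_IN_PATH.match(m["target"]):
            malformed[m["ip"]] += 1
    return {"hits": hits, "malformed": malformed, "statuses": statuses, "skipped": skipped}

if __name__ == "__main__":
    report = summarize_probes(SAMPLE_LOG)
    for ip, n in report["hits"].most_common():
        print(f"{ip}: {n} probe(s), {report['malformed'][ip]} with URL-in-path")
    print("statuses:", dict(report["statuses"]), "unparsed lines:", report["skipped"])
```

A high share of 500 responses in the status summary points at the application's own handling of the malformed target, which is worth fixing independently of any user-agent block.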