Passive SSL

CIRCL Passive SSL

CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address, which makes it searchable for incident handlers, security analysts or researchers.

How do you collect the SSL certificates?

The CIRCL Passive SSL database uses public scanning datasets like the excellent scans.io project.

For more information, Passive SSL was presented at FIRST 2015 in Berlin.

How to use the service?

CIRCL Passive SSL is accessible via a REST API and the output is in JSON format.

The REST API is accessible via the following URLs. ‘query’ looks up an IP address or a CIDR block (/32 up to /23). ‘cquery’ looks up a certificate by its fingerprint and returns the IP addresses where that certificate was seen. ‘cfetch’ fetches and parses a specified certificate from the Passive SSL store by its fingerprint.

https://www.circl.lu/v2pssl/query/<CIDR block>
https://www.circl.lu/v2pssl/cquery/<SHA1 certificate fingerprint>
https://www.circl.lu/v2pssl/cfetch/<SHA1 certificate fingerprint>

Query values can be IP addresses or CIDR blocks from /32 up to /23:

https://www.circl.lu/v2pssl/query/172.228.24.0/28

and a sample JSON output:

{"172.228.24.7": {"certificates": ["37221925980c05deefac014f9a72b4765e716341", "3209cc3ce4f1c22ab64b2e4284100b0022ad2739", "4d34ea92764b3a3149119952f41930ca11348361", "6ad2b04e2196e48bf685752890e811cd2ed60606", "c43b30bf08bfb0b92c070f42f51b6980c8ada064", "30d1fd4a296ab1a8831cd56b4110a227f557bfff", "79068f16776372aa6b12b83dd2b7288298727f54"], "subjects": {"37221925980c05deefac014f9a72b4765e716341": {"values": ["C=JP, ST=Tokyo, L=Minato-ku, O=Sony corporation, OU=NPS, CN=psn-rsc.prod.dl.playstation.net"]}, "3209cc3ce4f1c22ab64b2e4284100b0022ad2739": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1"]}, "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]}, "c43b30bf08bfb0b92c070f42f51b6980c8ada064": {"values": ["C=CY, ST=Cyprus, L=Limassol, O=Blue Capital Markets Limited, OU=IT, CN=www.easy-forex.com"]}, "6ad2b04e2196e48bf685752890e811cd2ed60606": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA2"]}, "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]}, "79068f16776372aa6b12b83dd2b7288298727f54": {"values": ["C=CY, ST=Cyprus, L=Limassol, O=Easy Forex, OU=IT, CN=www.easy-forex.com"]}}},
 "172.228.24.8": {"certificates": ["4ab70b97decd784aa60395a351daf4274fd37fca", "e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12", "c46fed822dadac3f31f9bb4d1a78a1d9eae4567b", "4d34ea92764b3a3149119952f41930ca11348361", "30d1fd4a296ab1a8831cd56b4110a227f557bfff", "32f30882622b87cf8856c63db873df0853b4dd27"], "subjects": {"4ab70b97decd784aa60395a351daf4274fd37fca": {"values": ["C=US, ST=MARYLAND, L=Hanover, O=Allegis Group Inc, OU=IT, CN=*.apac.allegisgroup.com"]}, "e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12": {"values": ["C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3"]}, "c46fed822dadac3f31f9bb4d1a78a1d9eae4567b": {"values": ["1.3.6.1.4.1.311.60.2.1.3=AU/businessCategory=Private Organization/serialNumber=85 092 445 442, C=AU/postalCode=1230, ST=NSW, L=Sydney/street=680 George Street, O=HotelClub Pty. Ltd., OU=Engineering, CN=www.hotelclub.cn"]}, "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]}, "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]}, "32f30882622b87cf8856c63db873df0853b4dd27": {"values": ["C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"]}}},
 "172.228.24.9": {"certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26", "08ff9ecb28facd74dd125ded44f4e0dd6707f902", "2ea71c367d178c843fd21db4fdb630ba54a20dc5", "d10050dad40f850c2f84c215929e344ff8c9c552"], "subjects": {"780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]}, "08ff9ecb28facd74dd125ded44f4e0dd6707f902": {"values": ["serialNumber=Dyi4QNdi9bHxOhWakExUXmDdd09Ny/kj, C=US, ST=Texas, L=Dallas, O=FareCompare, LP, OU=Information Technology, CN=www.farecompare.com"]}, "2ea71c367d178c843fd21db4fdb630ba54a20dc5": {"values": ["C=US, O=thawte, Inc., CN=thawte SSL CA - G2"]}, "d10050dad40f850c2f84c215929e344ff8c9c552": {"values": ["C=US, ST=California, L=San Jose, O=Altera Corporation, OU=IT, CN=*.altera.com.cn"]}}},
 "172.228.24.10": {"certificates": ["4b948bf1b5852e1fc0a4ffd73a4087c967e2c968", "780a06f6e9b4061cad0c6502710606eb535f1c26", "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"], "subjects": {"4b948bf1b5852e1fc0a4ffd73a4087c967e2c968": {"values": ["serialNumber=votSFS5N71H6C8XC9xvyFnfXnCbjfirr, C=GB, ST=London, L=London, O=News Group Newspapers Ltd, CN=join.thesun.co.uk"]}, "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]}, "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]}}},
 "172.228.24.11": {"certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26", "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212", "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c"], "subjects": {"780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]}, "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]}, "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c": {"values": ["serialNumber=Y8t0npKVp3Fpoq45a6WRSh/ZdY9/FX3r, C=US, ST=California, L=San Diego, O=INTUIT INC., OU=Tech_Ops, CN=quickbase.intuit.com"]}}},
 "172.228.24.12": {"certificates": ["c53e73073f93ce7895de7484126bc303dab9e657", "503006091d97d4f5ae39f7cbe7927d7d652d3431", "3209cc3ce4f1c22ab64b2e4284100b0022ad2739", "aca9789a735eb253b410ccb979bb35e5e7dcdea9", "4d34ea92764b3a3149119952f41930ca11348361", "43b31c858772f17f87235272cf339c29160727c7"], "subjects": {"c53e73073f93ce7895de7484126bc303dab9e657": {"values": ["C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C"]}, "503006091d97d4f5ae39f7cbe7927d7d652d3431": {"values": ["O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"]}, "3209cc3ce4f1c22ab64b2e4284100b0022ad2739": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1"]}, "aca9789a735eb253b410ccb979bb35e5e7dcdea9": {"values": ["C=US, ST=WA, L=Seattle, O=Getty Images, Inc., OU=iStockphoto, CN=secure.istockphoto.com"]}, "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]}, "43b31c858772f17f87235272cf339c29160727c7": {"values": ["C=US, ST=Georgia, L=Atlanta, O=The Home Depot, CN=kdlms.homedepot.com"]}}},
 "172.228.24.13": {"certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26", "1a7d8d6e58caeb72bb4237ffc1c04e8d368c913a"], "subjects": {"780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]}, "1a7d8d6e58caeb72bb4237ffc1c04e8d368c913a": {"values": ["serialNumber=dVn4HhED532-1HQOwGkA/TovT-JtOEMN, C=US, ST=California, L=Rancho Dominguez, O=Onestop Internet Inc., OU=Onestop Internet, CN=www.onestop.com"]}}},
 "172.228.24.14": {"certificates": ["1ae8aaddeb4e27392c4a549a7df2d6aef4e95e7a", "30d1fd4a296ab1a8831cd56b4110a227f557bfff", "ac8f7c5bc86ef1896f2d161c32a57aab37d364da", "4136bb45dd375b8cba5f430d0a03e50edbe7410a", "4d34ea92764b3a3149119952f41930ca11348361"], "subjects": {"1ae8aaddeb4e27392c4a549a7df2d6aef4e95e7a": {"values": ["C=US, ST=SOUTH CAROLINA, L=Hilton Head Island, O=Hilton Head Island-Bluffton Chamber of Commerce, OU=IT, CN=*.hiltonheadisland.org"]}, "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]}, "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]}, "4136bb45dd375b8cba5f430d0a03e50edbe7410a": {"values": ["C=DE, ST=Baden-Wuerttemberg, L=Walldorf, O=SAP SE, OU=Cloud Infrastructure Delivery, CN=pilot.support.sap.com"]}, "ac8f7c5bc86ef1896f2d161c32a57aab37d364da": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G4"]}}},
 "172.228.24.15": {"certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26", "afe5fac5f3dae7523b7e2948d72f95f80a5b0e42"], "subjects": {"780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]}, "afe5fac5f3dae7523b7e2948d72f95f80a5b0e42": {"values": ["serialNumber=2Fr160kmOjBTWTTIe/pv4hmFm0kiNYOP, C=US, ST=California, L=Ventura, O=Patagonia, OU=Ventura, CN=www.patagonia.com"]}}}}

The query value for cquery is the SHA1 fingerprint of a certificate:

https://www.circl.lu/v2pssl/cquery/c46fed822dadac3f31f9bb4d1a78a1d9eae4567b

and returns a list of seen IP addresses for the requested certificate:

{"seen": ["149.13.33.13", "149.13.33.11", "149.13.33.4", "149.13.33.9"], "hits": 4, "certificate": "7c552ab044c76d1df4f5ddf358807bfdcd07fa57"}

The X509 certificate can be requested by its fingerprint:

https://www.circl.lu/v2pssl/cfetch/7c552ab044c76d1df4f5ddf358807bfdcd07fa57

The raw certificate is returned together with its parsed, readable form:

{
  "icsi": {
    "last_seen": "16596",
    "times_seen": "5",
    "validated": "1",
    "version": "1",
    "first_seen": "16469"
  },
  "pem": "-----BEGIN CERTIFICATE-----\nMIIFvDCCBKSgAwIBAgIDBivRMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkxV\nMRYwFAYDVQQKEw1MdXhUcnVzdCBTLkEuMR4wHAYDVQQDExVMdXhUcnVzdCBRdWFs\naWZpZWQgQ0EwHhcNMTQwNzE3MTIyNDE2WhcNMTYwNzE3MTIyNDE2WjCBwDELMAkG\nA1UEBhMCTFUxEzARBgNVBAgTCkx1eGVtYm91cmcxEzARBgNVBAcTCkx1eGVtYm91\ncmcxPTA7BgNVBAoTNENJUkNMIC0gQ29tcHV0ZXIgSW5jaWRlbnQgUmVzcG9uc2Ug\nQ2VudGVyIEx1eGVtYm91cmcxFTATBgNVBAsTDFdlYiBTZXJ2aWNlczETMBEGA1UE\nAxQKKi5jaXJjbC5sdTEcMBoGCSqGSIb3DQEJARYNaW5mb0BjaXJjbC5sdTCCASIw\nDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALz26kXiY2TfqHukFJMy9BMvWjyS\nQntEMZc2VV/uWW8nQ9BT43aEVBK0Y7JcLfEPd72oDs7yQrhqyuSiXVLrJzOu7nI9\nLWmEqX/WVZHbS4mdmdo/d2gllirmpClpI6W5v68qUd4zxlSQxrnPzpyVWtmih8Nw\nRHGIo/YttLAqjao37CuGHS3ltRTaAB30ToJgfK5fDWvtOjoomRvjZNhTNO/ZEdaw\nwygsF8NBDoWyOwoSRqNA9UOuBM70Bdu4VJkCyDJVQzaTx0mPbV+iXmKFj33MyfTx\nZMASXiG+e0+Q1ih53X2+GeDWElbM6lv2XKVP3Ueo4qh43CgBtX1El0zCzf8CAwEA\nAaOCAjcwggIzMAwGA1UdEwEB/wQCMAAwYAYIKwYBBQUHAQEEVDBSMCMGCCsGAQUF\nBzABhhdodHRwOi8vb2NzcC5sdXh0cnVzdC5sdTArBggrBgEFBQcwAoYfaHR0cDov\nL2NhLmx1eHRydXN0Lmx1L0xUUUNBLmNydDCCAQAGA1UdIASB+DCB9TCB6AYIK4Er\nAQECBgEwgdswga0GCCsGAQUFBwICMIGgGoGdTHV4VHJ1c3QgU2VydmVyIENlcnRp\nZmljYXRlLiBOb3Qgc3VwcG9ydGVkIGJ5IFNTQ0QsIEtleSBHZW5lcmF0aW9uIGJ5\nIFN1YnNjcmliZXIuIEdUQywgQ1AgYW5kIENQUyBvbiBodHRwOi8vcmVwb3NpdG9y\neS5sdXh0cnVzdC5sdS4gU2lnbmVkIGJ5IGEgUXVhbGlmaWVkIENBLjApBggrBgEF\nBQcCARYdaHR0cDovL3JlcG9zaXRvcnkubHV4dHJ1c3QubHUwCAYGBACPegEDMBEG\nCWCGSAGG+EIBAQQEAwIF4DAOBgNVHQ8BAf8EBAMCBLAwJwYDVR0lBCAwHgYIKwYB\nBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSNkKMH3RoTd5lM\nkqtNQ94/zSlkBTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmx1eHRydXN0\nLmx1L0xUUUNBLmNybDAdBgNVHQ4EFgQUfxT4ZRAbCmnrRK2KZDrE4Dxp7dIwDQYJ\nKoZIhvcNAQEFBQADggEBAIeg9n+bdv0RouFl++1BlotUD3fXRbhURL0Bzpe6w2hy\nRGAFxA1u1AWwtrowQ53Awh6ZJxntHmeYTlchl1Hc79Gt7wHeBI4phack5iTFKJzL\nvdLeGYjj4qJ9LNNt2hNf8Z5u72oMe6xq9naBWJibyzrHQgBsdl/iSMBEQbEkcfXW\nCDpqMrvhHapkL3zJZE0mIOb2wZ+Xqh7XG+9qqfTVjq+Bi/Ihja2ueV8X+TI/cizr\nFU3QrEV4rwIb6FcSX6R5qnlIh8bfm+aDAZCQZXJa9eheeYJw39ibYRxmc6FvR35c\n5zWFlvTe1e7OuPN09CyPJHCxfidIFlBDnQzxAiHBgLs=\n-----END CERTIFICATE-----\n",
  "info": {
    "subject": "C=LU, ST=Luxembourg, L=Luxembourg, O=CIRCL - Computer Incident Response Center Luxembourg, OU=Web Services, CN=*.circl.lu/emailAddress=info@circl.lu",
    "not_before": "2014-07-17T12:24:16+00:00",
    "issuer": "C=LU, O=LuxTrust S.A., CN=LuxTrust Qualified CA",
    "fingerprint": "7C552AB044C76D1DF4F5DDF358807BFDCD07FA57",
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvPbqReJjZN+oe6QUkzL0\nEy9aPJJCe0QxlzZVX+5ZbydD0FPjdoRUErRjslwt8Q93vagOzvJCuGrK5KJdUusn\nM67ucj0taYSpf9ZVkdtLiZ2Z2j93aCWWKuakKWkjpbm/rypR3jPGVJDGuc/OnJVa\n2aKHw3BEcYij9i20sCqNqjfsK4YdLeW1FNoAHfROgmB8rl8Na+06OiiZG+Nk2FM0\n79kR1rDDKCwXw0EOhbI7ChJGo0D1Q64EzvQF27hUmQLIMlVDNpPHSY9tX6JeYoWP\nfczJ9PFkwBJeIb57T5DWKHndfb4Z4NYSVszqW/ZcpU/dR6jiqHjcKAG1fUSXTMLN\n/wIDAQAB\n-----END PUBLIC KEY-----\n",
    "keylength": 2048,
    "not_after": "2016-07-17T12:24:16+00:00",
    "extension": {
      "basicConstraints": "CA:FALSE",
      "subjectKeyIdentifier": "7F:14:F8:65:10:1B:0A:69:EB:44:AD:8A:64:3A:C4:E0:3C:69:ED:D2",
      "authorityKeyIdentifier": "keyid:8D:90:A3:07:DD:1A:13:77:99:4C:92:AB:4D:43:DE:3F:CD:29:64:05\n",
      "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection",
      "crlDistributionPoints": "\nFull Name:\n  URI:http://crl.luxtrust.lu/LTQCA.crl\n",
      "keyUsage": "Digital Signature, Key Encipherment, Data Encipherment",
      "certificatePolicies": "Policy: 1.3.171.1.1.2.6.1\n  User Notice:\n    Explicit Text: LuxTrust Server Certificate. Not supported by SSCD, Key Generation by Subscriber. GTC, CP and CPS on http://repository.luxtrust.lu. Signed by a Qualified CA.\n  CPS: http://repository.luxtrust.lu\nPolicy: 0.4.0.2042.1.3\n",
      "nsCertType": "SSL Client, SSL Server, S/MIME",
      "authorityInfoAccess": "OCSP - URI:http://ocsp.luxtrust.lu\nCA Issuers - URI:http://ca.luxtrust.lu/LTQCA.crt\n"
    }
  }
}

In addition to the certificate, data from the ICSI SSL Notary Service is included in the JSON output (icsi key).
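
The three lookups described above, as an added example (not CIRCL's or pypssl's code): it validates a value before building the request URL, then inverts a 'query' response so that each certificate fingerprint maps to the addresses it was seen on. The function names, the IPv4-only check and the sample data (fake fingerprints, documentation address range) are assumptions made for this sketch, and no HTTP request is sent.

```python
import ipaddress
import re
from collections import defaultdict

BASE = "https://www.circl.lu/v2pssl"   # API base URL as given on the page
SHA1_RE = re.compile(r"[0-9a-f]{40}")

def query_url(cidr):
    """URL for 'query'; enforces the /32 up to /23 limit (IPv4 is an assumption)."""
    net = ipaddress.ip_network(cidr, strict=False)   # also normalises host bits
    if net.version != 4 or not 23 <= net.prefixlen <= 32:
        raise ValueError(f"block must be IPv4 between /23 and /32: {cidr}")
    return f"{BASE}/query/{net}"

def cert_url(endpoint, fingerprint):
    """URL for 'cquery' or 'cfetch'; accepts upper-case or colon-separated SHA1."""
    fp = fingerprint.replace(":", "").strip().lower()
    if endpoint not in ("cquery", "cfetch") or not SHA1_RE.fullmatch(fp):
        raise ValueError(f"bad endpoint or SHA1 fingerprint: {endpoint} {fingerprint}")
    return f"{BASE}/{endpoint}/{fp}"

def pivot(query_result):
    """Invert a 'query' response into fingerprint -> (subject, sorted IP list)."""
    ips, subject = defaultdict(set), {}
    for ip, entry in query_result.items():
        for fp in entry.get("certificates", []):
            ips[fp].add(ip)
            values = entry.get("subjects", {}).get(fp, {}).get("values", [])
            if values:
                subject.setdefault(fp, values[0])
    return {fp: (subject.get(fp), sorted(seen, key=ipaddress.ip_address))
            for fp, seen in ips.items()}

def shared(query_result, min_ips=2):
    """Fingerprints seen on at least min_ips addresses (CA or shared infrastructure)."""
    return {fp: v for fp, v in pivot(query_result).items() if len(v[1]) >= min_ips}

# Constructed sample in the shape of the 'query' output (fingerprints are fake).
CA, LEAF_A, LEAF_B = "aa" * 20, "bb" * 20, "cc" * 20
CA_SUBJ = {"values": ["O=Example CA, CN=Example SSL CA"]}
SAMPLE = {
    "192.0.2.10": {"certificates": [CA, LEAF_A],
                   "subjects": {CA: CA_SUBJ, LEAF_A: {"values": ["CN=www.example.com"]}}},
    "192.0.2.9": {"certificates": [CA, LEAF_B],
                  "subjects": {CA: CA_SUBJ, LEAF_B: {"values": ["CN=mail.example.org"]}}},
}

if __name__ == "__main__":
    print(query_url("172.228.24.0/28"), shared(SAMPLE))
```

Certificates that appear on many addresses in a block are usually intermediates or roots served as part of the chain; the fingerprints left on a single address are the ones worth passing to cquery when pivoting from one host to related infrastructure.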

Old API (version 1)

The old Passive SSL API (version 1, under /pssl) will be deactivated on 1st October 2015. Passive SSL clients must move to version 2 of the API as described above. Passive SSL authentication will remain the same.

Access to CIRCL Passive SSL

Access to CIRCL Passive SSL is allowed to partners including security researchers or incident analysts worldwide. Contact us if you would like to obtain access.

Python Library to access CIRCL Passive SSL

A Python library called pypssl is available for accessing CIRCL Passive SSL. The library supports version 1 and version 2 of the API.

You can install pypssl via pip.

pip install pypssl