smeukinou
commented
1 month ago LOgs from a debug implant:
2024/05/15 16:24:08 mtls.go:168: Unable to connect: x509: certificate has expired or is not yet valid: current time 2024-05-15T16:24:08+02:00 is after 2024-05-15T10:28:09Z 2024/05/15 16:24:08 sliver.go:152: [session] failed to establish connection: x509: certificate has expired or is not yet valid: current time 2024-05-15T16:24:08+02:00 is after 2024-05-15T10:28:09Z 2024/05/15 16:24:08 sliver.go:132: Reconnect sleep: 1m0s
And that is after I regenerated a mtls-implant cert on the server keeping the same private key, using the following openssl command:
openssl req -x509 -new -key mtls-server-ca-key.pem -out mtls-server-ca-key-cert.pem -days 3650
And restarted the C2. Seems that the cert is embedded in the implant, and so it's a death sentence for all implants generated until now. Am I right ?
moloch--
Not a bug, but a quite annoying problem.
It seems that my mtls-server-ca-cert.pem certificate expired during a very long operation.
And none of the current implants can connect (from sliver.log) to the C2: [31mERRO^[[0m[2024-05-15T12:59:08+02:00] [sliver/server/c2/mtls.go:103] Socket read error remote error: tls: bad certificate ^[[36mINFO^[[0m[2024-05-15T12:59:53+02:00] [sliver/server/c2/mtls.go:85] Accepted incoming connection: [::1]:58088 ^[[31mERRO^[[0m[2024-05-15T12:59:53+02:00] [sliver/server/c2/mtls.go:165] Socket error (read msg-length): remote error: tls: bad certificate
Is there a way to recover from this ? Either by editing sliver.db or changing the code to remove ssl validation somewhere ? (btw for future release, a warning a few weeks before expiration would be nice)
Sliver: 1.5.39 if it matters