TLS certificate invalid der (Signal self-signed certificate)

[sengork]

• I have searched open and closed issues for duplicates
• I am submitting a bug report for existing functionality that does not work as intended
• I have read https://github.com/signalapp/Signal-Android/wiki/Submitting-useful-bug-reports
• This isn't a feature request or a discussion topic

---

Bug description

Signal's live servers utilise certificate which is blocked by Suricata rule (this did not occur in the past using the same setup):
GID:SID 1:2230027
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid der"; flow:established; app-layer-event:tls.certificate_invalid_der; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230027; rev:1;)
This is related to rules in https://github.com/OISF/suricata/blob/master/rules/tls-events.rules

Steps to reproduce

• Send message on Signal on Android
• Observe Suricata IDS rules start blocking multiple IP addresses on *.awsglobalaccelerator.com associated with Signal client-server network flows (eg. ac88393aca5853df7.awsglobalaccelerator.com)
• Disabling the rule fixes the issue immediately

Actual result: Messages are not sent/received
Expected result: Messages should be sent/received successfully

Screenshots

N/A

Device info

Android version: 10
Signal version: 6.0.6

Link to debug log

$ openssl s_client -connect ac88393aca5853df7.awsglobalaccelerator.com:443
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger

[cody-signal]

Looks like an issue on their side, trying using their fix?

https://forum.suricata.io/t/suricata-tls-certificate-invalid-der/2681/3
OISF/suricata#7740