Martin Wilck | 10 Feb 10:22

SSL decryption breaks after retransmission

Hello,

I just stumbled upon the known problem "SSL decryption breaks after
retransmission"
(http://www.wireshark.org/lists/wireshark-dev/200805/msg00067.html) with
wireshark 1.6.5.

I wonder if a patch for this issue is available? Is anybody working on this?

Martin

-- 
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck@...
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@...>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@...?subject=unsubscribe

Max Dmitrichenko | 10 Feb 12:13

Re: SSL decryption breaks after retransmission

2012/2/10 Martin Wilck <martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
> Hello,
>
> I just stumbled upon the known problem "SSL decryption breaks after
> retransmission"
> (http://www.wireshark.org/lists/wireshark-dev/200805/msg00067.html) with
> wireshark 1.6.5.
>
> I wonder if a patch for this issue is available? Is anybody working on this?


I made a patch and put it into the bug tracker about half a year ago. Now I think it could be implemented better than it is, but I have not discussed it with core developers and I've made it in a way to not break anything existing. It is done in the TCP desegment layer but needs some assistance from the upper layer.

--
Max
___________________________________________________________________________
Martin Wilck | 10 Feb 12:50

Re: SSL decryption breaks after retransmission

On 02/10/2012 12:13 PM, Max Dmitrichenko wrote:

> I have made a patch and put it into the bug tracker about half a year
> ago.

Thanks - I assume you're talking about
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?

Martin


Max Dmitrichenko | 10 Feb 13:09

Re: SSL decryption breaks after retransmission


2012/2/10 Martin Wilck <martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
> On 02/10/2012 12:13 PM, Max Dmitrichenko wrote:
>
> > I have made a patch and put it into the bug tracker about half a year
> > ago.
>
> Thanks - I assume you're talking about
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?

Yep!

--
Max
___________________________________________________________________________
Martin Wilck | 10 Feb 13:37

Re: SSL decryption breaks after retransmission

On 02/10/2012 01:09 PM, Max Dmitrichenko wrote:
>     Thanks - I assume you're talking about
>     https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?
> Yep!

I built wireshark with this patch applied, but it didn't solve my
problem. I still need to tell wireshark manually to ignore the
retransmitted packets in order to get proper SSL decryption of the
follow-up SSL stream.

Martin


Max Dmitrichenko | 10 Feb 14:31

Re: SSL decryption breaks after retransmission

2012/2/10 Martin Wilck <martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
> On 02/10/2012 01:09 PM, Max Dmitrichenko wrote:
> >     Thanks - I assume you're talking about
> >     https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5971 ?
> > Yep!
>
> I built wireshark with this patch applied, but it didn't solve my
> problem. I still need to tell wireshark manually to ignore the
> retransmitted packets in order to get proper SSL decryption of the
> follow-up SSL stream.

It will not work "out of the box". A higher level dissector has to assist this and needs a patch.

Actually the problem is that TCP is not a datagram protocol but a stream protocol. A subdissector for any protocol over TCP should not ignore this fact.

In general, there are the following cases.

0) Any TCP-based dissector should be prepared to receive a TVB containing more than one logical PDU.

1) tvb contains a full logical PDU. Nothing to be done.
2) tvb contains the first part of a logical PDU. Desegmentation needed. Currently the TCP-desegmentor skips retransmissions of later parts.
3) tvb contains the second (or later) part of a logical PDU or the first retransmitted part. Currently this is not handled.

My patch is about solving 3). You should patch the dissector to detect this situation and request the TCP-desegmentor to do the rest of the job.

I guess this could be solved in an "out of the box" way. But this will break the behavior of existing dissectors - they will not receive and dissect retransmissions, which could be of interest to someone.

--
Max
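The cases listed in the message above, as an added example (not Wireshark code and not the patch from bug 5971): a sequence-aware reassembler placed in front of a TLS record framer, compared with appending raw TCP payloads. The names StreamReassembler, split_records and dissect and the sample segments are constructed for illustration; sequence-number wraparound is ignored.

```python
import struct

class StreamReassembler:
    """Hands each TCP payload byte to the upper layer once, in sequence order."""
    def __init__(self, isn):
        self.next_seq = isn      # first sequence number not yet delivered
        self.pending = {}        # segments that arrived ahead of a gap

    def feed(self, seq, payload):
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        out = bytearray()
        while self.pending and min(self.pending) <= self.next_seq:
            s = min(self.pending)
            data = self.pending.pop(s)
            new = data[self.next_seq - s:]   # empty for a pure retransmission
            out += new
            self.next_seq += len(new)
        return bytes(out)

def split_records(buf):
    """Return (complete TLS records, leftover bytes) from a stream buffer."""
    records = []
    while len(buf) >= 5:
        ctype, _version, length = struct.unpack("!BHH", buf[:5])
        if len(buf) < 5 + length:
            break                # PDU continues in a later segment
        records.append((ctype, buf[5:5 + length]))
        buf = buf[5 + length:]
    return records, buf

def dissect(segments, isn, dedupe=True):
    """Frame records from (seq, payload) pairs; dedupe=False feeds raw payloads."""
    reasm, buf, records = StreamReassembler(isn), b"", []
    for seq, payload in segments:
        buf += reasm.feed(seq, payload) if dedupe else payload
        found, buf = split_records(buf)
        records += found
    return records

# Constructed sample: two application-data records, second segment sent twice.
STREAM = (struct.pack("!BHH", 23, 0x0301, 8) + b"A" * 8 +
          struct.pack("!BHH", 23, 0x0301, 4) + b"B" * 4)
SEGMENTS = [(1000, STREAM[:6]), (1006, STREAM[6:15]),
            (1006, STREAM[6:15]), (1015, STREAM[15:])]

if __name__ == "__main__":
    print("sequence-aware:", dissect(SEGMENTS, 1000))
    print("naive append:  ", dissect(SEGMENTS, 1000, dedupe=False))
```

With the retransmitted segment appended blindly, the framer reads a record header from the middle of old data and never recovers the second record.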
