I have been using Wireshark (0.99.3) to analyse SSL data flows to try to track down an issue where our SSL server (0.9.7d based) somehow gets corrupted and degrades over a period of time to the point where all SSL handshakes result in fatal alerts of "bad record mac". When analysing a capture taken before the corruption occurs using Wireshark, it tells me there are a few malformed packets. One such example is:

data packet 1, from client:
Secure Socket Layer
   SSLv3 Record Layer: Handshake Protocol: Client Hello
       Content Type: Handshake (22)
       Version: SSL 3.0 (0x0300)
       Length: 97
       Handshake Protocol: Client Hello
           Handshake Type: Client Hello (1)
           Length: 93
           Version: SSL 3.0 (0x0300)
           Random.gmt_unix_time: Oct 17, 2006 14:11:14.000000000
           Random.bytes
           Session ID Length: 32
           Session ID (32 bytes)
           Cipher Suites Length: 22
           Cipher Suites (11 suites)
           Compression Methods Length: 1
           Compression Methods (1 method)
               Compression Method: null (0)

data packet 2, from server:
Secure Socket Layer
   SSLv3 Record Layer: Handshake Protocol: Server Hello
       Content Type: Handshake (22)
       Version: SSL 3.0 (0x0300)
       Length: 74
       Handshake Protocol: Server Hello
           Handshake Type: Server Hello (2)
           Length: 70
           Version: SSL 3.0 (0x0300)
           Random.gmt_unix_time: Oct 17, 2006 14:10:16.000000000
           Random.bytes
           Session ID Length: 32
           Session ID (32 bytes)
           Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
           Compression Method: null (0)
   SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
       Content Type: Change Cipher Spec (20)
       Version: SSL 3.0 (0x0300)
       Length: 1
       Change Cipher Spec Message
   SSLv3 Record Layer: Handshake Protocol: Encrypted Handshake Message
       Content Type: Handshake (22)
       Version: SSL 3.0 (0x0300)
       Length: 56
       Handshake Protocol: Encrypted Handshake Message:

data packet 3 from client (malformed):
Secure Socket Layer
   SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
       Content Type: Change Cipher Spec (20)
       Version: SSL 3.0 (0x0300)
       Length: 1
       Change Cipher Spec Message
   SSLv3 Record Layer: Handshake Protocol: Client Hello
       Content Type: Handshake (22)
       Version: SSL 3.0 (0x0300)
       Length: 56
       Handshake Protocol: Client Hello
           Handshake Type: Client Hello (1)
           Length: 4022620
           Version: Unknown (0xae45)
           Random.gmt_unix_time: Not representable
           Random.bytes
           Session ID Length: 186
[Malformed Packet: SSL]

Can anyone advise the best way to check that the packet really is malformed?

thanks
C

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
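
An added example, not part of the original post and not OpenSSL or Wireshark code: a record walker for one direction of an SSLv3 stream that treats every record after Change Cipher Spec as ciphertext, next to a naive field read showing how such bytes look when parsed as a Client Hello. The function names are hypothetical, and the sample bytes are constructed: the first six payload bytes are derived from the field values in the dissection of data packet 3, the rest is filler.

```python
import struct

CCS, HANDSHAKE = 20, 22  # SSL record content types
# SSLv3 Finished under RC4_128_MD5 (the suite in the Server Hello): 4-byte
# handshake header + MD5 (16) + SHA-1 (20) hashes, then a 16-byte MD5 record
# MAC. RC4 is a stream cipher, so no padding is added.
FINISHED_RC4_MD5_LEN = 4 + 16 + 20 + 16

def naive_handshake_fields(body):
    """Read bytes as a plaintext Client Hello header (type, length, version)."""
    version, = struct.unpack_from("!H", body, 4)
    return body[0], int.from_bytes(body[1:4], "big"), version

def classify_records(stream):
    """Walk one direction of an SSLv3 stream; return (label, length) per record."""
    out, off, encrypted = [], 0, False
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        off += 5 + length
        if len(body) < length:
            out.append(("truncated", length))
            break
        if encrypted:
            # After Change Cipher Spec the sender's records are ciphertext.
            out.append(("encrypted", length))
        elif ctype == CCS:
            encrypted = True
            out.append(("change_cipher_spec", length))
        elif ctype == HANDSHAKE and length >= 4:
            # Simplification: assumes one unfragmented message starts the record.
            fits = 4 + int.from_bytes(body[1:4], "big") <= length
            out.append(("handshake type %d" % body[0] if fits else "length_mismatch", length))
        else:
            out.append(("other", length))
    return out

# Constructed sample for data packet 3: type 1, length 0x3d615c (4022620),
# version 0xae45 as in the dissection; the remaining 50 bytes are filler.
PAYLOAD = bytes.fromhex("013d615cae45") + bytes(range(50))
PACKET3 = bytes.fromhex("140300000101") + bytes.fromhex("1603000038") + PAYLOAD

if __name__ == "__main__":
    print(classify_records(PACKET3))
    print(naive_handshake_fields(PAYLOAD))
```

The second record's length equals FINISHED_RC4_MD5_LEN, the same 56 bytes carried by the server's Encrypted Handshake Message record in data packet 2.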
