[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #12 from Gerrit Code Review ---
Change 23950 had a related patch set uploaded by Peter Wu:
ssl: regression fix for decryption with renegotiation

https://code.wireshark.org/review/23950

--
You are receiving this mail because:
You are watching all bug changes.
___
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #11 from Gerrit Code Review ---
Change 23948 had a related patch set uploaded by Peter Wu:
ssl: regression fix for decryption with renegotiation

https://code.wireshark.org/review/23948
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

Peter Wu changed:

What       |Removed   |Added
Resolution |---       |FIXED
Status     |CONFIRMED |RESOLVED

--- Comment #10 from Peter Wu ---
Fixed in v2.5.0rc0-1314-g9d189c7e20 and backported as v2.4.3rc0-6-gf44b280f1d,
will be part of the 2.4.3 release.
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #8 from Gerrit Code Review ---
Change 23929 had a related patch set uploaded by Peter Wu:
ssl: assume everything after CCS is encrypted

https://code.wireshark.org/review/23929
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #9 from Gerrit Code Review ---
Change 23929 merged by Peter Wu:
ssl: assume everything after CCS is encrypted

https://code.wireshark.org/review/23929
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #7 from Gerrit Code Review ---
Change 23900 merged by Alexis La Goutte:
ssl: assume everything after CCS is encrypted

https://code.wireshark.org/review/23900
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #6 from Gerrit Code Review ---
Change 23900 had a related patch set uploaded by Peter Wu:
ssl: assume everything after CCS is encrypted

https://code.wireshark.org/review/23900
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #5 from Peter Wu ---
Created attachment 15886
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15886=edit
salesforce pcap misdissected as end_of_early_data (actually nonce_explicit=5)

Here is another capture sample. So far I have seen the following nonce_explicit
field contents from the server:

04 ... (original capture)
05 ... (attached capture)
06 ... (other session)

(with curl+openssl it starts with a randomized value)

Reproduced with:

curl https://optusinc.my.salesforce.com/ --resolve optusinc.my.salesforce.com:443:136.147.58.15

key log file:

CLIENT_RANDOM 8EEED89CAD8D5E11B5C821E8CB8866C5F95E7625B36EC90279B3E255CA70173A 5C5FEA73421593AC8B9FADC1B449F91B21039FE913B9485943F7890F4CC0F0B681B3A4C8319C5302A6209599AE865427
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

Peter Wu changed:

What   |Removed    |Added
Status |INCOMPLETE |CONFIRMED

--- Comment #4 from Peter Wu ---
It is not really a NewSessionTicket message, but heuristics think that it is
one. Notice that in frame 12, a ChangeCipherSpec message is sent by the server.
Following that, in frame 13 it should be interpreted as an encrypted handshake
message using the AES256-GCM cipher.

The handshake record fragment should be interpreted as:

04 00 00 00 00 00 00 00 - 8 bytes nonce_explicit
52 29 db 6b ...         - 32 bytes aead-ciphered content

It is however interpreted as:

04          - handshake type NewSessionTicket
00 00 00    - handshake message length (offset_end=9)
00 00 00 00 - ticket_lifetime_hint (offset=9+4=13, note: offset_end < offset)
52 29       - length of ticket vector (outside boundaries of handshake msg -> error)

Two issues that need to be solved:
- heuristics should probably assume encrypted data after ChangeCipherSpec
  message
- malformed packets can trigger the dissection bug. It could have been
  prevented by passing a subset tvb of the handshake, resulting in a "malformed
  packet" exception while trying to add "ticket_lifetime_hint" rather than
  blowing up in the "ticket" vector dissection.
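The two points in comment #4, as an added example that is not part of the original thread and is not Wireshark code: a handshake parser that confines every read to the declared message length, plus a ChangeCipherSpec check that skips type guessing altogether. The names view, read_be, parse_ticket, dissect_handshake and the ccs_seen flag are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: first 10 bytes of the fragment quoted in comment #4. */
static const uint8_t fragment[] = {0x04, 0, 0, 0, 0, 0, 0, 0, 0x52, 0x29};

enum result { PARSED_OK, MALFORMED, ENCRYPTED };
struct view { const uint8_t *p; size_t len; };  /* stands in for a subset tvb */

/* Read an n-byte big-endian integer; fail instead of leaving the view. */
static int read_be(struct view *v, size_t n, uint32_t *out) {
    uint32_t x = 0;
    if (v->len < n) return 0;
    for (size_t i = 0; i < n; i++) x = (x << 8) | v->p[i];
    v->p += n; v->len -= n; *out = x;
    return 1;
}

/* NewSessionTicket body: uint32 ticket_lifetime_hint, then a 2-byte-length ticket. */
static enum result parse_ticket(struct view body, const char **bad) {
    uint32_t hint, tlen;
    *bad = "ticket_lifetime_hint";
    if (!read_be(&body, 4, &hint)) return MALFORMED;
    *bad = "ticket";
    if (!read_be(&body, 2, &tlen) || tlen != body.len) return MALFORMED;
    *bad = "";
    return PARSED_OK;
}

/* ccs_seen: this direction already sent ChangeCipherSpec (hypothetical flag). */
enum result dissect_handshake(const uint8_t *rec, size_t n, int ccs_seen, const char **bad) {
    struct view v = {rec, n};
    uint32_t type, len;
    *bad = "";
    if (ccs_seen) return ENCRYPTED;  /* do not guess at a handshake type */
    *bad = "handshake header";
    if (!read_be(&v, 1, &type) || !read_be(&v, 3, &len) || len > v.len) return MALFORMED;
    *bad = "handshake type";
    if (type != 4) return MALFORMED;  /* this sketch only knows NewSessionTicket */
    return parse_ticket((struct view){v.p, len}, bad);  /* body limited to len */
}

int main(void) {
    const char *bad;
    printf("CCS ignored: %d\n", dissect_handshake(fragment, sizeof fragment, 0, &bad));
    printf("failed at: %s\n", bad);
    return 0;
}
```

With the ChangeCipherSpec state ignored, the quoted bytes are rejected at ticket_lifetime_hint because the declared handshake length is 0; with it honoured, the fragment is never parsed as a handshake message.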
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #3 from Travis ---
Hi Alexis,

pcap came from a salesforce.com session. The 0 length session ticket is coming
from Salesforce.com. I agree it should be anything but 0, but I think it should
not crash Wireshark.

Travis
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

Alexis La Goutte changed:

What           |Removed     |Added
Ever confirmed |0           |1
Status         |UNCONFIRMED |INCOMPLETE
CC             |            |alexis.lagou...@gmail.com, pe...@lekensteyn.nl

--- Comment #2 from Alexis La Goutte ---
Hi Travis,

The pcap is coming from what? Because the New Session Ticket length is 0 (and
it is not possible...). There are always 4 bytes (uint32) for
ticket_lifetime_hint.
[Wireshark-bugs] [Bug 14117] SSL Dissection bug
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14117

--- Comment #1 from Travis ---
Created attachment 15882
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=15882=edit
Wireshark Debug Console Output

This is the output generated upon opening the pcap file.