Ethereal-dev: [Ethereal-dev] SSL Dissector - thoughts

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Lyal Collins" <lyal.collins@xxxxxxxxxxxxx>
Date: Sat, 25 Jun 2005 23:51:02 +1000
As an amateur code cutter, and even worse crypto-head, I recently spent many
hours getting Paolo Abeni patch 'working'
http://www.ethereal.com/lists/ethereal-dev/200504/msg00243.html with Openssl
and ethereal 10.10.
I note that a GNUtls version was later released, but have spent no time with
it.

My feedback is (and for ssldump):
- This SSL dissection stuff doesn't work. There is a very limited range of
crypto algorithm support (e.g. SSLv3, DES3-SHA is about the only mode that
would decrypt live and pcap'ed packets).
- TLS, or SSL2 support seems non-existent.  Eg. An SSL2 packet with an TLS
version header is ignored as non-decpryptable
- there is a real need for this, paricularly in one case I'm stuck with.
A test site fails when in SSL traffic is used for a certain sequence of
pages.transacitons.
We can't get at the captured data  due toSSL. We can't investigate the
problem except on by line-by-line analaysis of code for several hundred
thousnd lines.  And we can't reproduce/replay the secquence of events
because we can't 'see' the data invovled in certain transactions (enabling
heavy logging disturbs the application flow enough that nothing ever fails).

Assistance in the community to resolve thse issues by a) supporting a
broader rane of SSL conditions and b) provider better debug/diagnosis
messages would go along way to solving an immediate problem.

Having a good SSL decoding too would also allow IDS/IPS scrutiny of SSL
traffic e.g. snort, bro et al.  Applciation attacks, not network attacks are
the future of criminal and attacker activity.

Just my 3 cents worth

Regards,
Lyal Collins