Wireshark-bugs: [Wireshark-bugs] [Bug 5485] improper decode of TLS 1.2 packet containing both Ce
Date: Mon, 13 Dec 2010 09:55:34 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5485

--- Comment #7 from Sake <sake@xxxxxxxxxx> 2010-12-13 09:55:33 PST ---
(In reply to comment #6)
> (In reply to comment #5)
> > OK... looking at RFC 4346 (TLSv1.1) and RFC 5246 (TLSv1.2) it looks like the
> > CertificateRequest format has changed between these two versions. So the code
> > to dissect the CertificateRequest should use the TLS version to decide how to
> > dissect the CertificateRequest.
> 
> Well, I think wireshark does decode the CertificateRequest message properly
> already.  The problem that it doesn't keep going to decode the ServerHelloDone
> message that immediately follows the CertificateRequest in the same packet. 
> TLS (1.2 at least) allows multiple TLS messages in the same packet.

I'm sorry, but I have to disagree. Please look at the first part of comment 4.
The problem is that the first two bytes of the "DistinguishedNames" in a
pre-TLSv1.2 are a length indicator. And therefor Wireshark interprets the "02
01" as a length and tries to collect 513 bytes of data, which are not there.
Therefor you get the "Unreassembled" or "Malformed" message (depending on
whether SSL decryption support is included in the version of Wireshark that is
used).

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.