Wireshark-bugs: [Wireshark-bugs] [Bug 3303] Problem with fragmentation at the SSL record layer
Date: Mon, 23 Jun 2014 09:18:48 +0000

changed bug 3303

What            Removed     Added
Status          RESOLVED    UNCONFIRMED
CC                          alex_tan@mail.ru
Resolution      FIXED       ---
Ever confirmed  1

Comment # 19 on bug 3303 from
It looks like it is NOT fixed.

I have the following version: Version 1.10.8 (v1.10.8-2-g52a5244 from
master-1.10)

If I open the file attached as "bug3303.cap (26.62 KB,
application/octet-stream)" (bug3303.cap), I still have problems. 

Frame 6 shows a single "TLSv1 Record Layer: Handshake protocol: Server Hello".
This part is correct. But the most interesting part is what it does NOT show.

See attachment "Frame6, Certificate":
1. The correctly displayed "Handshake protocol: Server Hello" message
2. This is where the raw data of the "Server Hello" message starts.
3. And what is TCP segment data "1381 bytes" then? This is what Wireshark DOES
NOT recognize.
4. The selected part in the dump window is the start of this TCP segment.
If I try to decode it, it is:
0x16 = 22: SSL Handshake message
0x03 0x01: TLSv1.0 
0x40 0x00: TLSv1 RecordLayer, packet length 0x4000 = 16384
0x0b: Certificate message
0x00 0x4d 0x12: "Certificate" message length, 0x4d12, which is greater than the
length of the TLSv1 RecordLayer packet (0x4000)

Now, frame 22, see attachment "Frame22, Encrypted Handshake":
Wireshark correctly recognized TLSv1 Record Layer message (0x4000 = 16384
bytes),
but did not recognize the Handshake protocol "Certificate" message.
One of the reasons is probably because the message is not yet complete:
Its length is 0x4d12 bytes but Wireshark has collected (0x4000 - 4) bytes so
far.

The remaining 0x0d16 (3350) bytes are in frames 24 (1460 bytes), 25 (1460
bytes), 27 (435 bytes),
see attachment "Frame27, Encrypted Handshake"

5. The total length is 3355 bytes.
6. Wireshark correctly sees a TLSv1 RecordLayer packet of 3350 bytes, but DOES
NOT merge
it with the data from frame 22. It should do it, and then decode the resulting
0x4d12 (19730) bytes as a "Certificate" message.
7. Wireshark correctly recognizes "Server Hello Done" message.

But I have a dump where "Server Hello Done" message is not recognized. The
difference is:
In the attached bug3303.cap the "Server Hello Done" message comes as a separate
TLSv1 Record Layer message.
In my dump it comes in the same TLSv1 Record Layer message as the last part of
the "Certificate Request" message.
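
The reassembly described in the comment above, as an added example that is not part of the original comment and is not Wireshark's code: handshake record payloads are concatenated into one buffer, and handshake messages are cut from that buffer by their own 3-byte length. The sample bytes are constructed to mirror the sizes quoted above (a 0x4d12-byte Certificate split across a 0x4000-byte record and a following record that also carries Server Hello Done); all function names are hypothetical.

```python
import struct

HANDSHAKE = 22  # TLS record content type 0x16

def iter_records(stream):
    """Yield (content_type, version, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5: off + 5 + length]
        if len(payload) < length:
            break  # truncated record: more TCP data is needed
        yield ctype, ver, payload
        off += 5 + length

def reassemble_handshake(stream):
    """Return ([(msg_type, msg_len), ...], pending_bytes) for plaintext handshake data."""
    buf, msgs = bytearray(), []
    for ctype, _ver, payload in iter_records(stream):
        if ctype != HANDSHAKE:
            continue
        buf += payload  # record boundaries are not message boundaries
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break  # message continues in a later record
            msgs.append((buf[0], mlen))
            del buf[:4 + mlen]
    return msgs, bytes(buf)

def record(payload, version=0x0301):
    return struct.pack("!BHH", HANDSHAKE, version, len(payload)) + payload

def handshake(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def sample_records():
    """Constructed sample: zero-filled bodies, sizes taken from the comment."""
    hello = handshake(2, bytes(70))        # Server Hello, body size constructed
    cert = handshake(11, bytes(0x4d12))    # Certificate, longer than one record
    done = handshake(14, b"")              # Server Hello Done
    return [record(hello), record(cert[:0x4000]), record(cert[0x4000:] + done)]

if __name__ == "__main__":
    print(reassemble_handshake(b"".join(sample_records())))
```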

