This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Bug fix for Bug 3303

0

I'm new to this list but I have a relatively simple question:

I was wondering when a patch would be available for "Bug 3303 - Problem with fragmentation at the SSL record layer"? Is it targeted at a particular release? If not, is there any beta code that I can test?

I am working on an application where I need to be able to decrypt the traffic from a browser to another server.

I have downloaded the source and have applied the patch for "Bug 3343" but need the fix for 3303 so that I can decrypt the pkts.

Any help would be greatly appreciated.

Thanks,

Tom

asked 14 Oct '10, 15:08


Tom S
accept rate: 0%


One Answer:

0

Tom,

The problem in bug 3303 occurs only under very rare circumstances. Most references to that bug were actually caused by other things. The most common problems with decryption of SSL traffic are:

  • Wireshark not being able to load the key. Check the ssl-debug file to make sure it loads the key.
  • Wireshark not seeing all packets of the SSL session. If the tracefile only contains part of the SSL session or only a resumed session, then Wireshark does not have all the information needed to decrypt the traffic. Make sure you have the full handshake (a resumed session does not have a "certificate" message from the server).
  • A Diffie-Hellman (DH) cipher has been chosen. Since DH uses keys that are generated on the fly to transport the pre-master-secret, Wireshark is unable to decrypt this traffic. For successful decryption, an RSA key exchange must be used where the pre-master-secret must be encrypted with the public key of the server. Wireshark can then decrypt this with the provided private key of the server. To determine if DH is used, look for the ServerHello message and check the cipher in it. If it contains DH or DHE, DH is used. You can restrict the list of acceptable ciphers to not use DH ciphers on either the client or the server as a workaround.

Please have a look at a presentation I gave at Sharkfest (PPT or Video) about troubleshooting SSL for more information. If you still feel you are running into bug 3303, please attach a tracefile to the bug report and if possible, attach the key there as well.

answered 14 Oct '10, 22:58


SYN-bit ♦♦
accept rate: 20%

Thank you for the response.

From looking at the Server Hello, it appears that the cipher being used is TLS_RSA_WITH_RC4_128_MD5.

From talking to one of the other engineers here, we had already disabled the DH ciphers for the reasons you mentioned above.

I have not had a chance to watch the video but I will do so when I have time.

Not sure if I am running into 3303 or something else. I will post the trace and the keys later today.

Thanks,

Tom

(15 Oct '10, 08:44) Tom S
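
The ServerHello cipher check from the answer's third bullet, as an added example that is not part of the original thread or of Wireshark's code: it parses a raw TLS ServerHello record and reports whether the chosen suite uses an RSA or a DH key exchange. The suite table is a small subset of the IANA registry, and the function names and the sample record are constructed for illustration.

```python
import struct

# Small subset of the IANA TLS cipher suite registry (not exhaustive).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def server_hello_cipher(record: bytes) -> str:
    """Return the name of the cipher suite chosen in a raw ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    pos = 4 + 2 + 32            # handshake header, server version, random
    if len(body) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos]        # session ID length byte plus the session ID
    if len(body) < pos + 2:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    return SUITES.get(suite, "UNKNOWN_0x%04X" % suite)

def key_exchange_verdict(name: str) -> str:
    """Apply the rule from the answer: DH or DHE in the name means DH is used."""
    if "DH" in name.split("_WITH_")[0]:
        return "DH: the server's private key alone cannot decrypt this session"
    if name.startswith("TLS_RSA_WITH_"):
        return "RSA: decryptable with the server's private key and full handshake"
    return "unknown suite: check the key exchange manually"

def sample_server_hello(suite: int) -> bytes:
    """Constructed TLS 1.0 ServerHello with zero random and empty session ID."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for s in (0x0004, 0x0039):
        name = server_hello_cipher(sample_server_hello(s))
        print(name, "->", key_exchange_verdict(name))
```
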