This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Non-Standard TLS Packets?

0

TL;DR: How can I verify which TLS library a local client is using with a remote server?

I have a client going through a Firewall then hitting a Web Server. The issue arose when the client could not successfully upload a file onto the Web Server's file sharing application (custom site on some type of *Nix platform). Took me a couple hours to figure out that a key TLS response from the server was never making it back to the client after the data was uploaded. I told the firewall guys to disable any type of Deep Packet Inspection, and all was good. Re-enable, and it broke.

So something about how this mystery server crafts its TLS1.0 packets causes the Packet Inspection feature of multiple brands of firewalls to trigger an alarm and drop. While all other packets in this TLS session appear to be okay (we do form a valid session).

I do not have access to this Web Server nor will I be able to get too many details out of it. Is there any way to get to the bottom of this? My guess is that it's using a custom, or non-standard, TLS protocol? How can I verify this? I haven't messed around much with decrypting SSL session traffic with Wireshark, but would this do it? If I only have access to client side?

Any tips with this matter would be appreciated. Right now the solution is just to disable Packet Inspection for this server.

Thank you,

asked 31 May '16, 04:22

synthetiq
accept rate: 0%


One Answer:

1

Using Wireshark you can capture the traffic at the client, but you may not be able to decrypt it as you don't have the server's private key.

If the encryption is performed with a suitable algorithm you might be able to get the client to emit a pre-master secret to use for decryption, see the Wiki SSL page for more info.

The capture, even if not decryptable may still show useful info about the TLS session so if possible you should upload the capture to a public file share, e.g. Cloudshark, Google Drive, Dropbox etc. and edit your question with a link back to the capture.

answered 31 May '16, 04:48

grahamb ♦
accept rate: 22%
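As an added illustration of the pre-master secret route (this is example code, not part of the original answer or of Wireshark): the client is asked to write an NSS-format key log (browsers and curl do this when `SSLKEYLOGFILE` is set; Python's `ssl` module does it through `SSLContext.keylog_filename`, which assumes Python 3.8+ on OpenSSL 1.1.1+), and Wireshark then pairs each `CLIENT_RANDOM` line with the client random seen in the captured ClientHello. The script below parses a ClientHello record the way a dissector would, reports the record- and handshake-layer versions (a quick check for odd version fields when a middlebox dislikes a TLS 1.0 session), and performs the same key-log lookup. The ClientHello bytes and the key log lines are constructed here for the demonstration, not taken from a real capture.

```python
import ssl
import struct
from typing import Dict, Optional, Tuple

# TLS record/handshake constants used below
HANDSHAKE = 22
CLIENT_HELLO = 1
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def make_keylogging_context(keylog_path: str) -> ssl.SSLContext:
    """Return a client SSLContext that appends NSS-format key log lines to keylog_path.

    Assumes Python 3.8+ with OpenSSL 1.1.1+. Browsers and curl write the same format
    when the SSLKEYLOGFILE environment variable is set; Wireshark reads it via
    Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.
    """
    ctx = ssl.create_default_context()
    ctx.keylog_filename = keylog_path
    return ctx


def parse_keylog(text: str) -> Dict[bytes, bytes]:
    """Map client_random -> master_secret from the CLIENT_RANDOM lines of a key log.

    Malformed lines are skipped rather than aborting, because real key logs are
    appended to by several processes and may contain partial lines. TLS 1.3 labels
    (e.g. SERVER_HANDSHAKE_TRAFFIC_SECRET) use a different derivation and are not
    needed for the TLS 1.0 session in the question, so they are ignored here.
    """
    secrets: Dict[bytes, bytes] = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue
        try:
            client_random, master_secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue
        if len(client_random) == 32 and len(master_secret) == 48:
            secrets[client_random] = master_secret
    return secrets


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (the first thing the client sends).

    Returns the record-layer version, the handshake-layer version and the 32-byte
    client random. Any length field that does not line up raises ValueError; a
    record that a dissector shows as malformed usually fails exactly these checks.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"content type {ctype} is not Handshake (22)")
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("record length field does not match the bytes present")
    if body[0] != CLIENT_HELLO:
        raise ValueError(f"handshake type {body[0]} is not ClientHello (1)")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 34:          # 2 version bytes + 32 random bytes minimum
        raise ValueError("ClientHello length field does not match the bytes present")
    return {
        "record_version": VERSION_NAMES.get((rmaj, rmin), f"unknown {rmaj}.{rmin}"),
        "hello_version": VERSION_NAMES.get((hello[0], hello[1]), f"unknown {hello[0]}.{hello[1]}"),
        "client_random": hello[2:34],
    }


def lookup_master_secret(record: bytes, keylog_text: str) -> Optional[bytes]:
    """The pairing Wireshark performs: match the capture's client random to the key log."""
    return parse_keylog(keylog_text).get(parse_client_hello(record)["client_random"])


def build_client_hello(client_random: bytes, version: Tuple[int, int] = (3, 1)) -> bytes:
    """Constructed test vector: a minimal TLS 1.0 ClientHello record with no extensions."""
    assert len(client_random) == 32
    cipher_suites = bytes.fromhex("002f" "c013")          # AES128-SHA, ECDHE-RSA-AES128-SHA
    hello = (bytes(version) + client_random + b"\x00"      # version, random, empty session id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00")                                # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample data, not from a real capture.
    rnd, secret = bytes(range(32)), bytes(range(48))
    keylog = f"# comment line\nCLIENT_RANDOM {rnd.hex()} {secret.hex()}\nCLIENT_RANDOM deadbeef 00\n"
    rec = build_client_hello(rnd)
    print(parse_client_hello(rec)["record_version"])       # TLS 1.0
    print(lookup_master_secret(rec, keylog) == secret)     # True
```

To use this on the real problem network, start the client with `SSLKEYLOGFILE` pointing at a writable file (or build its context with `make_keylogging_context`), capture at the client as the answer says, and point Wireshark's TLS preferences at the same file; the ServerHello that never reaches the client will then be visible as a gap in the decrypted handshake rather than as opaque records.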

Thank you for the suggestion, Graham.

Unfortunately I cannot get the PCAP to a public server, so I'll have to go down the pre-master secret route.

Thanks again!

(31 May '16, 04:53) synthetiq

I'm going to mark this comment as the answer as I've just managed to decrypt my own TLS traffic to Gmail using the links you provided above.

I can carry this knowledge to the problem network and at least make progress (hopefully)!

Thanks again for your response!

(31 May '16, 05:51) synthetiq