diff options
| author | Peter Wu <lekensteyn@gmail.com> | 2013-10-01 23:02:53 +0200 |
|---|---|---|
| committer | Peter Wu <lekensteyn@gmail.com> | 2013-10-01 23:02:53 +0200 |
| commit | 1927a4fa8d871188842cddde7755f4d34f804dd2 (patch) | |
| tree | c52264a0d88559401ce288b662476551d2863917 /notes.txt | |
| parent | 7bb3df540d659fe6c674a26b9a10704629a9bf6f (diff) | |
| download | wireshark-notes-1927a4fa8d871188842cddde7755f4d34f804dd2.tar.gz | |
generate-wireshark-cs: fix ECDH, add PSK, drop SIG_
ssl_get_keyex_alg.txt contains the current supported list of cipher
suites for key exchange by the ssl_get_keyex_alg() function.
It was generated with:
awk -F '[ :;\t]+' '/^gint ssl_get_keyex_alg/{p=1}
/case/{if(p)a[$3]=0} /return/{for(i in a)print i, $3;delete a} /^}
/{if(p)exit}' packet-ssl-utils.c
This file can then be converted and sorted with:
while read num name; do echo $((num)) $name;
done < ssl_get_keyex_alg.txt | sort -n > /tmp/1
To get the current cipher suites list:
awk -F '[ {,]+' '/,KEX_/{print $2, $3}' packet-ssl-utils.c > /tmp/2
Check which cipher suites are missing or have an incorrect key exchange:
diff -y /tmp/[12]
It turned out that the ECDH cipher suites were incorrectly marked as
DH (tested on top of SVN rev 52320). Therefore adjust the
generate-wireshark-cs file.
Diffstat (limited to 'notes.txt')
| -rw-r--r-- | notes.txt | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -1,5 +1,15 @@ /tmp/wireshark/configure --prefix=/tmp/wsroot --with-ssl --with-gtk2 --without-gtk3 +# libgcrypt RC2 fixing +# Fix compile issue (missing fig2dev in doc, Makefile.in in tests is not +# generated (Makefile/autotools of the repo too old?)) +sed '/SUBDIRS/s/ doc tests//' -i Makefile.am && ./autogen.sh +mkdir build && cd build +../configure --disable-static --disable-padlock-support --prefix=/tmp/libgcrypt/prefix +make install +# for libgcrypt-config test in wireshark ./configure +PATH=/tmp/libgcrypt/prefix/bin:$PATH + # find which suites are not supported yet (unsupported.txt) awk -vsrc=/tmp/wireshark/epan/dissectors/packet-ssl-utils.c -F'[ {,]+' 'BEGIN{while(getline <src)if(/^ *\{.*,KEX_/)a[$2]=1}{if(!a[$1])print}' suites.txt # find which ciphers openssl supports @@ -87,6 +97,12 @@ http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-paramete - ARIA - mode CCM +libgcrypt RC2 (40-bit keys) implementation is named "RFC2268_40". This does not +seem to work with TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 though. I think that the +unimplemented RFC2268_128 algo should be used. As mentioned in RFC 2246 (TLS +1.0), section 6.3.1. Export key generation example, this RC2 cipher suite has a +final_client_write_key length of 128 bits. + # Generate RSA stuff openssl genrsa -out server.pem openssl req -new -x509 -key server.pem -out server.crt -days 3650 -subj "/CN=*.local.al.lekensteyn.nl" |