* generate-wireshark-cs: fix key sizes for export ciphers
* notes, openssl-{connect,listen}: support more cipher suites,
including NULL.
|
|
Fixes:
Unknown kex in 0x0060 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (tmp=RSA_EXPORT1024)
Unknown kex in 0x0061 TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 (tmp=RSA_EXPORT1024)
Unknown kex in 0x0062 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (tmp=RSA_EXPORT1024)
Unknown kex in 0x0064 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (tmp=RSA_EXPORT1024)
But to be honest, is there any implementation that actually uses these
cipher suites...?
|
|
This is used in some export ciphers
|
|
These are no official cipher suites, but they are used somewhere.
Sources:
- (96-102) "0x00,0x60-0x66 Reserved to avoid conflicts with widely
deployed implementations" [1]
- (96-97) Disabled in OpenSSL 0.9.8c, from a commit message on 14 June
2006: "the latter two [0x00,0x61 and 0x00,0x60 cipher suites] were
purportedly from draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do
not really appear there" [3]
- (98-102) An (expired) IETF draft on 56-bit cipher suites defines
cipher suites 0x00,0x62-66 [2]
[1]: http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
[2]: http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
[3]: http://marc.info/?l=openssl-cvs&m=115030750911430
[ Peter: added sources ]
|
|
This applies some fixes for CCM to the cipher suite generation script.
There are some special cases for CCM ciphers: the iv blocksize is
always 4, it does not have a digest and the mode should be CCM or CCM_8.
[ Peter: basically restructure (indent+case) and fix CCM block size.
I removed the digest as that was already covered and diglen=0; is not
meaningful ]
|
|
Stream cipher RC4 (and block cipher NULL) do not have an IV. The
packet-ssl-utils code needs to be fixed up for this, but this
generator can already be created. Revert this patch until the
block to iv_size rename is complete.
|
|
Previously, everything was concatenated,
making it more difficult to spot errors.
|
|
Example usage, assuming 'premaster.txt' in current directory:
./run-ws /tmp/wsbuild/tshark dump.pcapng
Example, with filtering for SSL record type Application Data (23):
./run-ws /usr/bin/wireshark dump.pcapng.gz \
-Y ssl.record.content_type==23
|
|
The CLIENT_RANDOM is applicable to clients only, so remove it from
ServerHello. Also update notes with cmake+gcrypt instructions.
|
|
See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9499
|
|
Requested by [aspirin] on #wireshark, this script adds a percentage
number to the tshark statistics output. Adding a percentage bar can also
be done, but is an exercise for later at the moment.
|
|
I previously mentioned that nobody seems to support AES CCM for PSK, but
then I noticed that bug 8567 uses this for a DTLS capture. I might need
to add some of these missing cases to the ssl_get_keyex_alg function.
[1]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8567
|
|
The new ssl_get_keyex_alg.txt.diff has been generated with the
following patches applied:
- (unrelated) ssl: Support PSK larger than 16 octets
- Use correct key exchange type for ECDHE ciphers
- (unrelated) ssl: drop unused SIG_ field and constants
- Add more PSK and Camellia ciphers
- Simplify determining key exchange algorithm, more PSK support
|
|
ssl_get_keyex_alg.txt contains the current supported list of cipher
suites for key exchange by the ssl_get_keyex_alg() function.
It was generated with:
awk -F '[ :;\t]+' '/^gint ssl_get_keyex_alg/{p=1}
/case/{if(p)a[$3]=0} /return/{for(i in a)print i, $3;delete a}
/^}/{if(p)exit}' packet-ssl-utils.c
This file can then be converted and sorted with:
while read num name; do echo $((num)) $name;
done < ssl_get_keyex_alg.txt | sort -n > /tmp/1
To get the current cipher suites list:
awk -F '[ {,]+' '/,KEX_/{print $2, $3}' packet-ssl-utils.c > /tmp/2
Check which cipher suites are missing or have an incorrect key exchange:
diff -y /tmp/[12]
It turned out that the ECDH cipher suites were incorrectly marked as
DH (tested on top of SVN rev 52320). Therefore adjust the
generate-wireshark-cs file.
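
Added example (not part of the commit log and not code from generate-wireshark-cs): a small shell classifier for IANA-style suite names that checks ECDHE/ECDH before DHE/DH, so an ECDH suite cannot be labelled as DH, and that reports no digest for CCM and CCM_8 suites as described in the CCM commit above. The function name `classify_suite` and the output labels are assumptions made for this illustration.

```shell
#!/bin/sh
# classify_suite NAME -> prints "KEX MODE DIGEST" (labels are illustrative,
# not Wireshark's KEX_* constants).
classify_suite() {
    name=${1#TLS_}
    kex=${name%%_WITH_*}     # e.g. ECDHE_ECDSA
    rest=${name#*_WITH_}     # e.g. AES_128_CCM_8

    # Key exchange: most specific patterns first, so that ECDHE/ECDH
    # names never fall through to the DHE/DH branches.
    case $kex in
        ECDHE_PSK)       kx=ECDHE_PSK ;;
        ECDHE_*)         kx=ECDHE ;;
        ECDH_*)          kx=ECDH ;;
        DHE_PSK)         kx=DHE_PSK ;;
        DHE_*)           kx=DHE ;;
        DH_*)            kx=DH ;;
        RSA_PSK)         kx=RSA_PSK ;;
        RSA|RSA_EXPORT*) kx=RSA ;;
        PSK)             kx=PSK ;;
        *)               kx=UNKNOWN ;;
    esac

    # Mode and digest: CCM names end in _CCM or _CCM_8 and carry no
    # digest; for the other modes the last token is the hash name.
    case $rest in
        *_CCM_8) mode=CCM_8;  digest=NONE ;;
        *_CCM)   mode=CCM;    digest=NONE ;;
        *_GCM_*) mode=GCM;    digest=${rest##*_} ;;
        *_CBC_*) mode=CBC;    digest=${rest##*_} ;;
        RC4_*)   mode=STREAM; digest=${rest##*_} ;;
        *)       mode=OTHER;  digest=${rest##*_} ;;
    esac

    echo "$kx $mode $digest"
}

# Constructed sample input: real IANA names chosen to hit each branch.
for s in TLS_ECDH_RSA_WITH_AES_128_CBC_SHA \
         TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \
         TLS_PSK_WITH_AES_128_CCM \
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA; do
    printf '%-40s %s\n' "$s" "$(classify_suite "$s")"
done
```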
|
|
Wireshark already supports these suites, yay :)
|
|
Sent to gcrypt-devel@gnupg.org.
|
|
I stopped when I had the thousandth dependency issue after
crypt/libairpdcap.la, this time (again) some broken headers (wsutil
something if I remember correctly? Or was it something related to LUA?)
|
|
Making assumptions about ClientHello is very fragile, but since we are
controlling the client, it should not be a big deal.
|
|
RC2 is a block, not a stream. I thought I fixed this some time ago...
|
|
This makes it easier to see relations in plaintext (if any).
|
|
This is removed because it is redundant, see
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9144#c16
|
|
./openssl-listen /tmp/test-certs
dumpcap -f '(host ::1 or host 127.0.0.1) and tcp portrange 4430-4433' \
-i lo -w all/dump.pcapng
./openssl-connect < all/ciphers-without-SRP-PSK.txt > all/premaster.txt
# kill dumpcap
Check with:
wireshark -o ssl.keylog_file:$PWD/premaster.txt dump.pcapng \
-o http.ssl.port:4430-4433 -o ssl.debug_file:debug.txt
debug.txt is not added because it is a 5.8 MiB file (1.3 MiB gzipped).
|
|
This allows for something like:
openssl ciphers -V | grep -v \ SRP- | ./openssl-connect /tmp/test-certs
|
|
And also support reading suites.txt (generated from IANA's CSV[1]).
Not supported are SRP, KRB5, PSK, ARIA and CCM. Suggested usage:
grep -vE '_(SRP|KRB5|PSK|ARIA)_|_CCM(_|$)' suites.txt |
./generate-wireshark-cs
[1]: http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv