/tmp/wireshark/configure --prefix=/tmp/wsroot --with-ssl --with-gtk2 --without-gtk3 # CMake rocks! CC=clang CXX=clang++ \ cmake -DCMAKE_INSTALL_PREFIX=/tmp/wsroot -DENABLE_GTK3=0 -DENABLE_PORTAUDIO=0 -DENABLE_QT5=0 -DENABLE_GEOIP=0 -DENABLE_KERBEROS=0 -DENABLE_SMI=0 -DCMAKE_BUILD_TYPE=Debug /tmp/wireshark -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address -DCMAKE_EXPORT_COMPILE_COMMANDS=1 # Do not set CMAKE_C_FLAGS_DEBUG, it breaks (missing symbols) #clang-check -p /tmp/wsbuild epan/dissectors/packet-whois.c -ast-dump v1.99.0-rc1-578-gdbd409d clang cmake: 15s; make -j16: 1m34s v1.99.0-rc1-588-gc9694dc gcc cmake: 13.6s; make -j16: 1m37s # libgcrypt RC2 fixing (accepted in git # http://lists.gnupg.org/pipermail/gcrypt-devel/2013-October/002428.html) # Fix compile issue (missing fig2dev in doc, Makefile.in in tests is not # generated (Makefile/autotools of the repo too old?)) sed '/^tests\/Makefile$/d' -i configure.ac && sed '/SUBDIRS/s/ doc tests//' -i Makefile.am && ./autogen.sh mkdir build && cd build ../configure --disable-static --disable-padlock-support --prefix=/tmp/libgcrypt/prefix make install # for libgcrypt-config test in wireshark ./configure PATH=/tmp/libgcrypt/prefix/bin:$PATH # for cmake add: -DGCRYPT_INCLUDE_DIR=/tmp/libgcrypt/prefix/include -DGCRYPT_LIBRARY=/tmp/libgcrypt/prefix/lib/libgcrypt.so # Build cyassl for AES-CCM testing patch -p1 < cyassl-Implement-SSLKEYLOGFILE-support-for-ClientRandom.patch autoreconf -fiv ./configure --enable-{opensslextra,dtls,ipv6,sniffer,aes{c,g}cm,camellia,md2,dsa,ecc,psk,webserver,sni} make examples/server/server -p 4433 SSLKEYLOGFILE=premaster.txt examples/client/client -l AES256-SHA -p 4433 see also cyassl-test (in this repo) for testing all supported ciphers # Show a list of cipher suite from ServerHello and the HTTP version (or the # number of the ServerHello if decryption failed). /tmp/wsbuild/tshark -r cyassl-tcp.pcapng.gz -ohttp.ssl.port:4430-4433 \ -ossl.keylog_file:premaster.txt -ossl.psk:1a2b3c4d -Tfields \ -e frame.number -e ssl.handshake.ciphersuite -e http.request.version \ -Y 'ssl.handshake.type==2||ssl.record.content_type==23' | awk '$2~/0x/{if(n)print n;printf("%s ",$2);n=$1}$2=="HTTP/1.0"{print $2;n=""}END{if(n)print n}' # create suites.txt from http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv gawk -n -F '[,"]+' '$4~/^TLS/{print int($2)*0x100+int($3), $4}' tls-parameters-4.csv > suites.txt # find which suites are not supported yet (unsupported.txt) gawk -n -vsrc=/tmp/wireshark/epan/dissectors/packet-ssl-utils.c -F'[ {,]+' 'BEGIN{while(getline openssl-supported-ciphers.txt # find which ciphers are not yet supported (unsupported-new is from above) grep -E "$(cut -d' ' -f1 unsuppported-new.txt openssl-supported-ciphers.txt | sort | uniq -d | tr '\n' '|' | sed 's/|$//')" unsuppported-new.txt -w # Get keys from NSS applications: SSLKEYLOGFILE=premaster.txt firefox # command to use key file from NSS /tmp/wsroot/bin/wireshark -o ssl.keylog_file:$PWD/s_client-keys.txt s_client.capng -o http.ssl.port:4433 -o ssl.debug_file:s_client-debug.txt # Command to look for relation between cipher and mode (stream vs cbc) grep epan/dissectors/packet-ssl-utils.c -e '^ *{.*,KEX' | column -s, -t | sort -k 4,4 -k 11,11 # pipe openssl stdbuf -oL openssl s_server -CAfile server.crt -cert server.crt -key server.pem -www -cipher ALL 2>&1 | awk '/ACCEPT/{print (++n) " " $0}!/ACCEPT/{print}{fflush()}' openssl ciphers | tr : '\n' > ciphers.txt # trigger tests: openssl ciphers|tr : '\n' | while read i;do echo;echo $i;curl --cacert /tmp/snif/pki/server.crt https://localhost:4433 -o /dev/null --ciphers $i -v;done # "fail" file is above output awk 'BEGIN{while(getline<"fail"){if(/ACCEPT/){n=$1}else if(/error/){fails[n]=1}}} {if(!fails[NR])print}' ciphers.txt # convert CipherSuite from RFC to code xsel | ./generate-wireshark-cs | sed s/{/,/ | sort -t, -n -k2,2 | sed s/,/{/ # check for differences between existing ciphers and new ones from X clipboard ssort(){ sed s/{/,/ | sort -n -t, -k2,2 | sed s/,/{/; } grep ,KEX_ packet-ssl-utils.c | ssort > 1;(cat 1; xsel) | sort -k1,1 -t} -u | ssort > 2; colordiff -u 1 2 # command to sort by Au(th) and show official TLS names openssl ciphers -V | sort -k6,6 | gawk '{split($1,a,",");$1=strtonum(a[1])*256+strtonum(a[2])}{print}' | sort -k6,6 | ./number-to-name.awk -vcmd='cat suites.txt' | column -t | less # dump CLIENT_RANDOM for every cipher openssl ciphers|tr : '\n' | grep -vE '^(PSK|SRP|ECDHE-ECDSA|ECDH)-|-DSS-' | while read cipher; do (echo 'GET / HTTP/1.0';sleep .1) | openssl s_client -connect localhost:4433 -cipher $cipher -msg 2>&1 | awk '/Master-Key:/{key=$2} {b=1;e=16;if(l==3)b=7;if(l==1)e=6;for(i=b;i<=e;i++)s=s$i;if(l--==1)r[s]=1}/ ClientHello|ServerHello$/{l=3;s=""} END{for(rnd in r)print "CLIENT_RANDOM",rnd,key}';done > all/s_client-keys.txt # dump CLIENT_RANDOM for every cipher for *.local.al.lekensteyn.nl with TLS disabled for url in $(grep -E '/(IDEA-CBC-SHA|EXP-RC2-CBC-MD5)\.' -i ssl3/ok.txt); do host="${url##*/}"; (printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs -no_tls1 -msg 2>&1 | awk '/Master-Key:/{key=$2} {b=1;e=16;if(l==3)b=7;if(l==1)e=6;for(i=b;i<=e;i++)s=s$i;if(l--==1)r[s]=1}/ ClientHello|ServerHello$/{l=3;s=""} END{for(rnd in r)print "CLIENT_RANDOM",rnd,key}'; done >> /tmp/snif/ssl3/premaster.txt # fetch a list of hosts to visit urls.txt # Get good and bad cipher suites wrt web server certs rm ok.txt nok.txt;time while read url; do curl -ks "$url" -o /dev/null && echo $url >> ok.txt || echo $url >> nok.txt;done < urls.txt # same as above, but restrict to OpenSSL ciphers during request rm ok.txt nok.txt;time while read url; do cipher="${url%%.*}";cipher="${cipher##*/}";curl -ks "$url" -o /dev/null --ciphers "${cipher^^}" && echo $url >> ok.txt || echo $url >> nok.txt;done < urls.txt # same test, but using openssl instead of curl for url in $(cat res/ok.txt); do host="${url##*/}"; echo;echo;echo _____ $host;(printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs; done 2>&1 | tee s_client-all-res-ok.txt The following OpenSSL cipher suites do not connect to nginx (obsolete): EXP-EDH-DSS-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA PSK-RC4-SHA PSK-3DES-EDE-CBC-SHA PSK-AES128-CBC-SHA PSK-AES256-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA SRP-RSA-3DES-EDE-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-AES-128-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-256-CBC-SHA SRP-DSS-AES-256-CBC-SHA ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 ECDH-RSA-AES128-GCM-SHA256 ECDH-RSA-AES256-GCM-SHA384 Groupable to: - EXP-EDH-{DSS,RSA} - PSK - ECDH-RSA (obsolete, it is supported with correct cert) - SRP Not supported by GnuTLS (source: http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/) - TLS-SRP (Secure Remote Password) - PSK (Pre-Shared Key) - ECDH-{RSA,ECDSA} (not ECDHE-RSA) (source: wikipedia) Missing cipher suite support (from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4): - SRP - KRB5 - PSK - ARIA - mode CCM libgcrypt RC2 (40-bit keys) implementation is named "RFC2268_40". This does not seem to work with TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 though. I think that the unimplemented RFC2268_128 algo should be used. As mentioned in RFC 2246 (TLS 1.0), section 6.3.1. Export key generation example, this RC2 cipher suite has a final_client_write_key length of 128 bits. # Generate RSA stuff openssl genrsa -out server.pem openssl req -new -x509 -key server.pem -out server.crt -days 3650 -subj "/CN=*.local.al.lekensteyn.nl" # Generate dsa params, privkey and signed pubkey openssl dsaparam 1024 -out dsaparam.pem openssl gendsa dsaparam.pem -out dsa.pem openssl req -new -key dsa.pem -x509 -days 3650 -out dsa.crt -subj "/CN=*.local.al.lekensteyn.nl" # Generete EC params (secp112r1 cert does not work, "no shared cipher" error) # secp256r1 is supported by chromium (and secp{384,521}r1 too) openssl ecparam -name prime192v1 -out ec.pem -genkey openssl req -new -key ec.pem -x509 -days 3650 -out ec.crt -subj "/CN=*.local.al.lekensteyn.nl/OU=EC" http://wiki.wireshark.org/SampleCaptures?action=AttachFile // Find all extensions $('a[href*="do=get"]').toArray().map(function (e){ var m=e.href.match(/\.([^.?]+(\.gz|bz2)?)$/); return m?m[1]:"";}).reduce(function (prev, cur){ if(prev.indexOf(cur)==-1)prev.push(cur);return prev;}, []) // Find all extensions, count per extension $('a[href*="do=get"]').toArray().map(function (e){ var m=e.href.match(/\.([^.?]+(\.gz|bz2)?)$/); return m?m[1]:"";}).reduce(function (prev, cur){ if(cur in prev)prev[cur]++;else prev[cur]=1;return prev;},{}) # Download captures wget -e robots=off -nc -r -l 1 --accept-regex='.*do=get.*(p?cap|pcapng)(\.gz)?$' --ignore-case http://wiki.wireshark.org/SampleCaptures?action=AttachFile # Symlink files (retains original name for easier updates) mkdir captures && cd captures && ln -s ../wiki.wireshark.org .; find wiki.wireshark.org/ -name '*target=*' | php -r 'while ($line = fgets(STDIN)) { $line = trim($line); symlink($line, urldecode(preg_replace("#.*target=#", "", $line))); }' # Find duplicates, list by md5, mtime, size, filename md5sum * | sort | uniq -w32 -D | while read sum file; do echo $sum $(date +"%Y-%m-%d %H:%M" -r "$file") "$(du -hD "$file")"; done # Archive captures/ (537M uncompressed, 223M gz, 177M xz) time tar cJhf captures.tar.xz --owner=root --group=root --exclude=wiki.wireshark.org captures/ # Save capture files from remote save(){ local d="pc:/tmp/wireshark-caps"; rsync -vasL "$d/captures/$1" "$d/tshark-${2:-1}/$1."{out,err} ./"${1%.*}/";} # Retrieve 2724 attachments (509MB) from https://www.wireshark.org/~darkjames/capture-files.txt time cut -d: -f2 ../capture-files.txt | sed 's,^,https:,' | xargs wget -a ../capture-files-wget.txt -nv --content-disposition # Rename the captured files such that attachment id is included time grep id= ../capture-files-wget.txt | sed 's/.*attachment.cgi?id=\([0-9]*\) \[[0-9/]*\] -> "/\1 /;s/" \[[12]\]$//' | while read id name; do mv "$name" -vi "$id-${name%.[0-9]}" ;done # Rename name that wget could not handle mv '4993-=?UTF-8?Q?PPP=2D=E8=BD=AC=E6=8D=A2=E5=90=8E=E6=96=87=E4=BB=B6=2D=E6=89=93=E5=BC=80=E6=95=B0=E6=8D=AE=E5=8C=85=E6=97=A0=E6=98=BE=E7=A4=BA=2Ecap?=' '4993-PPP-转换后文件-打开 数据包无显示.cap' # logcat testing for file in logcat-v*.txt;do for type in logcat logcat-brief logcat-process logcat-tag logcat-time logcat-thread logcat-threadtime logcat-long;do /tmp/wsbuild/run/tshark -r "$file" -F $type -w out/$file-$type.txt;done;done ASN.1 dissectors (make the "export" file first): asn1/x509sat$ ../../tools/asn2wrs.py -E -b -r Syntax -p x509sat -c ./x509sat.cnf -D . SelectedAttributeTypes.asn asn1/x509if$ ../../tools/asn2wrs.py -b -p x509if -c ./x509if.cnf -s ./packet-x509if-template -D . -O ../../epan/dissectors InformationFramework.asn ServiceAdministration.asn This solves this error: :0: UserWarning: Missing tag information for imported type DirectoryString from SelectedAttributeTypes (SelectedAttributeTypes) # Find all headers mentioning "fmt" or "fmt" pointers, but without attribute grep --exclude=\*.c -Hnr -e '\* *\(fmt\|format\) *\([,)]\|$\)' -C2 --color=always | awk '{s=s $0"\n"}/^[0-9m\[K\x1b]*--/{ if(!att){print s} att=0;s="" } /GNUC_PRINTF/{ att=1 }'