Ethereal-dev: [Ethereal-dev] Re: SSL Dissector - thoughts

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 25 Jun 2005 17:31:58 -0400
Hi,

SSL support would be very very useful in ethereal, however,
the OpenSSL library is not compatible with GPL, which affects people
distributing Ethereal.

In essence, it seems probable that ethereal can not be distributed
linked with OpenSSL for the windows platform, which is the majority of
users.
While these users could install OpenSSL themselves and recompile, the
process of recompiling the tool is outside the realms of most Windows
users.


A much much better solution would be to implement the SSL decryption
by hand inside ethereal just using the basic primitives we already
have in ethereal and not linking with openssl at all.



On 6/25/05, Lyal Collins <lyal.collins@xxxxxxxxxxxxx> wrote:
> As an amateur code cutter, and even worse crypto-head, I recently spent many
> hours getting Paolo Abeni's patch 'working'
> http://www.ethereal.com/lists/ethereal-dev/200504/msg00243.html with OpenSSL
> and ethereal 10.10.
> I note that a GNUtls version was later released, but have spent no time with
> it.
> 
> My feedback is (and for ssldump):
> - This SSL dissection stuff doesn't work. There is a very limited range of
> crypto algorithm support (e.g. SSLv3, DES3-SHA is about the only mode that
> would decrypt live and pcap'ed packets).
> - TLS, or SSL2 support seems non-existent.  E.g. an SSL2 packet with a TLS
> version header is ignored as non-decryptable.
> - There is a real need for this, particularly in one case I'm stuck with.
> A test site fails when SSL traffic is used for a certain sequence of
> pages/transactions.
> We can't get at the captured data due to SSL. We can't investigate the
> problem except by line-by-line analysis of code for several hundred
> thousand lines.  And we can't reproduce/replay the sequence of events
> because we can't 'see' the data involved in certain transactions (enabling
> heavy logging disturbs the application flow enough that nothing ever
> fails).
> 
> Assistance in the community to resolve these issues by a) supporting a
> broader range of SSL conditions and b) providing better debug/diagnosis
> messages would go a long way to solving an immediate problem.
> 
> Having a good SSL decoding tool would also allow IDS/IPS scrutiny of SSL
> traffic e.g. snort, bro et al.  Application attacks, not network attacks,
> are the future of criminal and attacker activity.
> 
> Just my 3 cents worth
> 
> Regards,
> Lyal Collins