http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1586
Summary: Problems with reassembly for proxied SSL connections
Product: Wireshark
Version: 0.99.5
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: jsmall@xxxxxxxxxxxx
Build Information:
Version 0.99.5 (SVN Rev 20677)
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.10.7, with GLib 2.12.7, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0
(packet.dll version 4.0.0.755), based on libpcap version 0.9.5, without
AirPcap.
Built using Microsoft Visual C++ 6.0 build 8804
--
Reproducible - Yes, consistently reproducible for any SSL session through this
proxy.
Error - SSL sessions (Browsers/SSL Tunnel Client) through a Proxy
(172.24.101.100:3128) consistently show up as Malformed and do not decode.
Interestingly - when I shipped the same libpcap trace to a friend with a
current version of Sniffer Pro, he reported to me that the trace decoded
correctly with no errors.
Effort to date - Sake Blok [sake[at]euronet.nl] has been looking at this and
submitted some patches for proxied/SSL connections. However, he would like
another developer who is fluent with the internals of wireshark to take a look
at this problem.
Sake believes there may be problems with the reassembly for SSL connections
through a Proxy. As you can see from the attached trace, there are numerous
Malformed packet errors for SSL packets. However, I do not believe there is
anything in fact wrong with the packets. The browser session to
https://mail.yahoo.com works fine and there are no lost packets as I am
capturing this directly from the originating workstation.
172.24.101.100 is a St. Bernard Proxy (up to date on patches) configured in
Proxy mode on TCP/3128 using NT Domain (NTLM) Authentication.
Please let me know if you have any questions or need additional information.
--Jim
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.