Wireshark-bugs: [Wireshark-bugs] [Bug 1586] New: Problems with reassembly for proxied SSL connec

Date: Fri, 4 May 2007 03:00:03 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1586

           Summary: Problems with reassembly for proxied SSL connections
           Product: Wireshark
           Version: 0.99.5
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jsmall@xxxxxxxxxxxx


Build Information:
Version 0.99.5 (SVN Rev 20677)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.7, with GLib 2.12.7, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0
(packet.dll version 4.0.0.755), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804

--
Reproducible - Yes, consistently reproducible for any SSL session through this
proxy.

Error - SSL sessions (Browsers/SSL Tunnel Client) through a Proxy
(172.24.101.100:3128) consistently show up as Malformed and do not decode. 
Interestingly - when I shipped the same libpcap trace to a friend with a
current version of Sniffer Pro, he reported to me that the trace decoded
correctly with no errors.

Effort to date - Sake Blok [sake[at]euronet.nl] has been looking at this and
submitted some patches for proxied/SSL connections.  However, he would like
another developer who is fluent with the internals of wireshark to take a look
at this problem.

Sake believes there may be problems with the reassembly for SSL connections
through a Proxy.  As you can see from the attached trace, there are numerous
Malformed packet errors for SSL packets.  However, I do not believe there is
anything in fact wrong with the packets.  The browser session to
https://mail.yahoo.com works fine and there are no lost packets as I am
capturing this directly from the originating workstation.

172.24.101.100 is a St. Bernard Proxy (up to date on patches) configured in
Proxy mode on TCP/3128 using NT Domain (NTLM) Authentication.

Please let me know if you have any questions or need additional information.

--Jim


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.