Wireshark-bugs: [Wireshark-bugs] [Bug 4652] Unable to decode IBM's Websphere MQ traffic

Date: Thu, 20 May 2010 13:26:59 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4652

--- Comment #6 from Andre Luyer <wiresharkbug@xxxxxxxxxxxxxxxxx> 2010-05-20 22:26:53 CEST ---
It turns out that the MQ traffic in the sample is used within SSL. Because it
is not encrypted I did not recognize it as such. The "encryption" used is
NULL-SHA to add a check-sum to the MQ traffic to prevent message tampering
(plus authentication, with a low CPU overhead).

The SSL dissector has a "RSA keys list" option to decrypt and pass the data on
to the next dissector - in this case MQ. But that poses a problem:
It is hard to catch the initial SSL handshake because MQ sessions can stay
active for many hours. Without it, this doesn't work.
Also getting the required private key is very hard because of security and also
a bit silly because the traffic is not actually encrypted.

I think the best (general) solution would be to add a feature to the SSL
dissector to handle (incomplete) traces with NULL-SHA - without requiring the
real private key - and still pass the data on to the next dissector.
(For now skipping the 5 byte 'SSL Application Data' works fine.)

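Added example, not from the bug report or from Wireshark's code: it shows why "skipping the 5 byte 'SSL Application Data'" header works for a NULL-SHA session, and what an analyst can still check. It assumes the TLS 1.0 record layout (5-byte header, then plaintext followed by a 20-byte HMAC-SHA1 tag, RFC 2246); the sample records, the MQ-like payload bytes and the MAC key are constructed for the demo.

```python
import hmac
import hashlib
import struct

TLS_APPLICATION_DATA = 23
MAC_LEN = 20  # NULL-SHA: record fragment = plaintext || HMAC-SHA1, no encryption

def parse_records(stream: bytes):
    """Split a raw TCP payload into (type, version, fragment) TLS records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated trailing record, common at the end of a capture
        records.append((ctype, version, frag))
        off += 5 + length
    return records

def extract_plaintext(stream: bytes) -> bytes:
    """Recover the upper-layer (e.g. MQ) bytes from NULL-SHA application-data
    records: drop the 5-byte header and the trailing 20-byte MAC. No key and no
    handshake are needed, so this works on a trace that starts mid-session."""
    out = bytearray()
    for ctype, _ver, frag in parse_records(stream):
        if ctype == TLS_APPLICATION_DATA and len(frag) >= MAC_LEN:
            out += frag[:-MAC_LEN]
    return bytes(out)

def tls10_mac(mac_key: bytes, seq: int, ctype: int, version: int, plaintext: bytes) -> bytes:
    """TLS 1.0 record MAC (RFC 2246 6.2.3.1): HMAC-SHA1 over seq || type || version || len || data."""
    hdr = struct.pack("!QBHH", seq, ctype, version, len(plaintext))
    return hmac.new(mac_key, hdr + plaintext, hashlib.sha1).digest()

def build_record(ctype: int, version: int, plaintext: bytes, mac: bytes) -> bytes:
    frag = plaintext + mac
    return struct.pack("!BHH", ctype, version, len(frag)) + frag

def verify_record(mac_key: bytes, seq: int, record: bytes) -> bool:
    """Check one record's integrity tag when the MAC secret is known (the tamper check
    the NULL-SHA suite is there to provide); without the secret only extraction is possible."""
    ctype, version, frag = parse_records(record)[0]
    data, tag = frag[:-MAC_LEN], frag[-MAC_LEN:]
    return hmac.compare_digest(tag, tls10_mac(mac_key, seq, ctype, version, data))

# Constructed sample: two application-data records around a non-application record,
# carrying placeholder MQ-like bytes; DEMO_KEY is a made-up value for the demo only.
DEMO_KEY = b"demo-mac-secret"
MQ_CHUNKS = [b"TSH demo-segment-1", b"TSH demo-segment-2"]
SAMPLE = (build_record(23, 0x0301, MQ_CHUNKS[0], tls10_mac(DEMO_KEY, 0, 23, 0x0301, MQ_CHUNKS[0]))
          + build_record(22, 0x0301, b"", b"\x00" * MAC_LEN)  # handshake-type record, skipped
          + build_record(23, 0x0301, MQ_CHUNKS[1], tls10_mac(DEMO_KEY, 1, 23, 0x0301, MQ_CHUNKS[1])))
```

`extract_plaintext(SAMPLE)` yields the two MQ chunks back to back, which is the byte stream an MQ dissector would need; `verify_record` only adds value when the session's MAC secret is available.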