Hi,
It seems to me that the way Wireshark handles some aspects of the SSL
communication is wrong or at least inconsistent. Let us take a packet
where the server furnishes its certificate. If we select the string
"Certificate: 3082..." in the middle window, corresponding bytes will
be automatically selected in the lower one. Export to a CER file by
means of the context menu must leave us with a valid certificate.
However, its signature turns out to be invalid. What is the reason? To
get a correct X.509 DER certificate we must add the four preceding
bytes to the selected ones. By the way, the first two of them are also
30 82, which could be the origin of the confusion.
Windows XP SP2
Wireshark 0.99.4 (SVN Rev 19757)
I know that my version of Wireshark is far from being new. Yet it
should be quite easy for you to test this behavior on whatever version
you may have in mind. Looks like it has not changed since Ethereal
times. One sample packet is attached to this message.
--
Best regards,
LON mailto:lon@xxxxxxxxxxxx
Attachment:
Sample.rar
Description: Binary data
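
Added example, not part of the original message: a DER structure check that tells a complete exported certificate from one whose outer SEQUENCE header was left out of the selection, as the message describes. The sample bytes are constructed (not a real certificate) and all function names are hypothetical.

```python
def der(tag, value):
    """DER-encode one TLV with a definite, minimal length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def read_tlv(buf, off, end):
    """Return (tag, value_start, value_end) of the TLV at off, bounded by end."""
    if off + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or off + n > end:
            raise ValueError("bad length field")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > end:
        raise ValueError("value runs past end of data")
    return tag, off, off + length

def child_tags(buf, off, end):
    """Tags of the consecutive TLVs that fill buf[off:end]."""
    tags = []
    while off < end:
        tag, _, off = read_tlv(buf, off, end)
        tags.append(tag)
    return tags

def classify_export(buf):
    """Classify bytes exported from a dissector's certificate field."""
    try:
        tag, start, stop = read_tlv(buf, 0, len(buf))
        if tag != 0x30:
            return "not-a-sequence"
        if stop == len(buf):  # one SEQUENCE spans the whole file
            full = child_tags(buf, start, stop) == [0x30, 0x30, 0x03]
            return "certificate" if full else "other-sequence"
        rest = child_tags(buf, stop, len(buf))  # what follows the first SEQUENCE
        return "missing-outer-header" if rest == [0x30, 0x03] else "trailing-data"
    except ValueError:
        return "malformed"

# Constructed stand-ins for tbsCertificate, signatureAlgorithm, signatureValue.
TBS = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x0C, b"x" * 300)))
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
SAMPLE_CERT = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\xaa" * 128))
```

For a file that classifies as missing-outer-header, der(0x30, data) rebuilds the complete structure, because the DER header is fully determined by the length of the content.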