
Wireshark-users: Re: [Wireshark-users] Certificate Request doesn't seem properly displayed

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Wed, 17 Sep 2008 18:18:28 +0200
With my version of Wireshark (Version 1.0.99-SVN-26006) packet 39 shows "Change Cipher Spec, Encrypted Handshake Message". If your Ethereal 1.1.0 is showing this as "Certificate Request", then you must have added the private key to your ssl preferences to let it decode the encrypted data. Do you have the same key configured in your Wireshark 1.0.3 installation?

What the trace tells me is that there is a full SSL negotiation, then some application data request on which the SSL server starts renegotiating the SSL session. I have seen this before when the HTTP-server protects only specific pages with SSL client authentication.

Is this a test-setup for which you can provide the private key of the server? Or is this production?

Cheers,
    Sake

----- Original Message ----- From: "Ryerse, Mike (DIS)" <MikeRy@xxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2008 5:42 PM
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly displayed


It displays the same for me with or without the whole negotiation.  Here
is the whole capture.  Packet 39 is the packet that Ethereal 1.1.0 is
saying contains a certificate request, but Wireshark 1.0.3 does not.


Thanks,

Michael Ryerse


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, September 16, 2008 10:52 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly displayed

Mike,

The small capture file that you attached to your e-mail has only the one
packet in it. For Wireshark to be able to dissect the ssl session properly,
it needs to see the whole ssl-negotiation. So we need at least all packets
from this ssl-session up to the packet showing "[malformed]".

Cheers,
      Sake


----- Original Message ----- From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark"
<wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2008 7:25 AM
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly displayed


Hi,

If this is so you should open a bug report on https://bugs.wireshark.org.
Describe what you see and attach the capture there, so it won't be
forgotten and a fix can be tested.

Thanx,
Jaap

Guy Harris wrote:
On Sep 16, 2008, at 4:56 PM, Ryerse, Mike (DIS) wrote:

Wireshark 1.0.3 is displaying a specific SSLv3 packet as "Change
Cipher Spec, Encrypted Handshake Message", while Ethereal 1.1.0
displays it as "Change Cipher Spec, Certificate Request[Malformed
Packet]".

Normally I would think the newer software is showing it correctly.

I assume that

1) you meant "Wireshark 1.1.0", not "Ethereal 1.1.0" (the last
release that had the name "Ethereal" rather than "Wireshark" was
0.99.1)

and therefore that

2) Wireshark 1.1.0 is the newer software.

Is that the case?

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
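
An added example, not part of the thread and not Wireshark's dissector code: a minimal SSLv3/TLS record labeller for one direction of a connection, showing why a handshake record that follows Change Cipher Spec (as in the renegotiation described in the top reply) can only be labelled "Encrypted Handshake Message" without the key, and what a parser that ignores cipher state would make of the same bytes. The function names and the packet bytes are constructed for illustration.

```python
import struct

HANDSHAKE_NAMES = {0: "Hello Request", 1: "Client Hello", 2: "Server Hello",
                   11: "Certificate", 12: "Server Key Exchange",
                   13: "Certificate Request", 14: "Server Hello Done",
                   15: "Certificate Verify", 16: "Client Key Exchange", 20: "Finished"}

def label_handshake(body):
    """Walk cleartext handshake messages: 1-byte type, 3-byte length, payload."""
    out, pos = [], 0
    while pos + 4 <= len(body):
        htype = body[pos]
        hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        name = HANDSHAKE_NAMES.get(htype, "Unknown handshake type %d" % htype)
        if pos + 4 + hlen > len(body):      # declared length overruns the record
            out.append(name + " [Malformed Packet]")
            break
        out.append(name)
        pos += 4 + hlen
    return out

def label_records(stream, encrypted=False, track_cipher_state=True):
    """Label the records in `stream`; returns (labels, encrypted) so the
    cipher state can be carried into the next packet of the same direction."""
    labels, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        opaque = encrypted and track_cipher_state
        if ctype == 20:                      # ChangeCipherSpec: later records are ciphertext
            labels.append("Change Cipher Spec")
            encrypted = True
        elif ctype == 22:                    # Handshake
            labels.extend(["Encrypted Handshake Message"] if opaque
                          else label_handshake(body))
        elif ctype == 23:
            labels.append("Application Data")
        else:
            labels.append("Record type %d" % ctype)
    return labels, encrypted

def record(ctype, body, version=0x0300):
    """Build one record: type, version (SSLv3), length, fragment."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed packet: Change Cipher Spec, then a handshake record whose body is
# stand-in ciphertext that happens to start with 0x0d (13 = Certificate Request).
PACKET = record(20, b"\x01") + record(22, bytes.fromhex("0d5be1a977c402f3") + bytes(56))

if __name__ == "__main__":
    print(label_records(PACKET)[0])
    print(label_records(PACKET, track_cipher_state=False)[0])
```

Labelling the record as a real handshake message requires decrypting it first, which is what configuring the server's private key in the SSL preferences enables.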


