Wireshark · Wireshark-dev: Re: [Wireshark-dev] SSL + DTLS

["authesserre samuel" <sauthess@xxxxxxxxx>]

hi,

in wiki you could make :

Secure Socket Layer (SSL)

SSL provides communication security between two hosts. It provides
integrity, authentification and confidentiality. It is used most of
time in web navigator but can be used for any protocol under TCP.

History

SSL is originally a Netscape project in association of MasterCard,
Bank of America, MDI & Silicon Graphics. First version SSLv1 wasn't
released, SSLv2 was replaced by SSLv3 in 1999 because of security
problem.
At this time, SSL became a standard so IETF bougth patent and create
TLS in 2001 (standard actually used and a derivation of SSLv3).

PS : correct my english ... (I'm a little bad ;) )

In the wireshark section I would say that decryption work only for RSA
key exchange ("if the RSA encryption key can be provided.")

part external link  :

http://en.wikipedia.org/wiki/Secure_Sockets_Layer

link to understand basics cryptographic concept of ssl
http://eventhelix.com/RealtimeMantra/Networking/SSL.pdf

PPS : I have tried to change directly in wiki but it doesn't work (and
I think it's a good idea that person verify that I am writing isn't
full of mistakes ;))

regards,

On 6/29/06, authesserre samuel <sauthess@xxxxxxxxx> wrote:
> ok,
>
> so we will make a parallele dev on dtls and  ssl ;)
>
> I have no time this week I'll start to correct preferences and others
> stuff in dtls dissector from monday.
> I'll inform you ....
>
> regards,
>
> Samuel
>
> PS: what is the things that are missing in ssl dissector (I have
> stopped dev because I tought that all was done....) thanks for your
> answer....
>
> On 6/29/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > ah, a misunderstanding.
> >
> > ok.    so the dtls stuff does not require linking with openssl then
> > there wont be any problem at all.
> >
> > thanks for clarifying.
> >
> >
> >
> > please also see   wiki.wireshark.org/SSL
> > i just checked in a change to the preference syntax that is not
> > backward compatible for ssl decryption.
> >
> > i think it makes it better.   please mimic these changes in dtls
> > dissector   (i have little interest in dtls personally now   but great
> > interest in ssl decryption)
> >
> >
> > i will do more changes and refactoring to ssl decryption over time.
> >
> >
> >
> >
> >
> > On 6/29/06, authesserre samuel <sauthess@xxxxxxxxx> wrote:
> > > hi,
> > >
> > >
> > > I was talking about modifying directly openssl implementation allowing
> > > me to make test on dtls dissector implementation.
> > > In ethereal I can use (its the fact actually) gnutls because the only
> > > usefull fonction to realize dissector is the cryptographics ones no
> > > the send or receive one (based on tcp) that's why I choose to continue
> > > with modifying dtls dissector in the same scheme as ssl one and
> > > modifying openssl dtls implementation to have a complete dtls
> > > implementation (and dissection with wireshark ;) )
> > > so I can make mistake but the dtls dissector can be added on win32
> > > version (like ssl?), the fact is dtls ans ssl dissectors use the same
> > > functions in packet-ssl-utils.h so I think there is no problem (dtls
> > > dissector don't use openssl at all).
> > > tell me if I am right
> > >
> > > regards,
> > >
> > > samuel
> > >
> > >
> > > On 6/29/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > > it would just mean that dtls decryption would not work out of the box
> > > > for win32 users since we can not ship win32 versions of ethereal
> > > > linked with openssl.
> > > >
> > > > no drama.   if there is enough interest in the feature someone will
> > > > implement the required gnutls magic if you dont have time.    if not
> > > > it just mean there is no interest.
> > > >
> > > >
> > > > i have associates that need the ssl decryption feature now so dont
> > > > worry about ssl.    ill do the updates required to ssl.
> > > > (beware     preference breaking update/change estimated to go in in 10
> > > minutes)
> > > >
> > > > please ty to follow the ssl changes i do to svn for your dtls code.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 6/29/06, authesserre samuel <sauthess@xxxxxxxxx> wrote:
> > > > > hi,
> > > > >
> > > > > it isn't compatible  at all(bsd licence), and i have already posted on
> > > > > gnutls mailing list to propose a dtls implementation.
> > > > > in a first time i think it could be a good idea to have an
> > > > > implementation that work correctly and in a second time another to
> > > > > test interoperability
> > > > > I have only one month to consacrate to project i don't think that i
> > > > > could make gnutls implementation in this time....(i will do all i can
> > > > > because i would like a gpl'ed implementation)
> > > > > gnutls have the advantage that it implement TLS 1.1 but in other side
> > > > > it have to change a lot of things for UDP adaptation
> > > > >
> > > > > I will try to finish openssl implem and in a second time i will look
> > > > > at gnutls (if you are ready to help me  ;) )
> > > > >
> > > > > regards,
> > > > >
> > > > > samuel
> > > > >
> > > > > On 6/28/06, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
> > > > > > On Wed, Jun 28, 2006 at 11:31:28AM +0200, authesserre samuel wrote:
> > > > > > > but dtls work on openssl version 0.9.b who contains many errors (I
> > > > > > > have listed them on openssl-dev mailing list and correct 2 of them)
> > > > > > > but in current time i havent time to finish implementation of dtls
> > > > > > > (i'll try to correct it during july and dtls dissector in the same
> > > > > > > time)
> > > > > >
> > > > > > Would it be feasible to use another lib than openssl (gnutls + gcrypt)
> > > > > > instead? I'm still not really convinced that the way we provide
> > > openssl
> > > > > > is really compatible with gpl (and especially distros enabling it).
> > > > > >
> > > > > >  Ciao
> > > > > >       Joerg
> > > > > > --
> > > > > > Joerg Mayer
> > > <jmayer@xxxxxxxxx>
> > > > > > We are stuck with technology when what we really want is just stuff
> > > that
> > > > > > works. Some say that should read Microsoft instead of technology.
> > > > > > _______________________________________________
> > > > > > Wireshark-dev mailing list
> > > > > > Wireshark-dev@xxxxxxxxxxxxx
> > > > > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Authesserre Samuel
> > > > > 12 rue de la défense passive
> > > > > 14000 CAEN
> > > > > FRANCE
> > > > > 06-27-28-13-32
> > > > > sauthess@xxxxxxxxx
> > > > > _______________________________________________
> > > > > Wireshark-dev mailing list
> > > > > Wireshark-dev@xxxxxxxxxxxxx
> > > > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > > > >
> > > > _______________________________________________
> > > > Wireshark-dev mailing list
> > > > Wireshark-dev@xxxxxxxxxxxxx
> > > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > > >
> > >
> > >
> > > --
> > > Authesserre Samuel
> > > 12 rue de la défense passive
> > > 14000 CAEN
> > > FRANCE
> > > 06-27-28-13-32
> > > sauthess@xxxxxxxxx
> > > _______________________________________________
> > > Wireshark-dev mailing list
> > > Wireshark-dev@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > >
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
>
>
> --
> Authesserre Samuel
> 12 rue de la défense passive
> 14000 CAEN
> FRANCE
> 06-27-28-13-32
> sauthess@xxxxxxxxx


--
Authesserre Samuel
12 rue de la défense passive
14000 CAEN
FRANCE
06-27-28-13-32
sauthess@xxxxxxxxx