Wireshark-dev: Re: [Wireshark-dev] [PATCH] Fix false malformed SSL handshakemessages (Was: Catc
From: "Kukosa, Tomas" <[email protected]>
Date: Mon, 16 Apr 2007 07:48:00 +0200
Hi,

I think your solution is not workaround but quite standard solution in
Wireshark.
As it is not guaranteed that you have captured whole SSL session it is
better to have good heuristic than to relay upon state information.


Mailcode: NdD2sKHg
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Sake Blok
Sent: Saturday, April 14, 2007 8:20 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] [PATCH] Fix false malformed SSL
handshakemessages (Was: Catch 22 in SSL dissector?)

On Sat, Apr 14, 2007 at 10:58:18AM -0700, Stephen Fisher wrote:
> On Sat, Apr 14, 2007 at 02:35:31PM +0200, Sake Blok wrote:
> 
> > Although I'm still interested in a theoretical answer to the problem

> > of keeping state info on a per packet basis (see below), here is a 
> > workaround for the bug.
> 
> Would this be better fixed using per-packet state information?

Uhmm... well, with this workaround there is still a (very slim)
chance that the first 4 octets of an encrypted handshake message 
look like an unencrypted handshake message.

I guess the simpleness of this workaround has it's advantages over
trying to solve it through per-packet state recording. My suggestion
will be to use this patch for now and I will look into solving it
with state information.

I guess it's a trade-off between being practical and being exact :)

Cheers,


Sake
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev