Wireshark-dev: [Wireshark-dev] Wireshark bug?
From: LON <[email protected]>
Date: Fri, 10 Aug 2007 02:34:07 +0500

It seems to me that the way Wireshark handles some aspects of the SSL
communication is wrong or at least inconsistent. Let us take a packet
where the server furnishes its certificate. If we select the string
"Certificate: 3082..." in the middle window, the corresponding bytes
will be automatically selected in the lower one. Exporting to a CER
file by means of the context menu must leave us with a valid
certificate. However, its signature turns out to be invalid. What is
the reason? To get a correct X.509 DER certificate, we must add the
four preceding bytes to the selected ones. By the way, the first two of
them are also 30 82, which could be the origin of the confusion.

Windows XP SP2
Wireshark 0.99.4 (SVN Rev 19757)

I know that my version of Wireshark is far from being new. Yet it
should be quite easy for you to test this behavior on whatever version
you may have in mind. Looks like it has not changed since Ethereal
times. One sample packet is attached to this message.

Best regards,
 LON                          mailto:[email protected]

Attachment: Sample.rar
Description: Binary data
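
A structural check for an exported file, added here as an example that is not part of the original message or of Wireshark: it reads DER headers and reports whether the bytes form a complete X.509 Certificate, meaning an outer SEQUENCE that spans the whole export and holds tbsCertificate, signatureAlgorithm and signatureValue. The function names and the sample bytes are constructed for illustration; the sample only has a certificate's outline and is not a real certificate.

```python
def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, off=0):
    """Parse one DER TLV at off; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length >= 0x80:                 # long form, e.g. 0x82 = two length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, off, off + length

def classify_export(blob):
    """Report whether blob has the outline of a whole X.509 Certificate."""
    try:
        tag, off, end = read_tlv(blob)
        if tag != 0x30:
            return "not a SEQUENCE"
        if end != len(blob):
            return "outer SEQUENCE does not span the export"
        tags = []
        while off < end:               # walk the top-level children
            child, _, off = read_tlv(blob, off)
            tags.append(child)
    except ValueError as exc:
        return "not DER: %s" % exc
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    if tags == [0x30, 0x30, 0x03]:
        return "certificate"
    return "SEQUENCE, but not Certificate-shaped"

def constructed_sample():
    """Constructed bytes with a certificate's outline; not a real certificate."""
    tbs = der(0x30, der(0x04, bytes(300)))      # stand-in tbsCertificate
    alg = der(0x30, der(0x06, b"\x2a\x03"))     # stand-in AlgorithmIdentifier
    sig = der(0x03, b"\x00" + bytes(64))        # stand-in BIT STRING
    return der(0x30, tbs + alg + sig)
```

An export that starts four bytes late begins at the inner 30 82 header, so its first SEQUENCE ends before the data does and the check reports that instead of "certificate".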