Wireshark · Wireshark-dev: Re: [Wireshark-dev] Decrypting SSL in dissector

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

OK, sorry, I really shouldn't start talking about things I haven't a 
clue about.  I was thinking the UAT was going to send you down a path 
similar to decode-as which I guess it is.

Anyway, I think the answer is on the SSL wiki:

http://wiki.wireshark.org/SSL#start_tls

(Of course you'd also have to look into the LDAP dissector to figure out 
how it deals with starting TLS.)  It does appear there was some 
discussion about it somewhat recently:

https://www.wireshark.org/lists/wireshark-dev/201306/msg00246.html

On 01/10/2014 04:05 PM, Rob Napier wrote:
> So make a separate RSA key table within the amp protocol preferences?
> And then pass that along to SSL when the protocol goes encrypted?
>
> I assume the same issue impacts LDAP/TLS and XMPP?
>
> -Rob
>
>
> On Fri, Jan 10, 2014 at 11:51 AM, Jeff Morriss
> <jeff.morriss.ws@xxxxxxxxx <mailto:jeff.morriss.ws@xxxxxxxxx>> wrote:
>
>     I think for that you can't enter the encryption keys in the UAT but
>     rather your amp dissector would need to register for the SSL after
>     the negotiation.
>
>
>     On 01/09/14 11:55, Rob Napier wrote:
>
>         That was exactly it. Thank you!
>
>         I'm now seeing a much less critical issue:
>
>         The amp protocol starts off unencrypted, and then switches to
>         SSL after
>         some negotiation. When I first start wireshark (without providing a
>         decryption key), I see the two AMP negotiation packets, and then
>         SSLv3
>         packets. When I add the decryption key, the initial two handshake
>         packets get re-decoded as "SSL Continuation Data" and I lose the
>         unencrypted handshake information. The encrypted traffic then
>         dissects
>         correctly.
>
>         Is this expected? Is it possible to view both the encrypted and
>         unencrypted portions of the protocol on the same port?
>
>         -Rob
>
>
>         On Thu, Jan 9, 2014 at 11:38 AM, Dirk Jagdmann <doj@xxxxxxxxx
>         <mailto:doj@xxxxxxxxx>
>         <mailto:doj@xxxxxxxxx <mailto:doj@xxxxxxxxx>>> wrote:
>
>              do you have a new_register_dissector("amp", ...) in the
>              proto_register_amp()
>              function? Otherwise the SSL dissector can not match the
>         "amp" string
>              to a
>              dissector handle/function.
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>               mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe