
Wireshark-users: Re: [Wireshark-users] Certificate Request doesn't seem properly displayed

From: "Ryerse, Mike (DIS)" <MikeRy@xxxxxxxxxx>
Date: Wed, 17 Sep 2008 10:56:10 -0700
I haven't added a private key to either application.  Could Ethereal be
making an assumption that there is a certificate request based on
previous packets of the SSL negotiation?  It seems to me like packet 39
is not encrypted and no assumption is made, and even the first byte of
the "encrypted handshake message" is 0d, or 13, which is how Ethereal is
recognizing this as a certificate request.

The IIS server is set up so that it is only protecting certain sites on
the same listener with required client certificate authentication.
There are other sites on the same listener that do not require client
certificate authentication.  I think it makes sense because by the time
the SSL negotiation takes place, IIS does not know exactly what site
(URI) is being requested.  It only knows the hostname/port (listener).
So if you have some sites on the same listener that require client
certificate authentication, and some that don't or are optional, it
needs to let all clients negotiate an SSL session without requiring a
client certificate, and when it gets to the point where the URI is
passed, then the server initiates a new SSL negotiation that requires a
client certificate, and this request could be encrypted, not allowing
Wireshark to see the certificate request.  This still seems odd to me
though because other http servers would do the same thing by issuing a
client certificate (packet 6 in my capture).  So I think this is just a
Microsoft way of doing things.

It is a test system, so I can get the private key of the server for a
new capture.  It'll take me a while to get the key correctly loaded into
Wireshark, and hopefully we're using RSA because it seems that is all
Wireshark supports.


Thanks,

Michael Ryerse
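To make the point above concrete (and Sake's remark further down that the server starts renegotiating after some application data), here is an added illustration that is not part of this thread and not Wireshark's dissector code. It walks a constructed SSLv3 record stream from the server and labels each record the way a state-tracking dissector does: handshake records are parsed only until the server's ChangeCipherSpec; after that every Handshake record, including the HelloRequest that starts a renegotiation and the CertificateRequest that follows it, is ciphertext, so a leading byte of 0x0d is not evidence of a CertificateRequest. The naive_handshake_label function shows what happens when a dissector ignores that state and reads the first byte as a handshake type anyway. The sample bytes, cipher-suite tables and all function names are constructed for this example; the tables are deliberately small.

```python
"""Walk an SSLv3/TLS record stream from the server and label each record.

Constructed sample data, not taken from the capture discussed in the thread.
"""
import struct

CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {0: "Hello Request", 1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   12: "Server Key Exchange", 13: "Certificate Request", 14: "Server Hello Done",
                   15: "Certificate Verify", 16: "Client Key Exchange", 20: "Finished"}
# Illustrative tables only (assumption: not exhaustive). With RSA key exchange the server's
# private key decrypts the premaster secret, so a copy of it lets a sniffer decrypt the
# session; with (D)HE key exchange the private key only signs and does not help.
RSA_KX_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}
DHE_KX_SUITES = {0x0016, 0x0033, 0x0039}


def record(ctype, payload, version=0x0300):
    """Build one record: type(1) version(2) length(2) payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def hs_msg(hs_type, body):
    """Build one handshake message: type(1) length(3) body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) tuples."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record")
        out.append((ctype, ver, payload))
        off += 5 + length
    return out


def parse_handshake_messages(payload):
    """Split a plaintext Handshake record into (type, body) pairs.
    (Messages that span records are not reassembled in this toy.)"""
    msgs, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("malformed handshake header")
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("malformed handshake length")
        msgs.append((hs_type, body))
        off += 4 + length
    return msgs


def server_hello_cipher_suite(body):
    """ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)."""
    sid_len = body[34]
    off = 35 + sid_len
    return int.from_bytes(body[off:off + 2], "big")


def key_exchange_class(suite):
    """Tell whether the server's private key would let a sniffer decrypt this suite."""
    if suite in RSA_KX_SUITES:
        return "RSA"
    if suite in DHE_KX_SUITES:
        return "DHE"
    return "unknown"


def naive_handshake_label(payload):
    """What a dissector that ignores the CCS state does with an encrypted record: it reads
    the first byte as the handshake type and then trips over the length field."""
    name = HANDSHAKE_TYPES.get(payload[0], "Unknown")
    try:
        parse_handshake_messages(payload)
        return name
    except ValueError:
        return name + " [Malformed Packet]"


def dissect_server_stream(data):
    """Label each record; after the server's ChangeCipherSpec, handshake records are opaque."""
    labels, suite, encrypted = [], None, False
    for ctype, _ver, payload in parse_records(data):
        if ctype == 20:
            encrypted = True  # everything the server sends from here on is under the session keys
            labels.append("Change Cipher Spec")
        elif ctype == 22 and not encrypted:
            for hs_type, body in parse_handshake_messages(payload):
                labels.append(HANDSHAKE_TYPES.get(hs_type, "Unknown Handshake"))
                if hs_type == 2:
                    suite = server_hello_cipher_suite(body)
        elif ctype == 22:
            # A renegotiation (HelloRequest, then the CertificateRequest of the new handshake)
            # also lands here: without the session keys its first byte means nothing.
            labels.append("Encrypted Handshake Message")
        else:
            labels.append(CONTENT_TYPES.get(ctype, "Unknown"))
    return {"labels": labels, "cipher_suite": suite, "key_exchange": key_exchange_class(suite)}


# Constructed server->client stream: SSLv3, suite 0x002F (TLS_RSA_WITH_AES_128_CBC_SHA).
SERVER_HELLO = hs_msg(2, b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
CERTIFICATE = hs_msg(11, b"\x00\x00\x00")  # empty certificate list, placeholder only
SERVER_HELLO_DONE = hs_msg(14, b"")
# Constructed ciphertext whose first byte happens to be 0x0d, the CertificateRequest type.
ENCRYPTED_FINISHED = bytes.fromhex("0d7f3a91c4e2b05517aa9d63f1028c4be7d3a90b5c62f48e1d07b3c9a5e46f12")
ENCRYPTED_HELLO_REQUEST = bytes.fromhex("3b9e0c51d7a2f864e0b17c93d5a84f2061c3e9b7")
SAMPLE_SERVER_STREAM = (
    record(22, SERVER_HELLO + CERTIFICATE + SERVER_HELLO_DONE)
    + record(20, b"\x01")
    + record(22, ENCRYPTED_FINISHED)
    + record(23, bytes.fromhex("8a4d2e7fb1c6039e5d7a2f4c"))
    + record(22, ENCRYPTED_HELLO_REQUEST)  # server kicks off renegotiation, already encrypted
)

if __name__ == "__main__":
    print(dissect_server_stream(SAMPLE_SERVER_STREAM))
    print(naive_handshake_label(ENCRYPTED_FINISHED))
```

The cipher-suite check matters for the plan of loading the server key: the key only decrypts the session when the ServerHello picked an RSA key-exchange suite, which the script reports from the plaintext part of the handshake before anything is encrypted.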

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, September 17, 2008 9:18 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly
displayed

With my version of Wireshark (Version 1.0.99-SVN-26006) packet 39 shows
"Change Cipher Spec, Encrypted Handshake Message". If your Ethereal 1.1.0 is
showing this as "Certificate Request", then you must have added the private
key to your ssl preferences to let it decode the encrypted data. Do you have
the same key configured in your Wireshark 1.0.3 installation?

What the trace tells me is that there is a full SSL negotiation, then some
application data request on which the SSL server starts renegotiating the
SSL session. I have seen this before when the HTTP-server protects only
specific pages with SSL client authentication.

Is this a test-setup for which you can provide the private key of the
server? Or is this production?

Cheers,
     Sake

----- Original Message ----- 
From: "Ryerse, Mike (DIS)" <MikeRy@xxxxxxxxxx>
To: "Community support list for Wireshark"
<wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2008 5:42 PM
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly
displayed


It displays the same for me with or without the whole negotiation.  Here
is the whole capture.  Packet 39 is the packet that Ethereal 1.1.0 is
saying contains a certificate request, but Wireshark 1.0.3 does not.


Thanks,

Michael Ryerse


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, September 16, 2008 10:52 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly
displayed

Mike,

The small capture file that you attached to your e-mail only has one packet
in it. For Wireshark to be able to dissect the ssl session properly, it needs
to see the whole ssl-negotiation. So we need at least all packets from this
ssl-session up to the packet showing "[malformed]".

Cheers,
       Sake


----- Original Message ----- 
From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark"
<wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2008 7:25 AM
Subject: Re: [Wireshark-users] Certificate Request doesn't seem properly
displayed


Hi,

If this is so you should open a bugreport on https://bugs.wireshark.org.
Describe what you see and attach the capture there, so it won't be forgotten
and a fix can be tested.

Thanx,
Jaap

Guy Harris wrote:
> On Sep 16, 2008, at 4:56 PM, Ryerse, Mike (DIS) wrote:
>
>> Wireshark 1.0.3 is displaying a specific SSLv3 packet as "Change
>> Cipher Spec, Encrypted Handshake Message", while Ethereal 1.1.0
>> displays it as "Change Cipher Spec, Certificate Request[Malformed
>> Packet]".
>>
>> Normally I would think the newer software is showing it correctly.
>
> I assume that
>
> 1) you meant "Wireshark 1.1.0", not "Ethereal 1.1.0" (the last
> release that had the name "Ethereal" rather than "Wireshark" was 0.99.1)
>
> and therefore that
>
> 2) Wireshark 1.1.0 is the newer software.
>
> Is that the case?

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users









