Hi
Not sure if this is the correct mailing list.
After debugging a problem with WhatsApp detection (it is now over port 5222
and using a TLS handshake), I noticed that the program doesn't catch
server-side certificates at all in an openssl s_client simulation, and also
doesn't detect WhatsApp at all.
What I found:
As I remember, we can find the certificate or name of the server in two ways:
1) SNI (optional)
2) Server certificate
For now I concentrated on the server certificate:
1) We check whether the total_len specified in the TLS packet is more than
the total length of the packet we intercepted. If it is more than the
packet, we just don't check anything.
    if (total_len > packet->payload_packet_len)
        total_len = packet->payload_packet_len;
    if(total_len <= packet->payload_packet_len) {
In my opinion this is wrong: we can truncate total_len and check "what is
available". It is a very common case, the certificate often doesn't fit in
one packet, but the name will most probably be seen, so I added these lines
before that (and the condition can maybe be removed).
    /* Truncate total len, search at least in incomplete packet */
    if (total_len > packet->payload_packet_len)
        total_len = packet->payload_packet_len;
2)
    if(handshake_protocol == 0x02 /* Server Hello */) {
handshake_protocol is probably misleading: at this offset (0x5) the
"message type" is usually located, which for a certificate is 11 (0xb). So I
added "|| handshake_protocol == 0xb" to the condition.
After that it successfully detected the server certificate of WhatsApp.
Should I supply it as a patch, if this way is OK?
_______________________________________________
Ntop-misc mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
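
Added example, not part of the original message and not nDPI code: a standalone C illustration of the two changes proposed in the message, clamping the declared TLS length to the captured bytes and accepting handshake type 0x0b (Certificate) as well as 0x02. The names tls_find_hs and bytes_contain, the sample bytes and the name example.test are constructed for illustration, and the payload is assumed to start on a TLS record boundary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { REC_HANDSHAKE = 0x16, HS_SERVER_HELLO = 0x02, HS_CERTIFICATE = 0x0b };

/* Hypothetical helper, not an nDPI function: finds the first handshake message of
 * type `want`, sets *body, returns how many body bytes were captured (0 if none). */
static size_t tls_find_hs(const uint8_t *p, size_t cap, uint8_t want,
                          const uint8_t **body)
{
    for (size_t off = 0, end; cap - off >= 5 && p[off] == REC_HANDSHAKE; off = end) {
        end = off + 5 + (((size_t)p[off + 3] << 8) | p[off + 4]);
        if (end > cap) end = cap;          /* truncate to what was captured */
        for (size_t h = off + 5; end - h >= 4; ) {  /* 1-byte type, 3-byte length */
            size_t len = ((size_t)p[h + 1] << 16) | ((size_t)p[h + 2] << 8) | p[h + 3];
            size_t avail = end - (h + 4);
            if (p[h] == want) {
                *body = p + h + 4;
                return len < avail ? len : avail;
            }
            if (len > avail) return 0;     /* another message runs past the capture */
            h += 4 + len;
        }
    }
    return 0;
}

/* Nonzero if `name` occurs in the n captured bytes at b. */
static int bytes_contain(const uint8_t *b, size_t n, const char *name)
{
    size_t k = strlen(name);
    for (size_t i = 0; k && i + k <= n; i++)
        if (memcmp(b + i, name, k) == 0) return 1;
    return 0;
}

/* Constructed sample: ServerHello, then a Certificate record cut at 24 of 4000 bytes. */
static const uint8_t sample[] = {
    0x16, 0x03, 0x03, 0x00, 0x06, 0x02, 0x00, 0x00, 0x02, 0x03, 0x03,
    0x16, 0x03, 0x03, 0x0f, 0xa0, 0x0b, 0x00, 0x0f, 0x9c, 0x30, 0x82, 0x0f, 0x00,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 't', 'e', 's', 't', 0x30, 0x82, 0x01, 0x22 };

int main(void)
{
    const uint8_t *b = NULL;
    size_t n = tls_find_hs(sample, sizeof sample, HS_CERTIFICATE, &b);
    printf("captured %zu certificate bytes, name seen: %d\n", n, bytes_contain(b, n, "example.test"));
    return 0;
}
```

A handshake message that continues in a later record or TCP segment is not reassembled here; only the bytes present in this one payload are searched.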