Denys,
OK for 1) and 2), but for regression testing I would like you to provide me a pcap file I can use for testing future changes.
You can either provide me the patch or I can provide you SVN write access.

Thanks Luca

On 07 Nov 2013, at 07:07, Denys Fedoryshchenko <[email protected]> wrote:

> Hi
>
> Not sure if this is the correct mailing list.
> After debugging a problem with WhatsApp detection (it is now over port 5222 and
> using a TLS handshake), I noticed that the program doesn't catch server-side
> certificates at all in an openssl s_client simulation, and also doesn't detect
> WhatsApp at all.
>
> What I found:
> As I remember, we can find the certificate or name of the server in two ways:
> 1) SNI (optional)
> 2) Server certificate
>
> For now I concentrated on the server certificate:
> 1) We check total_len specified in the TLS packet, if it is more than the total packet
> length we intercepted. If it is more than the packet - we just don't check
> anything.
>     if (total_len > packet->payload_packet_len)
>       total_len = packet->payload_packet_len;
>
>     if(total_len <= packet->payload_packet_len) {
>
> In my opinion it is wrong; we can truncate total_len and check "what is
> available", and it is a very common case: the certificate often doesn't fit in one
> packet, but the name most probably will be seen, so I add before those lines (and
> the condition can be removed maybe).
>     /* Truncate total len, search at least in incomplete packet */
>     if (total_len > packet->payload_packet_len)
>             total_len = packet->payload_packet_len;
>
>
> 2) if(handshake_protocol == 0x02 /* Server Hello */) {
> handshake_protocol is probably misleading; at this offset (0x5) is usually located
> the "message type", which for a certificate is 11 (0xb). So I added "||
> handshake_protocol == 0xb" to the condition.
>
> After that it successfully detected the server certificate of WhatsApp.
>
> Should I supply it as a patch, if this way is OK?
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
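
Added example, not part of the thread and not nDPI code: the two changes discussed above, clamping the declared TLS record length to the captured payload and accepting handshake message type 0x0b (Certificate) alongside 0x02 (Server Hello), applied to a constructed truncated record. The function names, the strict flag and the sample bytes are assumptions made for illustration; the substring search stands in for nDPI's own certificate name extraction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: first captured segment of a server Certificate record.
   The record declares 3840 bytes but only 31 were captured; not a valid cert. */
static const uint8_t sample[] = {
    0x16, 0x03, 0x01, 0x0f, 0x00,            /* record: handshake, length 3840 */
    0x0b, 0x00, 0x0e, 0xfc,                  /* offset 5: type 0x0b Certificate */
    0x00, 0x0e, 0xf9, 0x00, 0x0e, 0xf6,      /* list length, certificate length */
    0x30, 0x82, 0x0e, 0xf2,                  /* DER SEQUENCE header */
    'e','x','a','m','p','l','e','.','t','e','s','t'
};

/* Bytes of the record that may be inspected. strict=1 skips a record whose
   declared length exceeds the capture; strict=0 clamps to what is available. */
size_t tls_scan_len(const uint8_t *p, size_t caplen, int strict)
{
    if (caplen < 6 || p[0] != 0x16)
        return 0;
    size_t total_len = (((size_t)p[3] << 8) | p[4]) + 5;   /* body + 5-byte header */
    if (total_len > caplen) {
        if (strict)
            return 0;
        total_len = caplen;          /* truncate, search the incomplete record */
    }
    return total_len;
}

/* 1 if needle occurs in a Server Hello (0x02) or Certificate (0x0b) message,
   never reading past the clamped length. */
int tls_server_name_seen(const uint8_t *p, size_t caplen, const char *needle, int strict)
{
    size_t n = strlen(needle), len = tls_scan_len(p, caplen, strict);
    if (len == 0 || n == 0 || (p[5] != 0x02 && p[5] != 0x0b))
        return 0;
    for (size_t i = 6; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("strict: %d, clamped: %d\n",
           tls_server_name_seen(sample, sizeof sample, "example.test", 1),
           tls_server_name_seen(sample, sizeof sample, "example.test", 0));
    return 0;
}
```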
