Re: [Ntop-misc] nDPI, ssl detection, server certificate

Wed, 06 Nov 2013 22:37:06 -0800

Also i checked, it detects with my patch SSL handshake, but whatsapp seems using unencrypted traffic now, and not all clients are detected. I prefer if you will review this patch, i started to work with nDPI only today. If everything will be ok (coding style and etc), and i will be able to contribute more, then i think worth to get svn write access. 

Also i forgot to mention, another strange thing i changed
-<----->for(i=total_len; i < packet->payload_packet_len-3; i++) {
Is a bit strange, it start to check for "magic" bytes AFTER tls handshake message. It might work if ServerHello and Certificate split in one packet by some luck (but with GRO it is possible i think), but it is not reliable at all IMHO. 

Still i will have to check how well SNI works.

I attached patch, and pcap file for test.
I tested them over pcapReader in examples.


P.S. Is there any way i can do regression tests after patching? I didn't 
found anything in nDPI.


On 2013-11-07 08:13, Luca Deri wrote:

Denys
ok for 1) and 2) but for regression testing I would like you to
provide me a pcap file I can use for testing future changes.


You can either provide me the patch or I can provide you SVN write 
access.


Thanks Luca

On 07 Nov 2013, at 07:07, Denys Fedoryshchenko
<[email protected]> wrote:


Hi

Not sure if it is correct maillist.

After debugging problem of whatsapp detection (it is now over port 
5222 and using TLS handshake), i noticed that program doesn't catch 
server side certificates at all on openssl s_client simulation, and 
also doesn't detect whatsapp at all too.


What i found:
As i remember we can find certificate or name of server over two ways:
1) SNI (optional)
2) Server certificate

For now i concentrated on server certificate:

1)We check total_len specified in TLS packet, if it is more than total 
packet length we intercepted. If it is more than packet - we just 
don't check anything.

   if (total_len > packet->payload_packet_len)
       total_len = packet->payload_packet_len;

   if(total_len <= packet->payload_packet_len) {


On my opinion it is wrong, we can truncate total_len, and check "what 
is available", and it is very common case, certificate often doesn't 
fit in one packet, but name most probably will be seen, so i add 
before that lines (and condition can be removed maybe).

  /* Truncate total len, search at least in incomplete packet */
   if (total_len > packet->payload_packet_len)
<------>total_len = packet->payload_packet_len;


2)      if(handshake_protocol == 0x02 /* Server Hello */) {

handshake_protocol probably misleading, at this offset (0x5) usually 
located "message type", which is for certificate 11 (0xb). So i added 
"|| handshake_protocol == 0xb" in condition


After that it successfully detected server certificate of whatsapp.

Should i supply it as a patch, if this way is ok?

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Index: src/lib/protocols/ssl.c
===================================================================
--- src/lib/protocols/ssl.c	(revision 6937)
+++ src/lib/protocols/ssl.c	(working copy)
@@ -110,19 +110,26 @@
   /* Nothing matched so far: let's decode the certificate with some heuristics */
   if(packet->payload[0] == 0x16 /* Handshake */) {
     u_int16_t total_len  = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
-    u_int8_t handshake_protocol = packet->payload[5];
+    u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
 
     memset(buffer, 0, buffer_len);
 
-    if(total_len <= packet->payload_packet_len) {
+
+    /* Truncate total len, search at least in incomplete packet */
+    if (total_len > packet->payload_packet_len)
+	total_len = packet->payload_packet_len;
+
+    /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */
+    if(total_len > 4) {
       int i;
 
-      if(handshake_protocol == 0x02 /* Server Hello */) {
+      if(handshake_protocol == 0x02 || handshake_protocol == 0xb /* Server Hello and Certificate message types are interesting for us */) {
 	u_int num_found = 0;
 	
 	flow->l4.tcp.ssl_seen_server_cert = 1;
 
-	for(i=total_len; i < packet->payload_packet_len-3; i++) {
+	/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
+	for(i = 9; i < packet->payload_packet_len-3; i++) {
 	  if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c))
 	     || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) {
 	    u_int8_t server_len = packet->payload[i+3];



Attachment:
test_whatsapp_server_cert.pcap

Description: application/vnd.tcpdump.pcap


_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc






















					Reply via email to