Can you please let me know if this patch is ok or if there is something
fundamentally wrong?
Btw, I obtained this test dump by running:
    openssl s_client -host 173.192.219.134 -port 5222
and intercepting its traffic.
On 2013-11-07 08:13, Luca Deri wrote:
Denys
ok for 1) and 2) but for regression testing I would like you to
provide me a pcap file I can use for testing future changes.
You can either provide me the patch or I can provide you SVN write
access.
Thanks Luca
On 07 Nov 2013, at 07:07, Denys Fedoryshchenko
<[email protected]> wrote:
Hi
Not sure if this is the correct mailing list.
After debugging a problem with WhatsApp detection (it is now over port
5222 and using a TLS handshake), I noticed that the program doesn't catch
server side certificates at all on an openssl s_client simulation, and
also doesn't detect WhatsApp at all.
What I found:
As I remember, we can find the certificate or name of the server in two ways:
1) SNI (optional)
2) Server certificate
For now I concentrated on the server certificate:
1) We check whether the total_len specified in the TLS packet is more than
the total packet length we intercepted. If it is more than the packet, we just
don't check anything.
    if (total_len > packet->payload_packet_len)
        total_len = packet->payload_packet_len;
    if(total_len <= packet->payload_packet_len) {
In my opinion this is wrong: we can truncate total_len and check "what
is available". It is a very common case; a certificate often doesn't
fit in one packet, but the name will most probably be seen, so I added this
before those lines (and the condition can maybe be removed).
    /* Truncate total len, search at least in incomplete packet */
    if (total_len > packet->payload_packet_len)
        total_len = packet->payload_packet_len;
2) if(handshake_protocol == 0x02 /* Server Hello */) {
handshake_protocol is probably misleading; at this offset (0x5) the
"message type" is usually located, which for a certificate is 11 (0xb). So I added
"|| handshake_protocol == 0xb" to the condition.
After that it successfully detected the server certificate of WhatsApp.
Should I supply it as a patch, if this way is ok?
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
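
The two changes discussed in the thread above (clamping total_len to the captured payload, and accepting handshake message type 0x0b as well as 0x02), shown as an added stand-alone C example that is not nDPI code and not part of the original messages. The function names, the computation of total_len as record length plus the 5-byte record header, and the sample bytes with the placeholder name "example.test" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_HANDSHAKE   0x16  /* record content type */
#define HS_SERVER_HELLO 0x02  /* handshake message types */
#define HS_CERTIFICATE  0x0b

/* Handshake message type at offset 5, or -1 if not a handshake record. */
int tls_handshake_type(const uint8_t *p, size_t captured)
{
    if (p == NULL || captured < 6 || p[0] != TLS_HANDSHAKE)
        return -1;
    return p[5];
}

/* Bytes of the record that are safe to inspect: the declared length clamped
 * to what was captured. 0 unless it is a Server Hello or Certificate. */
size_t tls_inspect_len(const uint8_t *p, size_t captured)
{
    int type = tls_handshake_type(p, captured);
    if (type != HS_SERVER_HELLO && type != HS_CERTIFICATE)
        return 0;
    size_t total_len = (((size_t)p[3] << 8) | p[4]) + 5; /* + record header */
    if (total_len > captured)  /* rest of the record is in later segments */
        total_len = captured;  /* inspect only what is present */
    return total_len;
}

/* Bounded search for needle; never reads past buf[len - 1]. */
int window_contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed sample: a Certificate record that declares 2048 bytes, of
 * which only the first 32 were captured in this segment. */
const uint8_t sample[32] = {
    0x16, 0x03, 0x01, 0x08, 0x00,  /* record header, declared length 2048 */
    0x0b, 0x00, 0x07, 0xfc,        /* Certificate message, length 2044 */
    0x30, 0x82, 0x07, 0xf8,        /* filler standing in for DER bytes */
    'e','x','a','m','p','l','e','.','t','e','s','t'  /* rest zero-filled */
};
```

Without the clamp, the declared 2053-byte total exceeds the 32 captured bytes and the record would be skipped; with it, the search stays inside the captured buffer and still finds the name.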