Denys as zoo as I have time I will check the code Thanks for providing us a patch
Luca On 07 Nov 2013, at 22:38, Denys Fedoryshchenko <[email protected]> wrote: > Can you please let me know if this patches ok or there is something > fundamentally wrong? > > Btw i obtained this test dump over running: > openssl s_client -host 173.192.219.134 -port 5222 > and intercepting it's traffic > > > On 2013-11-07 08:13, Luca Deri wrote: >> Denys >> ok for 1) and 2) but for regression testing I would like you to >> provide me a pcap file I can use for testing future changes. >> You can either provide me the patch or I can provide you SVN write access. >> Thanks Luca >> On 07 Nov 2013, at 07:07, Denys Fedoryshchenko >> <[email protected]> wrote: >>> Hi >>> Not sure if it is correct maillist. >>> After debugging problem of whatsapp detection (it is now over port 5222 and >>> using TLS handshake), i noticed that program doesn't catch server side >>> certificates at all on openssl s_client simulation, and also doesn't detect >>> whatsapp at all too. >>> What i found: >>> As i remember we can find certificate or name of server over two ways: >>> 1) SNI (optional) >>> 2) Server certificate >>> For now i concentrated on server certificate: >>> 1)We check total_len specified in TLS packet, if it is more than total >>> packet length we intercepted. If it is more than packet - we just don't >>> check anything. >>> if (total_len > packet->payload_packet_len) >>> total_len = packet->payload_packet_len; >>> if(total_len <= packet->payload_packet_len) { >>> On my opinion it is wrong, we can truncate total_len, and check "what is >>> available", and it is very common case, certificate often doesn't fit in >>> one packet, but name most probably will be seen, so i add before that lines >>> (and condition can be removed maybe). >>> /* Truncate total len, search at least in incomplete packet */ >>> if (total_len > packet->payload_packet_len) >>> <------>total_len = packet->payload_packet_len; >>> 2) if(handshake_protocol == 0x02 /* Server Hello */) { >>> handshake_protocol probably misleading, at this offset (0x5) usually >>> located "message type", which is for certificate 11 (0xb). So i added "|| >>> handshake_protocol == 0xb" in condition >>> After that it successfully detected server certificate of whatsapp. >>> Should i supply it as a patch, if this way is ok? >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
