Ethereal-dev: Re: [Ethereal-dev] SSL decryption patch for ethereal 0.10.13

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tomas Kukosa <tomas.kukosa@xxxxxxxxxxx>
Date: Fri, 25 Nov 2005 07:30:04 +0100
Hi,

if it is accepted for Linux/UNIX platforms I can adapt it for Win32.

I guess standard dissector table should be used instead of ssl_dissectors[].

Tom

Paolo Abeni wrote:
hi all,

The attached patch is an updated version of the previous one I posted
some time ago. I reworked a large part of the code. It links against
gnutls and also supports the AES encryption algorithm. The patch modifies
some autoconf related files, so you need to invoke 'autogen.sh' after
applying the patch.
A few notes:

You need the gnutls and libgcrypt devel package to compile the patched
version of ethereal.

To activate the decryption:

- start ethereal
- edit the preferences
- search and select the SSL item in the Protocol list
- put into the 'RSA private keys list' field the private key information
in the following format:
<1# host IP>:<port>:<RSA private key file used from ssl>[, <IP>:KEY]
- start the capture

Even with the private key, only RSA key exchange can be 'opened'/decrypted.
To be sure that your apache web server uses only RSA Key Exchange, find
the SSLCipherSuite directive in the configuration file and add at the
end of that line: ':!DH:!EDH:!ADH' (without the quote ').
If your configuration does not contain the SSLCipherSuite directive (and
thus you are using the default value), simply add the following line to
your config file:

SSLCipherSuite ALL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!DH:!EDH:!ADH

This will disable all non RSA key exchange.

Find the SSLCertificateKeyFile directive. That will tell you the path of
the RSA private key. Copy it on the host where ethereal is installed.
If you can't find the SSLCertificateKeyFile directive, look for the
SSLCertificateFile directive.
The full path of the key file on the host running ethereal is what you
need to put into the 'RSA private keys list' in SSL protocol preference
(see above).

SSLv2 records are just ignored by the decryption code: it's possible to
decrypt only SSLv3/TLS1 sessions.

best regards,

Paolo Abeni
