Wireshark-bugs: [Wireshark-bugs] [Bug 5963] New: TLS Session Resumption break ssl decryption
Date: Fri, 27 May 2011 04:03:44 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5963

           Summary: TLS Session Resumption break ssl decryption
           Product: Wireshark
           Version: 1.6.0
          Platform: All
        OS/Version: Windows 7
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mcclown@xxxxxxxxx


Created an attachment (id=6409)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6409)
TLS session tickets disabled, capture

Build Information:
Version 1.6.0rc1 (SVN Rev 37186 from /trunk-1.6)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with
Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
May
16 2011), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022
--
Hi,

I've been looking at captures made with a debug build of Firefox that dumps the
pre-master-secrets of ssl sessions. Wireshark now supports working with these
dumps since the patch in #4349 was applied.

I've noticed as a result of this an issue in Wireshark with decrypting SSL
sessions where "TLS Session Resumption" is enabled in Firefox and the server.
This can be turned on or off in about:config with
security.enable_tls_session_tickets (true by default). This was implemented
according to RFC5077 as far as I can tell.

When this is false, everything decrypts fine as can be seen with my capture and
ssl key files (tls_session_tickets_disabled) which are attached. These are
taken for https://www.google.com

The problem pops up when this setting is set to true(which is the default
value). The first part of the new TLS session is decrypted fine, but further
down in the capture a TLS session tries to be resumed and Wireshark can't
decrypt the application data from here. I've attached the capture and ssl key
file again (tls_session_tickets_enabled). This is also a capture from
https://www.google.com

I started looking at fixing this a while ago but I didn't have the time then to
go any further with it. Also it was going a bit beyond my knowledge level. 

Anyone have any thoughts?

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.