Wireshark-dev: Re: [Wireshark-dev] SSL/DTLS: allow setting of app data dissector when using key
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Tue, 24 Feb 2015 00:25:21 +0100
On Mon, Feb 23, 2015 at 10:49:55PM +0100, Peter Wu wrote:
> On Mon, Feb 23, 2015 at 03:32:48PM +0100, Gianrico wrote:
> 
> I propose to make one or more of these changes:
> 
>  - Call the heuristics dissector only for the first data frame.

I forgot to mention the 1/n-1 splitting which is nowadays commonly done
for SSL dissectors to mitigate BEAST. New-style dissectors could return
"-1" ("I want more data") if they need more than the first byte.

>  - Decouple the list of valid protocols from
>    transport_proto/addr/server_port->appdata_proto/keyfile
>    associations. This allows for multiple valid protocols while linking
>    one unique key per transport_proto/address/server_port tuple.
>    (Jeff, comments?)
>  - Allow a wildcard protocol name in the UAT dialog just to set the key,
>    not the protocol ("any", "*" or the empty string?).
>  - Select an appdata protocol in this order: STARTTLS hint, heuristics,
>    associations, (first available) dissector hint.
> 
> Why the suggested protocol selection order?
> 
>  - STARTTLS hint is quite strong.
>  - Good heuristics can do "the right thing" automatically.
>  - Associations are entered by the user.
>  - For protocols such as SMTP, there is one clear choice which is great.
>    For port 443, the best guess is HTTP (which should have been caught
>    by the heuristics dissector) but others are possible.

-- 
Kind regards,
Peter Wu
https://lekensteyn.nl