Wireshark-dev: Re: [Wireshark-dev] Supported GnuTLS/glib/libgcrypt versions?
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Wed, 14 Oct 2015 20:25:57 +0200
On Mon, Oct 12, 2015 at 02:02:18PM -0400, Jeff Morriss wrote:
> On 10/11/15 17:32, Peter Wu wrote:
> >Hi,
> >
> >Michal reported to me that a recent change in the SSL dissector was not
> >compatible with older GnuTLS versions[1].
> >
> >The changes introduced the use of functions gnutls_pubkey_import and
> >gnutls_pubkey_import_rsa_raw which were introduced with GnuTLS 2.12.0 in
> >2011-03-24 (2.11.3 development). Michal is using (RHEL6?) GnuTLS 2.8.5
> >(released in November 2009).
> >
> >Since the minimum Qt4 version for upcoming Wireshark 2.0 is already
> >higher than what RHEL6 ships, would you mind if the GnuTLS version is
> >also bumped?
> 
> Since GnuTLS is optional [and I don't do decryption very often ;-)] I don't
> really mind.  I can't say that I know how much the rest of the RHEL 6 world
> uses decryption though.

Looks like GnuTLS is only needed if you have to supply a RSA private
key. When using the SSL keylog file, having just libgcrypt is
sufficient. Currently the SSL dissector requires both to be present for
decryption, but that is an unnecessary restriction. I'll move code
around so that at least decryption with a SSL keylog file can be
supported.

> But you do raise a good point: I should start doing test compiles of the 2.0
> rc on RHEL 6.  I hadn't realized my users would have to continue using the
> Gtk+ GUI.  Too bad...

I have started testing with cmake + CentOS 6, it is not doing bad. At
least these fixes are needed to fix the build:
https://code.wireshark.org/review/10916
https://code.wireshark.org/review/11041

GnuTLS needs more work, for now it RHEL6 support for decryption with a
RSA private key will be dropped. Maybe I'll find a solution later.
The version check is updated at https://code.wireshark.org/review/11044.

> >Speaking of bumping library versions, can we also bump the glib and
> >libgcrypt versions? Current versions are glib 2.14 and libgcrypt
> >1.1.92. If we could go to glib 2.28 (Feb 2011) and gcrypt 1.5.0 (Jun
> >2011), it would enable us to use newer functions such as
> >g_list_free_full.
> 
> The glib change is OK for me (for RHEL 6) but it does appear to mean we'd
> lose support for all SLES versions; I'd tend to think that would be a bad
> thing.

I made a mistake, SLES 12 includes glib2 2.38.2, the wiki is now updated
to reflect that. For now the minimum gcrypt version is 1.4.2
(https://code.wireshark.org/review/11043).
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl