
TLSv1.3 garbage in flow fix and segmentation fault fix

Open · infokek opened this issue 10 months ago · 1 comment

Hi! I suggest changing:

  1. the ssldecode code, because of a segmentation fault on this pcap: https://app.any.run/tasks/90ff9de3-440f-4f5a-8f01-edd8d219def8 [image]
  2. the sslprint code, because of TLSv1.3 garbage in the flow after decryption (TLS and decrypted traffic are mixed). This problem is caused by a possible bug in getting the ct. Maybe @lord8266 will correct me. https://app.any.run/tasks/db11da7d-817c-4364-a15a-38011f8e5129 [image]

Changes:

  1. Cause of the segfault in ssldecode: [image] Resolved: [image]
  2. After decryption, the TCP stream no longer contains unnecessary data (such as TLS and SSL certificates and bytes that are not related to the original decrypted information): [image]

I tested these changes on many pcaps and these problems no longer appeared.

infokek avatar Feb 22 '25 09:02 infokek

I also tested these changes for TLSv1.3 decryption on pcaps that have been provided by @lord8266 (samples/).

I assume that the problem with mixing streams after decryption of TLSv1.3 was left accidentally, because in this case, with this small change, the algorithm works more correctly and leaves nothing superfluous after decryption. I would like to note that I also checked these changes on HTTP/2 traffic and got quite high-quality decryption that can be parsed by Zeek and other DPIs.

If required, I can provide pcaps from the any.run sandbox examples that I had provided in the message above.

infokek avatar Feb 24 '25 07:02 infokek
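The two comments above describe decrypted TLS 1.3 records whose handshake content (certificates and similar) ended up interleaved with application bytes in the reassembled stream. The example below is an added illustration, not code from ssldump or from this PR: it parses the TLSInnerPlaintext layout defined in RFC 8446 section 5.2 (content, then a real content-type byte, then zero padding) and keeps only application_data payloads when rebuilding the stream. The record bytes are constructed for the example; `parse_inner_plaintext`, `extract_app_data` and `demo` are hypothetical names, and the handling is not claimed to match ssldump's internal structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS 1.3 ContentType values (RFC 8446 section 5.1). */
enum {
    CT_CHANGE_CIPHER_SPEC = 20,
    CT_ALERT = 21,
    CT_HANDSHAKE = 22,
    CT_APPLICATION_DATA = 23
};

/* View of one decrypted TLSInnerPlaintext (RFC 8446 section 5.2):
 *   struct { opaque content[length]; ContentType type; uint8 zeros[padding]; }
 * The real content type is the last non-zero byte; bytes after it are padding. */
typedef struct {
    const uint8_t *content;
    size_t content_len;
    uint8_t type;
} inner_plaintext_t;

/* Returns 0 on success, -1 if no content-type byte exists (all-zero record). */
int parse_inner_plaintext(const uint8_t *pt, size_t len, inner_plaintext_t *out) {
    size_t i = len;
    while (i > 0 && pt[i - 1] == 0) i--;   /* strip zero padding */
    if (i == 0) return -1;                  /* malformed: nothing but padding */
    out->type = pt[i - 1];
    out->content = pt;
    out->content_len = i - 1;
    return 0;
}

/* Appends only application_data payloads from a sequence of decrypted records
 * to `stream`; handshake and alert records are skipped so the output carries
 * the original application bytes only. Returns bytes appended, or -1 on a
 * malformed record or when `cap` would be exceeded. */
long extract_app_data(const uint8_t *const *records, const size_t *lens, size_t n,
                      uint8_t *stream, size_t cap) {
    size_t total = 0;
    for (size_t r = 0; r < n; r++) {
        inner_plaintext_t ip;
        if (parse_inner_plaintext(records[r], lens[r], &ip) != 0) return -1;
        if (ip.type != CT_APPLICATION_DATA) continue;   /* drop handshake/alert */
        if (ip.content_len > cap - total) return -1;     /* bounds check */
        memcpy(stream + total, ip.content, ip.content_len);
        total += ip.content_len;
    }
    return (long)total;
}

/* Constructed sample (not from a real capture): a padded handshake record
 * followed by two application_data records carrying "GET / HTTP". */
long demo(uint8_t *out, size_t cap) {
    static const uint8_t rec1[] = { 0x0b, 0x00, 0x00, 0x01, 0x00, CT_HANDSHAKE, 0, 0, 0 };
    static const uint8_t rec2[] = { 'G', 'E', 'T', ' ', CT_APPLICATION_DATA, 0, 0 };
    static const uint8_t rec3[] = { '/', ' ', 'H', 'T', 'T', 'P', CT_APPLICATION_DATA };
    const uint8_t *recs[] = { rec1, rec2, rec3 };
    const size_t lens[] = { sizeof rec1, sizeof rec2, sizeof rec3 };
    return extract_app_data(recs, lens, 3, out, cap);
}
```

The padding scan must run from the end of the decrypted record, not the front, because content is allowed to contain zero bytes; only the trailing run after the content-type byte is padding. An all-zero record has no content type and is rejected rather than treated as application data, which is the kind of malformed input a capture-driven tool has to survive without crashing.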

+1000 for merging this, I ran a few tests and TLS 1.3 captures are now super clean. Thanks so much for fixing this! 🎉

pmarrapese avatar Jun 20 '25 20:06 pmarrapese

Thank you very much!

adulau avatar Jun 21 '25 04:06 adulau