Finished decryption failure on Hello_Request
#103
Finished decryption failure on Hello_Request 5 Years ago Karma: 0
In the Hello_request scenario, unsniff is not capable of decrypting the Change Cipher Spec, Finished packet from either the server or client. This Change Cipher Spec and Finished packet fails at the renegotiation process after the hello request.

The thing is that the server and client had accepted the new security parameters after the hello request. That is, I am getting the web page after the hello request. So the Hello request handshake was successful, but unsniff has the problem.

Check the Handshake ID 0x14 in the decrypted Finished in the hello request; it won't be available in unsniff.

I am using unsniff 1.0.1.1230 :ohmy:
 
#104
Re:Finished decryption failure on Hello_Request 5 Years ago Karma: 0
Thanks for the report,

What is the new cipher spec that has been negotiated?

1) Can you set the API trace level to Info?
2) Do a View->Log Window

Then re-import the capture file. Do you see any messages in the log about an unsupported cipher?

Regards,
Vivek Rajan
 
#105
Re:Finished decryption failure on Hello_Request 5 Years ago Karma: 0
There is no "Unsupported Cipher Entry" in the log. The log level had already been set to info. The cipher suite selected by the server in the server hello is TLS_RSA_WITH_RC4_128_MD5 (Cipher ID 0x00,0x04). Up to the server done, the decryption is OK. But after the server done (handshake in the Hello request scenario), the packets are not decrypted properly. Unsniff attempts to decrypt with a wrong key.
 
#107
Re:Finished decryption failure on Hello_Request 5 Years ago Karma: 0
Ashok,

This seems to be a bug; it should continue decrypting with the new sec params.

Are you testing on a production machine? If we cannot reproduce it, it would be of great help if you can install a test server certificate (I can send you one or you can create one using OpenSSL). Then send me the capture file. If you are testing on a dev/test machine, send me the capture file and key via email. We can destroy the key after the problem is fixed.

If you are unable to share, we will try to replicate it if possible in the lab. What server/proxy/client are you using?

Can you email me at vivek (at] unleashnetworks?

Thanks for the report,
Vivek Rajan
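
Added illustration, not part of the original posts and not Unsniff's code: in TLS, the renegotiation handshake that follows a HelloRequest, including its ChangeCipherSpec record, is still protected by the keys from the first handshake, and only the records after ChangeCipherSpec (starting with Finished) use the new keys. The sketch models one direction with RC4 and constructed keys and records (MACs omitted), and compares a passive decryptor that switches state at ChangeCipherSpec with one that does not.

```python
CCS, HANDSHAKE = 20, 22      # TLS record content types (cleartext record header)
FINISHED = bytes([0x14, 0, 0, 12]) + b"v" * 12   # constructed Finished, type 0x14

class RC4:
    """Stateful RC4 keystream; TLS keeps this state running across records."""
    def __init__(self, key):
        self.s, self.i, self.j = list(range(256)), 0, 0
        j = 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) % 256
            self.s[i], self.s[j] = self.s[j], self.s[i]

    def crypt(self, data):
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) % 256
            self.j = (self.j + self.s[self.i]) % 256
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) % 256])
        return bytes(out)

# Constructed keys standing in for the client write key of each handshake.
KEY_FIRST, KEY_RENEG = b"first-handshake!", b"renegotiated-key"

def client_records():
    """Constructed client-to-server record stream, starting at the first Finished."""
    old, new = RC4(KEY_FIRST), RC4(KEY_RENEG)
    return [
        (HANDSHAKE, old.crypt(FINISHED)),                  # first handshake ends
        (HANDSHAKE, old.crypt(b"\x01" + b"renegotiation ClientHello")),
        (CCS, old.crypt(b"\x01")),                         # still under old keys
        (HANDSHAKE, new.crypt(FINISHED)),                  # first record under new keys
    ]

def decrypt_stream(records, switch_on_ccs):
    """Decrypt as a passive analyzer would; returns the plaintext of each record."""
    current, pending = RC4(KEY_FIRST), RC4(KEY_RENEG)
    plaintexts = []
    for ctype, body in records:
        plaintexts.append(current.crypt(body))
        if ctype == CCS and switch_on_ccs:
            current = pending      # pending read state becomes current after CCS
    return plaintexts

if __name__ == "__main__":
    for switch in (True, False):
        last = decrypt_stream(client_records(), switch)[-1]
        print("switch at CCS:", switch, "first byte of Finished: 0x%02x" % last[0])
```

A real analyzer keeps a separate current/pending pair for each direction, because the client's and the server's ChangeCipherSpec each switch only that sender's keys.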
 
#108
Re:Finished decryption failure on Hello_Request 5 Years ago Karma: 0
Hi Vivek,
I had sent you a mail carrying the logs and key as attachment. For ease of testing I had performed the test with just two machines connected using a peer-to-peer cable. Hence there will be no issues with respect to proxy. Please read the ReadMe file for details.

Regards,
C. Ashok Kumar :)
 
#109
Re:Finished decryption failure on Hello_Request 5 Years ago Karma: 0
Hi Ashok,

I got your email but without the attachment. I have replied to your mail yesterday.

Thanks,

Vivek Rajan
Unleash Networks