Unknown or invalid cipher suite type X #587

Closed
HugooB opened this issue Jun 14, 2021 · 7 comments

HugooB commented Jun 14, 2021

Describe the bug
Parsing HTTPS packets results in the following error: dpkt.ssl.SSL3Exception: Unknown or invalid cipher suite type X. There is a similar issue on the Salesforce JA3 git: salesforce/ja3#59. Downgrading to 1.9.2 solves the issue.

To Reproduce

  1. Get the PCAP from https://www.malware-traffic-analysis.net/2021/06/03/index.html
  2. Install dpkt latest version (1.9.6)
  3. Try to generate JA3 hashes by using Salesforce's JA3 Python implementation
  4. Get the error

Expected behavior
It should work

Details (please complete the following information):

  • OS: MacOS 11.4
  • Python 3.8.1

Additional context
salesforce/ja3#59

obormot (Collaborator) commented Jun 14, 2021

Relevant piece of the ja3 code here: https://github.com/salesforce/ja3/blob/master/python/ja3.py#L177
Pcap with only tcp/443 packets: issue_587.pcap.gz

obormot commented Jun 14, 2021

Looks like dpkt's SSL decoder fails to recognize one of the reserved GREASE cipher suite values (0x6a6a) present in the pcap. These cipher suites are defined here: https://datatracker.ietf.org/doc/html/rfc8701#section-2

This code block raises an exception if the given cipher suite is not known (i.e. not defined in ssl_ciphersuites.py)
https://github.com/kbandla/dpkt/blob/master/dpkt/ssl.py#L300

I think dpkt should have more permissive logic - i.e. it should not abort parsing the TLS record when it encounters an unknown (to dpkt) cipher suite. I will submit a fix for this
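
The permissive behaviour proposed in the comment above, as an added example that is not part of the original thread and is not dpkt's or ja3's code. The function names, the three-entry suite table and the sample bytes are assumptions made for illustration; the GREASE test follows RFC 8701 section 2, and the last helper skips GREASE values the way the JA3 method does.

```python
import struct

# Constructed three-entry subset of the IANA cipher suite registry (illustration only).
KNOWN_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def is_grease(code):
    """RFC 8701 section 2: 0x0A0A, 0x1A1A, ... 0xFAFA (equal bytes, low nibble 0xA)."""
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A

def decode_cipher_suites(buf):
    """Decode a ClientHello cipher_suites vector: 2-byte length, then 2-byte codes.

    A code missing from the table is labelled "Unknown" instead of raising,
    so one unrecognised value does not abort parsing of the whole record.
    Only a structurally broken vector is treated as an error.
    """
    if len(buf) < 2:
        raise ValueError("cipher_suites vector is missing its length prefix")
    (length,) = struct.unpack("!H", buf[:2])
    body = buf[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("cipher_suites vector is truncated or has odd length")
    suites = []
    for (code,) in struct.iter_unpack("!H", body):
        if is_grease(code):
            suites.append((code, "grease", "GREASE"))
        elif code in KNOWN_SUITES:
            suites.append((code, "known", KNOWN_SUITES[code]))
        else:
            suites.append((code, "unknown", "Unknown"))
    return suites

def ja3_cipher_field(suites):
    """Cipher part of a JA3 string: decimal codes joined by '-', GREASE skipped."""
    return "-".join(str(code) for code, kind, _ in suites if kind != "grease")

# Constructed sample vector: the GREASE value 0x6a6a named in this issue, two
# suites from the table, and 0xff01 standing in for a code the table lacks.
SAMPLE = bytes.fromhex("0008" "6a6a" "1301" "c02f" "ff01")

if __name__ == "__main__":
    for code, kind, name in decode_cipher_suites(SAMPLE):
        print(f"0x{code:04x} {kind:8} {name}")
    print(ja3_cipher_field(decode_cipher_suites(SAMPLE)))
```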

obormot self-assigned this Jun 14, 2021

HugooB commented Jun 15, 2021

Thanks for this quick reaction! Looking forward to the fix!

obormot commented Jun 15, 2021

PR #588 is up

obormot added a commit that referenced this issue Jun 15, 2021

obormot commented Jun 17, 2021

@HugooB I've now merged the fix into master. Please see if it helps resolve the issue (you'll need to install dpkt from master).
Once we publish a new release I'll update the ja3 issue.

obormot added a commit that referenced this issue Jun 17, 2021
Improvements to TLS ClientHello and ServerHello parsing:
  * return an "Unknown" CipherSuite instead of raising an exception;
  * add codes for RFC8701, GREASE ciphersuites;
  * CipherSuite __repr__ now includes the numerical code;
  * rename some attributes to align between ClientHello and ServerHello classes, original names still supported.

LouAlbano commented

1.9.4 doesn't produce this error, 1.9.5 and 1.9.6 both do.

related: salesforce/ja3#59

obormot commented Aug 25, 2021

@LouAlbano this was fixed in 1.9.7 (latest release). I will double check and comment on the ja3 issue
