tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

RFC: TLS in rpcaps

From: Ryan Castellucci via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 05 Jul 2022 00:49:34 +0100
--- Begin Message --- From: Ryan Castellucci <tcpdump-workers-9455 () ryanc org>
Date: Tue, 05 Jul 2022 00:49:34 +0100
Hi,
I volunteered to add proper TLS certificate validation to libpcap and tcpdump back in September, and now that I'm funemployed, I've felt compelled to have a go at it. I've actually got it mostly working.
Before I get too deep into a patchset, I wanted to share a few thoughts, opinions, and ramblings for feedback:
1) TLS compression support is a foot-bazooka, is exploitable in practice, and should be removed. A modified version of the CRIME[1] attack should be completely feasible. I can't imagine any remotely feasible mitigation. Fortunately, I don't see any reason why removing it (perhaps making the rpcapd option that turns it on do nothing) would cause any compatibility issues.
2) What should the default verification behavior be? I worry about breaking people's installs if suddenly it's enabled in enforcing mode by default, but also most people are never going to bother to set things up properly without incentive. A middle ground could be to have soft failures by default - print a warning to stderr which can be turned of by passing a command line option such as --insecure, with a --tls-verify flag to make it a hard failure.
3) libpcap seems to lose track of the hostname between establishing the control connection. Path of least resistance seems to be adding `char *rmt_hostname` to `struct pcap_rpcap`, saved via strdup. Is this going to upset anyone?
4) What level of control should be exposed for the tls settings within libpcap?
5) If control over cipher suites is provided, standard tools don't change TLSv1.3 settings via cipher suite list. I'm inclined to add some cipher suite code that does sensible handling of TLSv1.3 cipher suites alongside legacy config. Thoughts?
6) Would anyone be willing to hand-hold a bit on the "active" mode? It seems a bit weird, and I'm not confident I understand what's going on. 

Thanks,
Ryan

1. https://en.wikipedia.org/wiki/CRIME

--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Previous By Date Next
Previous By Thread Next

Current thread: