From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Jan 18 08:40:02 2009 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 37FD01065670 for ; Sun, 18 Jan 2009 08:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 13DF88FC14 for ; Sun, 18 Jan 2009 08:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n0I8e10q078301 for ; Sun, 18 Jan 2009 08:40:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n0I8e1xA078300; Sun, 18 Jan 2009 08:40:01 GMT (envelope-from gnats) Resent-Date: Sun, 18 Jan 2009 08:40:01 GMT Resent-Message-Id: <200901180840.n0I8e1xA078300@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dale Lindskog Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B6BAB106566B for ; Sun, 18 Jan 2009 08:31:14 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id A559E8FC17 for ; Sun, 18 Jan 2009 08:31:14 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n0I8VEha009341 for ; Sun, 18 Jan 2009 08:31:14 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id n0I8VEON009340; Sun, 18 Jan 2009 08:31:14 GMT (envelope-from nobody) Message-Id: <200901180831.n0I8VEON009340@www.freebsd.org> Date: Sun, 18 Jan 2009 08:31:14 GMT From: Dale Lindskog To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: ports/130680: net/wireshark cannot decrypt ssl after upgraded to use libgcrypt-1.4.3 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Jan 2009 08:40:02 -0000 >Number: 130680 >Category: ports >Synopsis: net/wireshark cannot decrypt ssl after upgraded to use libgcrypt-1.4.3 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jan 18 08:40:01 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Dale Lindskog >Release: 7.0-RELEASE >Organization: >Environment: FreeBSD testbox.no.domain 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Wed Jan 7 22:02:19 MST 2009 dale@testbox.no.domain:/usr/obj/usr/src/sys/DALE_KERNEL2 amd64 >Description: After upgrading tshark-lite to use libgcrypt-1.4.3, ssl decryption (with private key) is broken. Using portdowngrade(1), I reverted back to libgcrypt-1.4.1_1, and got ssl decryption working again. Here's the versions of the relevant ports where ssl decryption DOES NOT work: $ pkg_info | egrep 'libgcrypt|gnutls|tshark' gnutls-2.6.3 GNU Transport Layer Security library libgcrypt-1.4.3 General purpose crypto library based on code used in GnuPG tshark-lite-1.0.5 A powerful network analyzer/capture tool (lite package) And here's the versions of the relevant ports where ssl decryption DOES work: $ pkg_info | egrep 'libgcrypt|gnutls|tshark' gnutls-2.4.2_1 GNU Transport Layer Security library libgcrypt-1.4.1_1 General purpose crypto library based on code used in GnuPG tshark-lite-1.0.5 A powerful network analyzer/capture tool (lite package) Also, the specific problem with ssl decryption that I had is basically identical to the one described in the following URL: http://wireshark.osmirror.nl/lists/wireshark-dev/200707/msg00244.html >How-To-Repeat: As far as I know, it should be repeatable provided one installs tshark-lite (or tshark, or wireshark) from a currently up-to-date ports tree. I ran tests on two amd64 machines (one 7.0-RELEASE, one 7.1-RELEASE), and provided tshark-lite was build to use libgcrypt-1.4.2, ssl decryption broke. >Fix: Use portdowngrade(1) to downgrade libgcrypt to 1.4.1_1, gnutls to 2.4.2_1, and tshark-lite to 1.0.5 (before wireshark port was bumped to use libgcrypt-1.4.3). >Release-Note: >Audit-Trail: >Unformatted: