Parsing ServerKeyExchange message in SSL

Question

I'm building a Java parser to read and handle SSL Handshake message. Perietf spec, the ServerKeyExchange message is represented as follows:

struct {
      select (KeyExchangeAlgorithm) {
          case dh_anon:
              ServerDHParams params;
          case dhe_dss:
          case dhe_rsa:
              ServerDHParams params;
              digitally-signed struct {
                  opaque client_random[32];
                  opaque server_random[32];
                  ServerDHParams params;
              } signed_params;
          case rsa:
          case dh_dss:
          case dh_rsa:
              struct {} ;
             /* message is omitted for rsa, dh_dss, and dh_rsa */
          /* may be extended, e.g., for ECDH -- see [TLSECC] */
      };
  } ServerKeyExchange;

..whereas the ServerDHParams is defined as follows:

struct {
   opaque dh_p<1..2^16-1>;
   opaque dh_g<1..2^16-1>;
   opaque dh_Ys<1..2^16-1>;
} ServerDHParams;     /* Ephemeral DH parameters */

Now when I use the wireshark to look at a sample trace containing an instance of Server Key Exchange, I see a format that does not fit the definition above:

How can I use the ietf definition to parse such a Server Key Exchange message?

Answer 1

They are both correct. DHE and ECDHE are different algorithms. The struct definition from RFC 5246 specifies message format for DHE, while in Wireshark what you see is ECDHE key exchange. For ECDHE, you can find its definition in RFC 4492, which is the same as what you see in WireShark:

ec_diffie_hellman: Indicates the ServerKeyExchange message contains an ECDH public key.

    select (KeyExchangeAlgorithm) {
        case ec_diffie_hellman:
            ServerECDHParams    params;
            Signature           signed_params;
    } ServerKeyExchange;

    struct {
        ECParameters    curve_params;
        ECPoint         public;
    } ServerECDHParams;