[openssl-users] Pre-TLS Handshake Data

Matt Caswell matt at openssl.org
Fri Apr 20 08:20:49 UTC 2018



On 20/04/18 04:26, Gary Johnson wrote:
> Hey Folks,
> 
> I'm trying to figure out what this data is that is being sent pre-handshake:
> 
> $ openssl s_client -connect google.com:443 <http://google.com:443>
> -debug -state -msg
> CONNECTED(00000005)
> SSL_connect:before/connect initialization
> write to 0x7ff53bc07c20 [0x7ff53c002e00] (318 bytes => 318 (0x13E))
> 0000 - 16

This indicates SSL/TLS record is a handshake packet

> 03 01

The record has version TLSv1.0

> 01 39

The record has this length

> 01

Now we start the body of the message contained inside the record. This
indicates this is a ClientHello message

> 00 01-35

This is the length of the message

> 03 03

The maximum supported TLS version this client is willing to negotiate is
TLSv1.2

> 3e d2 76 71 98   ....9...5..>.vq.
> 0010 - 9a 32 40 29 cf 4a ad 40-86 12 61 1b 44 97 3f 35   .2@).J. at ..a.D.?5
> 0020 - e2 fd 43 83 d2 4d 6a 18-32 30 0d

This is the client random value


> 00

There is no session id

> 00 98

This is the length of the list of available ciphersuites.

The remaining data is the list of ciphersuites, any compression methods
and extensions that are present.

See RFC5246 section7.4.1.2

Matt

> cc 14   ..C..Mj.20......
> 0030 - cc 13 cc 15 c0 30 c0 2c-c0 28 c0 24 c0 14 c0 0a   .....0.,.(.$....
> 0040 - 00 a3 00 9f 00 6b 00 6a-00 39 00 38 ff 85 00 c4   .....k.j.9.8....
> 0050 - 00 c3 00 88 00 87 00 81-c0 32 c0 2e c0 2a c0 26   .........2...*.&
> 0060 - c0 0f c0 05 00 9d 00 3d-00 35 00 c0 00 84 c0 2f   .......=.5...../
> 0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67   .+.'.#.........g
> 0080 - 00 40 00 33 00 32 00 be-00 bd 00 45 00 44 c0 31   . at .3.2.....E.D.1
> 0090 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f   .-.).%.......<./
> 00a0 - 00 ba 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04   ...A............
> 00b0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 15   ...............
> 00c0 - 00 12 00 09 00 ff 01 00-00 74 00 0b 00 04 03 00   .........t......
> 00d0 - 01 02 00 0a 00 3a 00 38-00 0e 00 0d 00 19 00 1c   .....:.8........
> 00e0 - 00 0b 00 0c 00 1b 00 18-00 09 00 0a 00 1a 00 16   ................
> 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
> 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
> 0110 - 00 23 00 00 00 0d 00 26-00 24 06 01 06 02 06 03   .#.....&.$......
> 0120 - ef ef 05 01 05 02 05 03-04 01 04 02 04 03 ee ee   ................
> 0130 - ed ed 03 01 03 02 03 03-02 01 02 02 02 03         ..............
> 
> I've looked through the github code repo but nothing stands out to me.
> Although I do noticed those first 11 bytes seem to repeat no matter what
> domain I call.
> Any help or guidance in the right direction as to the answer would be
> appreciated. Thanks.
> 
> -- 
> Gary Johnson
> 
> 


More information about the openssl-users mailing list