[openssl-users] Pre-TLS Handshake Data

Curt Johansson curt at strategix.se
Fri Apr 20 08:32:51 UTC 2018


This is a client hello message in the TLS protocol sent from the client. Full spec is found on https://www.ietf.org/rfc/rfc5246.txt and
I suggest using Wireshark to analyze network traffic but basically your message is described by  



16 		Content type (handshake) 
03 01 	TLS version (1.0)
01 39 	Length of message

The rest is the Handshake message

01 		Client Hello message
00 01 35  Message length
03 03 	Client requested TLS version (1.2)
3e .. 71	Unix time GMT (4 bytes)
98 ...  0d	Random (28 bytes)
00		Session id length (no session id) 
00 98	Length of cipher suite list the client accepts (76 cipher suites) 
cc 14	First ciphersuite - ECDHE-ECDSA-CHACHA20-POLY1305
..
00 ff 	Last cipher suite - TLS_EMPTY_RENEGOTIATION_INFO_SCSV actually not a "real" cipher suite but a flag to signal client is ready to handle renegotiation
01		Number of compression methods
00 		Compression method (no compression) 
00 74	Extensions length
00 0b 00 04 03 00 01 02 First extension (ec_point_format) 

following by others. 


Hope this help you get started. 

Curt

> On 20 Apr 2018, at 5:26 , Gary Johnson <garycjohnso at gmail.com> wrote:
> 
> Hey Folks,
> 
> I'm trying to figure out what this data is that is being sent pre-handshake:
> 
> $ openssl s_client -connect google.com:443 -debug -state -msg
> CONNECTED(00000005)
> SSL_connect:before/connect initialization
> write to 0x7ff53bc07c20 [0x7ff53c002e00] (318 bytes => 318 (0x13E))
> 0000 - 16 03 01 01 39 01 00 01-35 03 03 3e d2 76 71 98   ....9...5..>.vq.
> 0010 - 9a 32 40 29 cf 4a ad 40-86 12 61 1b 44 97 3f 35   .2@).J. at ..a.D.?5
> 0020 - e2 fd 43 83 d2 4d 6a 18-32 30 0d 00 00 98 cc 14   ..C..Mj.20......
> 0030 - cc 13 cc 15 c0 30 c0 2c-c0 28 c0 24 c0 14 c0 0a   .....0.,.(.$....
> 0040 - 00 a3 00 9f 00 6b 00 6a-00 39 00 38 ff 85 00 c4   .....k.j.9.8....
> 0050 - 00 c3 00 88 00 87 00 81-c0 32 c0 2e c0 2a c0 26   .........2...*.&
> 0060 - c0 0f c0 05 00 9d 00 3d-00 35 00 c0 00 84 c0 2f   .......=.5...../
> 0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67   .+.'.#.........g
> 0080 - 00 40 00 33 00 32 00 be-00 bd 00 45 00 44 c0 31   . at .3.2.....E.D.1
> 0090 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f   .-.).%.......<./
> 00a0 - 00 ba 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04   ...A............
> 00b0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 15   ................
> 00c0 - 00 12 00 09 00 ff 01 00-00 74 00 0b 00 04 03 00   .........t......
> 00d0 - 01 02 00 0a 00 3a 00 38-00 0e 00 0d 00 19 00 1c   .....:.8........
> 00e0 - 00 0b 00 0c 00 1b 00 18-00 09 00 0a 00 1a 00 16   ................
> 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
> 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
> 0110 - 00 23 00 00 00 0d 00 26-00 24 06 01 06 02 06 03   .#.....&.$......
> 0120 - ef ef 05 01 05 02 05 03-04 01 04 02 04 03 ee ee   ................
> 0130 - ed ed 03 01 03 02 03 03-02 01 02 02 02 03         ..............
> 
> I've looked through the github code repo but nothing stands out to me. Although I do noticed those first 11 bytes seem to repeat no matter what domain I call.
> Any help or guidance in the right direction as to the answer would be appreciated. Thanks.
> 
> -- 
> Gary Johnson
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



More information about the openssl-users mailing list