On 20/04/18 04:26, Gary Johnson wrote: > Hey Folks, > > I'm trying to figure out what this data is that is being sent pre-handshake: > > $ openssl s_client -connect google.com:443 <http://google.com:443> > -debug -state -msg > CONNECTED(00000005) > SSL_connect:before/connect initialization > write to 0x7ff53bc07c20 [0x7ff53c002e00] (318 bytes => 318 (0x13E)) > 0000 - 16 This indicates SSL/TLS record is a handshake packet > 03 01 The record has version TLSv1.0 > 01 39 The record has this length > 01 Now we start the body of the message contained inside the record. This indicates this is a ClientHello message > 00 01-35 This is the length of the message > 03 03 The maximum supported TLS version this client is willing to negotiate is TLSv1.2 > 3e d2 76 71 98 ....9...5..>.vq. > 0010 - 9a 32 40 29 cf 4a ad 40-86 12 61 1b 44 97 3f 35 .2@).J.@..a.D.?5 > 0020 - e2 fd 43 83 d2 4d 6a 18-32 30 0d This is the client random value > 00 There is no session id > 00 98 This is the length of the list of available ciphersuites. The remaining data is the list of ciphersuites, any compression methods and extensions that are present. See RFC5246 section7.4.1.2 Matt > cc 14 ..C..Mj.20...... > 0030 - cc 13 cc 15 c0 30 c0 2c-c0 28 c0 24 c0 14 c0 0a .....0.,.(.$.... > 0040 - 00 a3 00 9f 00 6b 00 6a-00 39 00 38 ff 85 00 c4 .....k.j.9.8.... > 0050 - 00 c3 00 88 00 87 00 81-c0 32 c0 2e c0 2a c0 26 .........2...*.& > 0060 - c0 0f c0 05 00 9d 00 3d-00 35 00 c0 00 84 c0 2f .......=.5...../ > 0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67 .+.'.#.........g > 0080 - 00 40 00 33 00 32 00 be-00 bd 00 45 00 44 c0 31 .@.3.2.....E.D.1 > 0090 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f .-.).%.......<./ > 00a0 - 00 ba 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04 ...A............ > 00b0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 15 ............... > 00c0 - 00 12 00 09 00 ff 01 00-00 74 00 0b 00 04 03 00 .........t...... > 00d0 - 01 02 00 0a 00 3a 00 38-00 0e 00 0d 00 19 00 1c .....:.8........ > 00e0 - 00 0b 00 0c 00 1b 00 18-00 09 00 0a 00 1a 00 16 ................ > 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05 ................ > 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11 ................ > 0110 - 00 23 00 00 00 0d 00 26-00 24 06 01 06 02 06 03 .#.....&.$...... > 0120 - ef ef 05 01 05 02 05 03-04 01 04 02 04 03 ee ee ................ > 0130 - ed ed 03 01 03 02 03 03-02 01 02 02 02 03 .............. > > I've looked through the github code repo but nothing stands out to me. > Although I do noticed those first 11 bytes seem to repeat no matter what > domain I call. > Any help or guidance in the right direction as to the answer would be > appreciated. Thanks. > > -- > Gary Johnson > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
