This is a client hello message in the TLS protocol sent from the client. Full spec is found on https://www.ietf.org/rfc/rfc5246.txt and I suggest using Wireshark to analyze network traffic but basically your message is described by 16 Content type (handshake) 03 01 TLS version (1.0) 01 39 Length of message The rest is the Handshake message 01 Client Hello message 00 01 35 Message length 03 03 Client requested TLS version (1.2) 3e .. 71 Unix time GMT (4 bytes) 98 ... 0d Random (28 bytes) 00 Session id length (no session id) 00 98 Length of cipher suite list the client accepts (76 cipher suites) cc 14 First ciphersuite - ECDHE-ECDSA-CHACHA20-POLY1305 .. 00 ff Last cipher suite - TLS_EMPTY_RENEGOTIATION_INFO_SCSV actually not a "real" cipher suite but a flag to signal client is ready to handle renegotiation 01 Number of compression methods 00 Compression method (no compression) 00 74 Extensions length 00 0b 00 04 03 00 01 02 First extension (ec_point_format) following by others. Hope this help you get started. Curt > On 20 Apr 2018, at 5:26 , Gary Johnson <garycjohnso@xxxxxxxxx> wrote: > > Hey Folks, > > I'm trying to figure out what this data is that is being sent pre-handshake: > > $ openssl s_client -connect google.com:443 -debug -state -msg > CONNECTED(00000005) > SSL_connect:before/connect initialization > write to 0x7ff53bc07c20 [0x7ff53c002e00] (318 bytes => 318 (0x13E)) > 0000 - 16 03 01 01 39 01 00 01-35 03 03 3e d2 76 71 98 ....9...5..>.vq. > 0010 - 9a 32 40 29 cf 4a ad 40-86 12 61 1b 44 97 3f 35 .2@).J.@..a.D.?5 > 0020 - e2 fd 43 83 d2 4d 6a 18-32 30 0d 00 00 98 cc 14 ..C..Mj.20...... > 0030 - cc 13 cc 15 c0 30 c0 2c-c0 28 c0 24 c0 14 c0 0a .....0.,.(.$.... > 0040 - 00 a3 00 9f 00 6b 00 6a-00 39 00 38 ff 85 00 c4 .....k.j.9.8.... > 0050 - 00 c3 00 88 00 87 00 81-c0 32 c0 2e c0 2a c0 26 .........2...*.& > 0060 - c0 0f c0 05 00 9d 00 3d-00 35 00 c0 00 84 c0 2f .......=.5...../ > 0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a2 00 9e 00 67 .+.'.#.........g > 0080 - 00 40 00 33 00 32 00 be-00 bd 00 45 00 44 c0 31 .@.3.2.....E.D.1 > 0090 - c0 2d c0 29 c0 25 c0 0e-c0 04 00 9c 00 3c 00 2f .-.).%.......<./ > 00a0 - 00 ba 00 41 c0 11 c0 07-c0 0c c0 02 00 05 00 04 ...A............ > 00b0 - c0 12 c0 08 00 16 00 13-c0 0d c0 03 00 0a 00 15 ................ > 00c0 - 00 12 00 09 00 ff 01 00-00 74 00 0b 00 04 03 00 .........t...... > 00d0 - 01 02 00 0a 00 3a 00 38-00 0e 00 0d 00 19 00 1c .....:.8........ > 00e0 - 00 0b 00 0c 00 1b 00 18-00 09 00 0a 00 1a 00 16 ................ > 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05 ................ > 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11 ................ > 0110 - 00 23 00 00 00 0d 00 26-00 24 06 01 06 02 06 03 .#.....&.$...... > 0120 - ef ef 05 01 05 02 05 03-04 01 04 02 04 03 ee ee ................ > 0130 - ed ed 03 01 03 02 03 03-02 01 02 02 02 03 .............. > > I've looked through the github code repo but nothing stands out to me. Although I do noticed those first 11 bytes seem to repeat no matter what domain I call. > Any help or guidance in the right direction as to the answer would be appreciated. Thanks. > > -- > Gary Johnson > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
