Apply conversion script to all *.md files. authored by Alexander Hansen Færøy
This is a collection of TLS client hellos that were studied while trying to give [[meek]] a TLS signature like a browser. See #11183.
{{{
```
tshark -V -2 -R ssl.handshake.ciphersuites -r file.pcap
}}}
```
Old versions of Firefox: https://ftp.mozilla.org/pub/firefox/releases/
[[PageOutline(1-6,Contents,inline,unnumbered)]]
== meek-client f748701c (2014-02-08)
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
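Review bot: The Trac-only constructs in the intro are left unconverted: `[[meek]]` and `[[PageOutline(1-6,Contents,inline,unnumbered)]]` appear unchanged in this hunk, so the Markdown page will show them as literal double-bracket text. The script should rewrite `[[meek]]` as a Markdown link to the wiki page and either drop the `PageOutline` macro or replace it with whatever table-of-contents mechanism the target wiki supports.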
......@@ -72,10 +72,10 @@ Secure Sockets Layer
Type: signature_algorithms (0x000d)
Length: 10
Data (10 bytes)
}}}
```
== Chrome 33.0.1750.152 Mac OS X 10.9.2 (03/31/2014)
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -169,10 +169,10 @@ Secure Sockets Layer
Type: Unknown (0x0012)
Length: 0
Data (0 bytes)
}}}
```
== Chromium 31.0.1650.63 Debian jessie/sid (238485).
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -260,11 +260,11 @@ Secure Sockets Layer
Type: signature_algorithms (0x000d)
Length: 18
Data (18 bytes)
}}}
```
== GoAgent 3.1.5 [https://github.com/goagent/goagent/commit/6287469afd3b84fb1a4dda69a33d26108e7246a6 6287469afd] (2014-02-28)
Note that no server_name extension is sent. The ciphersuite list is defined [https://github.com/goagent/goagent/blob/6287469afd3b84fb1a4dda69a33d26108e7246a6/local/proxy.py#L802 here], but it doesn't seem to be used unless the [https://github.com/goagent/goagent/blob/6287469afd3b84fb1a4dda69a33d26108e7246a6/local/proxy.py#L871 obfuscate option is set]. If obfuscate is set, it randomly throws out half the ciphers in expectation. Weird stuff: TLSv1.1 (most everything else is either TLSv1.0 or TLSv1.2), large list of supported elliptic curves.
{{{
== GoAgent 3.1.5 [6287469afd](https://github.com/goagent/goagent/commit/6287469afd3b84fb1a4dda69a33d26108e7246a6) (2014-02-28)
Note that no server_name extension is sent. The ciphersuite list is defined [here](https://github.com/goagent/goagent/blob/6287469afd3b84fb1a4dda69a33d26108e7246a6/local/proxy.py#L802), but it doesn't seem to be used unless the [obfuscate option is set](https://github.com/goagent/goagent/blob/6287469afd3b84fb1a4dda69a33d26108e7246a6/local/proxy.py#L871). If obfuscate is set, it randomly throws out half the ciphers in expectation. Weird stuff: TLSv1.1 (most everything else is either TLSv1.0 or TLSv1.2), large list of supported elliptic curves.
```
Secure Sockets Layer
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
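Review bot: The heading line was rewritten for its link but still starts with `== `, which Markdown does not treat as a heading, so `== GoAgent 3.1.5 [6287469afd](...) (2014-02-28)` will render as an ordinary paragraph. Every section heading visible in this diff keeps the same Trac prefix; the script should map a leading `== ` to `## `.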
......@@ -373,11 +373,11 @@ Secure Sockets Layer
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
}}}
```
== flashproxy-reg-appspot 1.6 (02-20-2014)
flashproxy-reg-url uses httplib and OpenSSL through M2Crypto.
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -492,10 +492,10 @@ Secure Sockets Layer
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
}}}
```
== Iceweasel 24.4.0
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -584,15 +584,15 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== PhantomJS 1.9.7
Looks like OpenSSL, not NSS? SSLv3.0 without extensions.
{{{
```
var page = require('webpage').create();
page.open("https://meek-reflect.appspot.com", function(status) { console.log("status", status); });
}}}
{{{
```
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
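Review bot: In the PhantomJS section the `}}}` / `{{{` pair between the script and the capture became two back-to-back fence lines with nothing between them, which is easy to misread as an empty code block. Have the script emit a blank line between a closing and an opening fence, and consider tagging the first block `js`, since it is source code rather than tshark output.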
......@@ -662,11 +662,11 @@ Secure Sockets Layer
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
}}}
```
== PhantomJS 1.9.7 using TLSv1.0
You can get TLSv1.0 by running the command `phantomjs --ssl-protocol=TLSv1`.
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -791,10 +791,10 @@ Secure Sockets Layer
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
}}}
```
== Tor Browser 3.5.2.1 (Firefox 24.3.0)
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -879,10 +879,10 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== meek-http-helper in Iceweasel 24.3.0
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -971,11 +971,11 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== meek-http-helper running in TB 3.5.2.1
With attachment:Don-t-prohibit-name-lookups-with-socks_remote_dns-tr.patch:ticket:11183. Seems to differ from Iceweasel only in the "SessionTicket TLS" extension (see #4099).
{{{
With [Don-t-prohibit-name-lookups-with-socks_remote_dns-tr.patch:ticket:11183.](None/Don-t-prohibit-name-lookups-with-socks_remote_dns-tr.patch:ticket:11183.) Seems to differ from Iceweasel only in the "SessionTicket TLS" extension (see #4099).
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
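Review bot: The attachment reference was converted into a broken link: the target is `None/Don-t-prohibit-name-lookups-with-socks_remote_dns-tr.patch:ticket:11183.`, which looks like an unset base path formatted into the URL, and both the `:ticket:11183` qualifier and the sentence's full stop ended up inside the label and the target. The script should resolve `attachment:<file>:ticket:<n>` to a real attachment URL (or leave it as plain text when it cannot) and stop the match before trailing punctuation.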
......@@ -1060,11 +1060,11 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== [https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tag/74106067ae570daedfa9252903d97e32eae4becf Tor Browser 3.5.2.1-meek-4]
== [Tor Browser 3.5.2.1-meek-4](https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tag/74106067ae570daedfa9252903d97e32eae4becf)
Uses a separate browser instance to run the extension as suggested in comment:12:ticket:11183. It matches Iceweasel 24. The only difference is in the client randomness.
{{{
```
Length: 165
Version: TLS 1.0 (0x0301)
Random
......@@ -1075,9 +1075,9 @@ Uses a separate browser instance to run the extension as suggested in comment:12
Session ID Length: 0
Cipher Suites Length: 70
Cipher Suites (35 suites)
}}}
```
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1166,10 +1166,10 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== [https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released Tor Browser 4.0-alpha-1], afflicted with #12766 (2014-08-15)
{{{
== [Tor Browser 4.0-alpha-1](https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released), afflicted with #12766 (2014-08-15)
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1262,11 +1262,11 @@ Secure Sockets Layer
Type: signature_algorithms (0x000d)
Length: 18
Data (18 bytes)
}}}
```
== [https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released Tor Browser 4.0-alpha-1] with `security.tls.version.max=1` (2014-08-15)
== [Tor Browser 4.0-alpha-1](https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released) with `security.tls.version.max=1` (2014-08-15)
Limiting SSL version to TLSv1.0.
{{{
```
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1355,10 +1355,10 @@ Secure Sockets Layer
Extension: next_protocol_negotiation
Type: next_protocol_negotiation (0x3374)
Length: 0
}}}
```
== Iceweasel 31.1.0 (2014-10-26)
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1470,11 +1470,11 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== [https://blog.torproject.org/blog/tor-browser-40-released Tor Browser 4.0] (2014-10-26)
== [Tor Browser 4.0](https://blog.torproject.org/blog/tor-browser-40-released) (2014-10-26)
It's [[comment:1:ticket:13442|missing the SessionTicket TLS extension]].
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
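Review bot: `[[comment:1:ticket:13442|missing the SessionTicket TLS extension]]` passes through unconverted, so the sentence will render with literal double brackets and a pipe. The script already handles `[url label]` in the heading just above; it needs a matching rule for `[[target|label]]`, with `comment:N:ticket:M` mapped to wherever the migrated ticket comments live.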
......@@ -1582,11 +1582,11 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== [https://blog.torproject.org/blog/tor-browser-40-released Tor Browser 4.0] with `security.ssl.disable_session_identifiers=false` (2014-10-26)
== [Tor Browser 4.0](https://blog.torproject.org/blog/tor-browser-40-released) with `security.ssl.disable_session_identifiers=false` (2014-10-26)
Restores the SessionTicket TLS extension.
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1698,11 +1698,11 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== [https://download-installer.cdn.mozilla.net/pub/firefox/releases/38.8.0esr/linux-x86_64/en-US/ Firefox 38.8.0esr] on Debian stretch/sid (2016-05-20)
== [Firefox 38.8.0esr](https://download-installer.cdn.mozilla.net/pub/firefox/releases/38.8.0esr/linux-x86_64/en-US/) on Debian stretch/sid (2016-05-20)
Including two consecutive client hellos because the second one has a Padding extension.
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -1955,11 +1955,11 @@ Secure Sockets Layer
Padding Data: 000000000000000000000000000000000000000000000000...
Padding length: 0
Padding Data: <MISSING>
}}}
```
== [https://download-installer.cdn.mozilla.net/pub/firefox/releases/45.0.2esr/linux-x86_64/ Firefox 45.0.2esr] on Debian stretch/sid (2016-05-20)
== [Firefox 45.0.2esr](https://download-installer.cdn.mozilla.net/pub/firefox/releases/45.0.2esr/linux-x86_64/) on Debian stretch/sid (2016-05-20)
Including two consecutive client hellos because the second one has a Padding extension.
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2200,10 +2200,10 @@ Secure Sockets Layer
Padding Data: 000000000000000000000000000000000000000000000000...
Padding length: 0
Padding Data: <MISSING>
}}}
```
== [https://blog.torproject.org/blog/tor-browser-60a5-released Tor Browser 6.0a5] (based on Firefox 45 ESR) with meek-client on Debian stretch/sid (2016-05-20)
{{{
== [Tor Browser 6.0a5](https://blog.torproject.org/blog/tor-browser-60a5-released) (based on Firefox 45 ESR) with meek-client on Debian stretch/sid (2016-05-20)
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2320,12 +2320,12 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== Tor Browser 6.5a3 (based on Firefox 45.4.0 ESR) on Debian jessie (2015-10-28)
Identical to [[#Firefox45.2.0esronDebianjessie2016-10-28|Firefox 45.2.0]] (but not [[#Firefox45.2.0esronDebianjessie2016-10-28|Firefox 45.4.0]]).
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
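Review bot: The cross-references under the Tor Browser 6.5a3 heading are still Trac anchors (`[[#Firefox45.2.0esronDebianjessie2016-10-28|Firefox 45.2.0]]`) that rely on Trac's heading ids, so they need converting along with the headings they point at. While doing so, note that the link labelled Firefox 45.4.0 carries the same `#Firefox45.2.0esronDebianjessie2016-10-28` target as the one labelled Firefox 45.2.0, so one of the two points at the wrong section.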
......@@ -2442,12 +2442,12 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== [https://ftp.mozilla.org/pub/firefox/releases/45.2.0esr/linux-x86_64/en-US/ Firefox 45.2.0esr] on Debian jessie (2016-10-28)
== [Firefox 45.2.0esr](https://ftp.mozilla.org/pub/firefox/releases/45.2.0esr/linux-x86_64/en-US/) on Debian jessie (2016-10-28)
Identical to [[#TorBrowser6.5a3basedonFirefox45.4.0ESRonDebianjessie2015-10-28|Tor Browser 6.5a3]].
Differs from [[#Firefox45.4.0esronDebianjessie2016-10-28]] in that it has one fewer signature hash algorithm.
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2564,11 +2564,11 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== [https://ftp.mozilla.org/pub/firefox/releases/45.4.0esr/linux-x86_64/en-US/ Firefox 45.4.0esr] on Debian jessie (2016-10-28)
== [Firefox 45.4.0esr](https://ftp.mozilla.org/pub/firefox/releases/45.4.0esr/linux-x86_64/en-US/) on Debian jessie (2016-10-28)
Differs from [[#Firefox45.2.0esronDebianjessie2016-10-28]] in that it has one more signature hash algorithm.
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2688,7 +2688,7 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
}}}
```
== Tor Browser 7.0.1 (based on Firefox 52.2.0esr) on Windows 7 (2017-06-22)
......@@ -2697,7 +2697,7 @@ Same as
* [[#TorBrowser7.0.1basedonFirefox52.2.0esronDebianstretch2017-06-22]]
* [[#Firefox52.2.0esronDebianstretch2017-06-22]]
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2824,16 +2824,16 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
}}}
```
== [https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/win64/en-US/ Firefox 52.2.0esr] on Windows 7 (2017-06-22)
== [Firefox 52.2.0esr](https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/win64/en-US/) on Windows 7 (2017-06-22)
Same as
* [[#TorBrowser7.0.1basedonFirefox52.2.0esronWindows72017-06-22]]
* [[#TorBrowser7.0.1basedonFirefox52.2.0esronDebianstretch2017-06-22]]
* [[#Firefox52.2.0esronDebianstretch2017-06-22]]
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -2960,7 +2960,7 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
}}}
```
== Tor Browser 7.0.1 (based on Firefox 52.2.0esr) on Debian stretch (2017-06-22)
......@@ -2969,7 +2969,7 @@ Same as
* [[#Firefox52.2.0esronWindows72017-06-22]]
* [[#Firefox52.2.0esronDebianstretch2017-06-22]]
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
......@@ -3096,16 +3096,16 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
}}}
```
== [https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/linux-x86_64/en-US/ Firefox 52.2.0esr] on Debian stretch (2017-06-22)
== [Firefox 52.2.0esr](https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/linux-x86_64/en-US/) on Debian stretch (2017-06-22)
Same as
* [[#Firefox52.2.0esronWindows72017-06-22]]
* [[#Firefox52.2.0esronWindows72017-06-22]]
* [[#TorBrowser7.0.1basedonFirefox52.2.0esronDebianstretch2017-06-22]]
{{{
```
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
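Review bot: The "Same as" list for Firefox 52.2.0esr on Debian stretch lists `[[#Firefox52.2.0esronWindows72017-06-22]]` twice. The sibling sections each name the three other 52.2.0esr captures, so the first entry was presumably meant to be `[[#TorBrowser7.0.1basedonFirefox52.2.0esronWindows72017-06-22]]`; worth fixing in the same pass that converts these `[[#...]]` anchors.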
......@@ -3232,4 +3232,4 @@ Secure Sockets Layer
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
}}}
\ No newline at end of file
```
\ No newline at end of file
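Review bot: The file still ends without a trailing newline after the final closing fence (the `\ No newline at end of file` marker appears on both sides of the change). Have the script terminate its output with a newline so later edits do not produce a spurious last-line diff.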