Analyzing HTTPS SSL/TLS traffic
Use wireshark to capture network packet. Use Curl to communicate to https://adamjordan.id (172.217.194.121, port 443)
1
$ curl https://adamjordan.id
Copied!

1. Client -> Server: Client Hello

Client connect to server and initiate the SSL Handshake negotiation. Client send "Client Hello" message. It contains client-supported cipher suites, compression methods, and extensions.
1
No Time Source Destination Protocol Length Info
2
34 2.524442 10.2.210.183 172.217.194.121 TLSv1.2 290 Client Hello
3
4
0000 84 b8 02 66 87 5c 8c 85 90 32 c5 fc 08 00 45 00 ...f.\...2....E.
5
0010 01 14 00 00 40 00 40 06 ed d7 0a 02 d2 b7 ac d9 [email protected]@.........
6
0020 c2 79 dc 9e 01 bb 86 84 7a af 8a 86 7a 40 80 18 [email protected]
7
0030 08 04 c2 f1 00 00 01 01 08 0a 2d 5b 6f 8d 29 bb ..........-[o.).
8
0040 65 53 16 03 01 00 db 01 00 00 d7 03 03 3d 62 84 eS...........=b.
9
0050 77 23 2f 13 f1 2a 46 59 d5 2c 5f 9d fa b9 f4 63 w#/..*FY.,_....c
10
0060 92 cb 44 4b 5d 3a 87 1c bc dc fd 07 c5 00 00 54 ..DK]:.........T
11
0070 cc a9 cc a8 cc aa c0 30 c0 2c c0 28 c0 24 c0 14 .......0.,.(.$..
12
0080 c0 0a 00 9f 00 6b 00 39 ff 85 00 c4 00 88 00 81 .....k.9........
13
0090 00 9d 00 3d 00 35 00 c0 00 84 c0 2f c0 2b c0 27 ...=.5...../.+.'
14
00a0 c0 23 c0 13 c0 09 00 9e 00 67 00 33 00 be 00 45 .#.......g.3...E
15
00b0 00 9c 00 3c 00 2f 00 ba 00 41 c0 12 c0 08 00 16 ...<./...A......
16
00c0 00 0a 00 ff 01 00 00 5a 00 00 00 12 00 10 00 00 .......Z........
17
00d0 0d 61 64 61 6d 6a 6f 72 64 61 6e 2e 69 64 00 0b .adamjordan.id..
18
00e0 00 02 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 ................
19
00f0 00 0d 00 1c 00 1a 06 01 06 03 ef ef 05 01 05 03 ................
20
0100 04 01 04 03 ee ee ed ed 03 01 03 03 02 01 02 03 ................
21
0110 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 .......h2.http/1
22
0120 2e 31 .1
23
24
Frame 34: 290 bytes on wire (2320 bits), 290 bytes captured (2320 bits) on interface 0
25
Ethernet II, Src: Apple_32:c5:fc (8c:85:90:32:c5:fc), Dst: Cisco_66:87:5c (84:b8:02:66:87:5c)
26
Internet Protocol Version 4, Src: 10.2.210.183, Dst: 172.217.194.121
27
Transmission Control Protocol, Src Port: 56478, Dst Port: 443, Seq: 1, Ack: 1, Len: 224
28
Secure Sockets Layer
29
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
30
Content Type: Handshake (22)
31
Version: TLS 1.0 (0x0301)
32
Length: 219
33
Handshake Protocol: Client Hello
34
Handshake Type: Client Hello (1)
35
Length: 215
36
Version: TLS 1.2 (0x0303)
37
Random: 3d628477232f13f12a4659d52c5f9dfab9f46392cb444b5d...
38
Session ID Length: 0
39
Cipher Suites Length: 84
40
Cipher Suites (42 suites)
41
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
42
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
43
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
44
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
45
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
46
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
47
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
48
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
49
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
50
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
51
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
52
Compression Methods Length: 1
53
Compression Methods (1 method)
54
Extensions Length: 90
55
Extension: server_name (len=18)
56
Extension: ec_point_formats (len=2)
57
Extension: supported_groups (len=8)
58
Extension: signature_algorithms (len=28)
59
Extension: application_layer_protocol_negotiation (len=14)
Copied!

2. Server -> Client: Server Hello

As a response, Server send "Server Hello" message. It contains ONE (1) cipher suites, and 1 compression method. This cipher suites and compression method will be used along with this TLS session.
1
No Time Source Destination Protocol Length Info
2
36 2.539060 172.217.194.121 10.2.210.183 TLSv1.2 1434 Server Hello
3
4
Frame 36: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits) on interface 0
5
Ethernet II, Src: Cisco_66:87:5c (84:b8:02:66:87:5c), Dst: Apple_32:c5:fc (8c:85:90:32:c5:fc)
6
Internet Protocol Version 4, Src: 172.217.194.121, Dst: 10.2.210.183
7
Transmission Control Protocol, Src Port: 443, Dst Port: 56478, Seq: 1, Ack: 225, Len: 1368
8
Secure Sockets Layer
9
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
10
Content Type: Handshake (22)
11
Version: TLS 1.2 (0x0303)
12
Length: 96
13
Handshake Protocol: Server Hello
14
Handshake Type: Server Hello (2)
15
Length: 92
16
Version: TLS 1.2 (0x0303)
17
Random: 5ced276d9d49a8aa1e5ed946f2db7aa3b9a47f92a6a279dd...
18
Session ID Length: 32
19
Session ID: 4d6ac64edbe1ae430bd6dd2a60e8bf7f2fb73da5719fe8af...
20
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
21
Compression Method: null (0)
22
Extensions Length: 20
23
Extension: renegotiation_info (len=1)
24
Extension: ec_point_formats (len=2)
25
Extension: application_layer_protocol_negotiation (len=5)
Copied!

3. Server -> Client: Certificate

Server then send "Certificate" message. It contains server public key certificates chain.
1
No Time Source Destination Protocol Length Info
2
37 2.539066 172.217.194.121 10.2.210.183 TLSv1.2 1434 Certificate [TCP segment of a reassembled PDU]
3
4
Frame 37: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits) on interface 0
5
Ethernet II, Src: Cisco_66:87:5c (84:b8:02:66:87:5c), Dst: Apple_32:c5:fc (8c:85:90:32:c5:fc)
6
Internet Protocol Version 4, Src: 172.217.194.121, Dst: 10.2.210.183
7
Transmission Control Protocol, Src Port: 443, Dst Port: 56478, Seq: 1369, Ack: 225, Len: 1368
8
[2 Reassembled TCP Segments (2558 bytes): #36(1267), #37(1291)]
9
Secure Sockets Layer
10
TLSv1.2 Record Layer: Handshake Protocol: Certificate
11
Content Type: Handshake (22)
12
Version: TLS 1.2 (0x0303)
13
Length: 2553
14
Handshake Protocol: Certificate
15
Handshake Type: Certificate (11)
16
Length: 2549
17
Certificates Length: 2546
18
Certificates (2546 bytes)
19
Certificate Length: 1366
20
Certificate: 308205523082043aa003020102021203219097d39dd8bfb8... (id-at-commonName=adamjordan.id)
21
signedCertificate
22
version: v3 (2)
23
serialNumber: 0x03219097d39dd8bfb836615f73263593ea5f
24
signature (sha256WithRSAEncryption)
25
issuer: rdnSequence (0)
26
rdnSequence: 3 items (id-at-commonName=Let's Encrypt Authority X3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
27
RDNSequence item: 1 item (id-at-countryName=US)
28
RDNSequence item: 1 item (id-at-organizationName=Let's Encrypt)
29
RDNSequence item: 1 item (id-at-commonName=Let's Encrypt Authority X3)
30
validity
31
notBefore: utcTime (0)
32
utcTime: 19-04-22 21:39:43 (UTC)
33
notAfter: utcTime (0)
34
utcTime: 19-07-21 21:39:43 (UTC)
35
subject: rdnSequence (0)
36
rdnSequence: 1 item (id-at-commonName=adamjordan.id)
37
subjectPublicKeyInfo
38
algorithm (rsaEncryption)
39
subjectPublicKey: 3082010a0282010100cd71f5763a212f09e995c877caca7e...
40
extensions: 9 items
41
algorithmIdentifier (sha256WithRSAEncryption)
42
Padding: 0
43
encrypted: 5d04d4c03d8b322514d992cfa9021a7ebd695c5ff7d702f1...
44
Certificate Length: 1174
45
Certificate: 308204923082037aa00302010202100a0141420000015385... (id-at-commonName=Let's Encrypt Authority X3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
46
signedCertificate
47
version: v3 (2)
48
serialNumber: 0x0a0141420000015385736a0b85eca708
49
signature (sha256WithRSAEncryption)
50
issuer: rdnSequence (0)
51
rdnSequence: 2 items (id-at-commonName=DST Root CA X3,id-at-organizationName=Digital Signature Trust Co.)
52
RDNSequence item: 1 item (id-at-organizationName=Digital Signature Trust Co.)
53
RDNSequence item: 1 item (id-at-commonName=DST Root CA X3)
54
validity
55
notBefore: utcTime (0)
56
utcTime: 16-03-17 16:40:46 (UTC)
57
notAfter: utcTime (0)
58
utcTime: 21-03-17 16:40:46 (UTC)
59
subject: rdnSequence (0)
60
rdnSequence: 3 items (id-at-commonName=Let's Encrypt Authority X3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
61
RDNSequence item: 1 item (id-at-countryName=US)
62
RDNSequence item: 1 item (id-at-organizationName=Let's Encrypt)
63
RDNSequence item: 1 item (id-at-commonName=Let's Encrypt Authority X3)
64
subjectPublicKeyInfo
65
algorithm (rsaEncryption)
66
subjectPublicKey: 3082010a02820101009cd30cf05ae52e47b7725d3783b368...
67
extensions: 7 items
68
algorithmIdentifier (sha256WithRSAEncryption)
69
Padding: 0
70
encrypted: dd33d711f3635838dd1815fb0955be7656b97048a5694727...
Copied!

4. Server -> Client: Server Key Exchange, Server Hello Done

Then server send "Server Key Exchange" message and "Server Hello Done" message. "Server Key Exchange" message contains the keys exchange algorithm for client and server to do symmetric encryption. "Server Hello Done" message marks that the server finishes its part of the handshake negotiation.
1
No Time Source Destination Protocol Length Info
2
38 2.539068 172.217.194.121 10.2.210.183 TLSv1.2 303 Server Key Exchange, Server Hello Done
3
4
Frame 38: 303 bytes on wire (2424 bits), 303 bytes captured (2424 bits) on interface 0
5
Ethernet II, Src: Cisco_66:87:5c (84:b8:02:66:87:5c), Dst: Apple_32:c5:fc (8c:85:90:32:c5:fc)
6
Internet Protocol Version 4, Src: 172.217.194.121, Dst: 10.2.210.183
7
Transmission Control Protocol, Src Port: 443, Dst Port: 56478, Seq: 2737, Ack: 225, Len: 237
8
[2 Reassembled TCP Segments (305 bytes): #37(77), #38(228)]
9
Secure Sockets Layer
10
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
11
Content Type: Handshake (22)
12
Version: TLS 1.2 (0x0303)
13
Length: 300
14
Handshake Protocol: Server Key Exchange
15
Handshake Type: Server Key Exchange (12)
16
Length: 296
17
EC Diffie-Hellman Server Params
18
Curve Type: named_curve (0x03)
19
Named Curve: x25519 (0x001d)
20
Pubkey Length: 32
21
Pubkey: 81543ec207f0694fd8758e8e83b069b33c0564b91a1f1b58...
22
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
23
Signature Length: 256
24
Signature: 9308d1566cf79524a14b5e59801bd04217a27e8df6f603fd...
25
Secure Sockets Layer
26
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
27
Content Type: Handshake (22)
28
Version: TLS 1.2 (0x0303)
29
Length: 4
30
Handshake Protocol: Server Hello Done
31
Handshake Type: Server Hello Done (14)
32
Length: 0
Copied!

5. Client -> Server: Client Key Exchange, Change Cipher Spec, Finished

Client then responds by sending "Client Key Exchange", "Change Cipher Spec", and "Encrypted Handshake" message "Client Key Exchange" contains data for server to generate keys for the symmetric encryption. "Change Cipher Spec" message is sent in order to signal that the symmetric encryption has been activated. The "Encrypted Handshake Message" is an encrypted "Finished" message, which mark that handshake negotiation is finished for client part.
1
No Time Source Destination Protocol Length Info
2
41 2.552896 10.2.210.183 172.217.194.121 TLSv1.2 151 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
3
4
Frame 41: 151 bytes on wire (1208 bits), 151 bytes captured (1208 bits) on interface 0
5
Ethernet II, Src: Apple_32:c5:fc (8c:85:90:32:c5:fc), Dst: Cisco_66:87:5c (84:b8:02:66:87:5c)
6
Internet Protocol Version 4, Src: 10.2.210.183, Dst: 172.217.194.121
7
Transmission Control Protocol, Src Port: 56478, Dst Port: 443, Seq: 225, Ack: 2974, Len: 85
8
Secure Sockets Layer
9
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
10
Content Type: Handshake (22)
11
Version: TLS 1.2 (0x0303)
12
Length: 37
13
Handshake Protocol: Client Key Exchange
14
Handshake Type: Client Key Exchange (16)
15
Length: 33
16
EC Diffie-Hellman Client Params
17
Pubkey Length: 32
18
Pubkey: cf81666eddee37af4e8491dda30f5ab1f2c4b15410e7fd09...
19
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
20
Content Type: Change Cipher Spec (20)
21
Version: TLS 1.2 (0x0303)
22
Length: 1
23
Change Cipher Spec Message
24
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
25
Content Type: Handshake (22)
26
Version: TLS 1.2 (0x0303)
27
Length: 32
28
Handshake Protocol: Encrypted Handshake Message
Copied!

6. Server -> Client: Change Cipher Spec, Finished

Server then respond with similar message: "Change Cipher Spec" and encrypted "Finished" message. After this, the handshake process is considered successful.
1
No Time Source Destination Protocol Length Info
2
42 2.561317 172.217.194.121 10.2.210.183 TLSv1.2 109 Change Cipher Spec, Encrypted Handshake Message
3
4
Frame 42: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0
5
Ethernet II, Src: Cisco_66:87:5c (84:b8:02:66:87:5c), Dst: Apple_32:c5:fc (8c:85:90:32:c5:fc)
6
Internet Protocol Version 4, Src: 172.217.194.121, Dst: 10.2.210.183
7
Transmission Control Protocol, Src Port: 443, Dst Port: 56478, Seq: 2974, Ack: 310, Len: 43
8
Secure Sockets Layer
9
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
10
Content Type: Change Cipher Spec (20)
11
Version: TLS 1.2 (0x0303)
12
Length: 1
13
Change Cipher Spec Message
14
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
15
Content Type: Handshake (22)
16
Version: TLS 1.2 (0x0303)
17
Length: 32
18
Handshake Protocol: Encrypted Handshake Message
Copied!

7. Client <-> Server: Application Data

After TLS Handshake negotiation finished. Server and Client may communicate and send data in ecnrypted format.
1
No Time Source Destination Protocol Length Info
2
44 2.562359 10.2.210.183 172.217.194.121 TLSv1.2 111 Application Data
3
4
0000 84 b8 02 66 87 5c 8c 85 90 32 c5 fc 08 00 45 00 ...f.\...2....E.
5
0010 00 61 00 00 40 00 40 06 ee 8a 0a 02 d2 b7 ac d9 [email protected]@.........
6
0020 c2 79 dc 9e 01 bb 86 84 7b e4 8a 86 86 08 80 18 .y......{.......
7
0030 08 00 c6 a2 00 00 01 01 08 0a 2d 5b 6f ae 29 bb ..........-[o.).
8
0040 65 87 17 03 03 00 28 ab b4 ad 3e 27 36 e0 67 a1 e.....(...>'6.g.
9
0050 65 b8 b1 37 66 9c d3 96 10 05 77 88 83 57 bd 48 e..7f.....w..W.H
10
0060 b0 79 c1 96 c9 13 bc 96 29 e2 f2 cb 75 7b c7 .y......)...u{.
11
12
13
Frame 44: 111 bytes on wire (888 bits), 111 bytes captured (888 bits) on interface 0
14
Ethernet II, Src: Apple_32:c5:fc (8c:85:90:32:c5:fc), Dst: Cisco_66:87:5c (84:b8:02:66:87:5c)
15
Internet Protocol Version 4, Src: 10.2.210.183, Dst: 172.217.194.121
16
Transmission Control Protocol, Src Port: 56478, Dst Port: 443, Seq: 310, Ack: 3017, Len: 45
17
Secure Sockets Layer
18
TLSv1.2 Record Layer: Application Data Protocol: http2
19
Content Type: Application Data (23)
20
Version: TLS 1.2 (0x0303)
21
Length: 40
22
Encrypted Application Data: abb4ad3e2736e067a165b8b137669cd396100577888357bd...
Copied!

8. Done

Done
Last modified 5mo ago
Copy link