
malformed clienthello packet #1

jsleeio opened this issue Jul 18, 2017 · 5 comments

Comments


jsleeio commented Jul 18, 2017

I realise this is without warranty but I thought you may or may not be interested...

2017/07/18 17:16:14 Raw Client Hello: [22 242 200 73 146 1 215 23 8 111 32 216 243 107 10 255 231 69 137 133 135 59 170 72 60 180 98 72 93 60 233 200 203 64 84 212 38 75 11 251 21 81 157 7 208 246 174 104 126 18 109 130 138 112 198 25 169 165 124 154 55 92 43 81 86 32 25 35 36 232 154 148 9 58 59 78 8 100 56 67 28 103 155 60 72 233 113 121 67 6 56 9 93 186 238 253 86 125 73 12 25 221 146 26 29 136 178 98 85 182 3 120 226 159 218 51 28 203 109 162 168 165 224 250 187 163 0 214 56 174 215 249 156 10 58 190 85 200 173 81 156 146 94 131 239 115 192 231 5 2 34 93 133 6 30 44 106 237 79 112 137 167 14 167 0 55 55 144 134 229 58 187 82 213 30 236 70 59 105 37 14 242 110 162 106 14 20 124 69 84 187 235 26 200 124 252 80 245 97 198 41 249 193 135 142 92 134 171 140 9 255 199 236 199 162 95 74 168 73 129 160 40 115 83 54 143 184 229 248 160 209 179 123 88 183 225 214 136 158 88 116 161 231 192 141 71 215 209 6 176 20 138 104 127 58 195 169 78 27 142 225 35 68 81 221 126 148 235 53 149 225 149 3 17 86 1 210 231 147 52 67 74 117 161 116 198 214 190 21 222 120 201 146 144 176 117 102 237 191 119 154 122 90 244 176 71 19 151 19 215 185 26 123 164 69 62 84 112 232 176 242 212 253 209 34 92 30 46 208 98 58 219 141 78 242 60 109 72 148 151 27 1 94 255 11 106 50 67 189 116 138 13 184 75 141 6 52 1 243 51 2 137 37 85 53 75 235 189 57 172 238 158 46 149 214 11 138 153 90 233 131 11 167 60 201 80 228 244 220 37 151 150 221 168 137 60 64 100 138 166 45 227 220 163 30 14 20 227 143 166 1 172 32 37 186 183 198 194 21 164 214 230 101 4 27 140 95 40 85 107 240 178 219 46 245 217 95 155 98 18 183 178 151 82 214 168 219 200 8 203 35 131 5 142 249 142 146 117 238 216 38 2 196 40 151 150 75 231 67 133 2 181 11 209 107 72 244 91 131 218 1 27 70 21 71 201 156 90 64 112 180 12 206 6 157 191 161 70 73 84 251 241 151 96 240 251 37 236 137 171 148 30 137 204 186 223 81 238 169 243 116 245 61 105 176 31 178 80 155 100 209 123 107 0 253 9 169 174 26 6 20 53 202 75 71 178 203 150 121 174 8 37 164 253 45 
3 139 87 92 64 94 79 189 93 160 189 94 10 158 54 93 120 159 166 157 213 92 169 230 3 144 61 16 246 146 124 213 109 190 131 213 169 59 157 212 227 56 81 63 0 134 188 119 63 196 63 44 159 46 201 248 141 245 48 16 213 17 139 64 57 11 251 207 216 35 123 208 115 113 164 100 74 102 162 91 131 213 42 49 143 247 146 203 85 114 198 208 254 167 208 158 100 211 228 142 220 73 76 114 212 125 190 249 128 254 107 152 181 5 183 237 81 144 238 182 133 124 229 136 3 198 229 232 37 84 3 52 52 19 39 165 172 156 170 32 138 159 228 50 128 229 232 41 183 1 133 206 104 182 197 180 213 150 80 32 118 139 172 114 91 109 112 252 87 88 90 176 116 55 186 123 112 226 112 204 200 143 103 15 164 167 11 71 189 201 121 127 32 132 12 55 253 147 95 113 194 15 16 209 51 235 0 204 241 109 204 173 174 231 111 141 178 26 18 42 2 3 71 240 138 242 242 0 65 98 146 79 115 162 200 192 51 248 232 147 62 162 224 86 221 155 0 45 4 71 6 13 57 115 105 9 224 151 3 230 206 247 114 48 123 233 38 127 44 100 121 42 25 52 124 14 87 1 5 248 148 17 8 38 168 69 171 26 23 113 51 242 63 15 118 213 3 49 178 117 181 150 99 100 179 246 98 29 32 97 21 193 91 107 71 28 239 125 20 73 47 69 212 246 223 186 146 123 25 208 227 20 27 42 8 190 135 26 27 171 75 99 4 199 52 59 6 41 12 64 194 6 98 137 56 244 53 239 69 3 133 94 115 243 129 219 74 163 168 217 101 99 34 76 15 171 38 237 35 12 177 225 57 149 2 80 103 195 226 77 234 67 72 54 65 35 135 55 227 203 14 65 178 98 95 196 25 144 37 111 20 182 179 200 240 224 16 74 252 153 169 68 142 132 108 77 161 197 236 96 91 124 227 110 58 121 135 183 48 238 170 136 222 204 211 189 150 28 127 80 142 12 58 212 18 125 40 139 176 145 171 129 71 154 175 142 175 179 90 69 241 72 11 116 76 197 72 155 173 137 103 79 243 134 233 42 76 239 108 130 62 9 172 187 165 48 200 200 136 41 213 90 208 80 196 148 146 13 187 147 157 167 177 90 62 190 214 225 152 77 201 173 62 148 178 159 84 10 211 58 118 14 187 9 228 66 39 32 44 241 248 134 91 196 229 203 177 58 126 143 115 62 158 60 19 68 139 190 205 228 24 63 127 
100 201 154 178 114 180 197 122 176 207 74 207 155 93 81 65 162 85 146 55 24 41 191 238 151 158 111 232 54 159 10 192 28 243 129 139 44 124 55 128 133 170 120 208 170 55 36 230 216 231 21 120 234 184 137 3 189 25 252 154 198 9 76 31 110 10 68 38 46 211 240 247 154 50 141 198 142 133 130 4 174 173 55 63 136 137 225 217 202 100 36 152 105 173 243 123 123 97 138 218 5 121 35 43 57 232 167 183 186 185 134 130 236 99 202 220 1 48 222 68 140 118 97 30 187 23 239 222 239 186 23 3 3 5 114 128 139 192 233 31 108 5 166 151 65 5 225 153 19 58 68 47 22 145 93 237 102 75 215 20 108 84 235 60 12 114 228 56 93 161 43 65 132 191 213 17 104 200 171 202 96 25 161 210 142 2 108 41 213 0 220 131 140 107 188 124 27 98 143 137 27 185 4 156 193 57 174 249 83 243 89 34 178 177 49 41 254 173 149 1 127 175 216 118 244 39 207 249 68 190 59 138 54 89 189 158 66 150 44 251 35 174 247 32 106 248 45 104 147 121 120 161 106 67 159 26 61 10 244 103 99 158 158 63 106 212 123 109 246 244 0 214 156 29 68 236 53 196 112 235 198 243 104 78 35 15 29 235 197 69 167 0 188 218 66 148 194 13 237 157 83 66 45 88 183 254]

@bradleyfalzon (Owner)

Thanks, I can take a quick look, but did you happen to see what's wrong?


jsleeio commented Jul 18, 2017

I'm really not sure. I'm using tlsx in a packet capture context... I was wondering whether it might have received a ClientHello that was split across more than one packet... due to IP fragmentation maybe. I only saw this once in an afternoon of leaving my app running in the background on my laptop while I did other stuff.

I don't yet understand TLS sufficiently to write a stream-reassembling capture app :-(

@bradleyfalzon (Owner)

OK, had a quick look, and it doesn't look like a client hello at all. The first byte suggests it's a TLS handshake, but the rest of it doesn't look right at all:

Version: 0xf2c8 (unknown)
Handshake Type: 1
Handshake Version: 0x6f20 (unknown)
SessionID: []byte{0xd0, 0xf6, 0xae, 0x68, 0x7e, 0x12, 0x6d}
Cipher Suites (33418): []
Compression Methods: []
Extensions: map[]
SNI: ""
Signature Algorithms: []uint16(nil)
Groups: []uint16(nil)
Points: []byte(nil)
OSCP: false
ALPNs: []

And I'd expect some readable string in the client hello from SNI, but I'm not seeing any readable text when doing a hex dump. I suspect you're right, in that it's part of a larger stream, as the payload is 1424 bytes, which looks like an almost full frame to me depending on TCP options (I'd expect a standard client hello to be a few hundred bytes, if that).

I'm curious if you find out more about what it is, I'm purely speculating. But I don't think there's too much more I can offer.


mholt commented Jul 18, 2017

There should be some 01000 (hex encoding) in the beginning of the ClientHello... if there is padding, the max length of the ClientHello in hex encoded characters would be 1024.

@bradleyfalzon (Owner)

Yeah @mholt, the first byte looks OK to me, but the bytes immediately after should be a 2-byte version and that doesn't match anything (SSLv3, TLS 1.0, 1.1, 1.2 or 1.3), so immediately it's suspicious.
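A header sanity check of the kind the last two comments describe (first byte 0x16, then a 2-byte version, then the handshake header, then the client version), as an added example that is neither tlsx's code nor any commenter's. It assumes a standalone Go file, constructs its own minimal ClientHello as sample input, and flags the two failure modes discussed in the thread: a record version that matches no known SSL/TLS version, and a capture that holds fewer bytes than the record header promises.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Versions the record layer or a ClientHello may legitimately carry (SSLv3 through TLS 1.3).
var knownVersions = map[uint16]bool{0x0300: true, 0x0301: true, 0x0302: true, 0x0303: true, 0x0304: true}

// CheckClientHelloHeader validates the 5-byte record header and 4-byte handshake header
// in front of a ClientHello body; nil means the bytes are worth handing to a parser.
func CheckClientHelloHeader(b []byte) error {
	if len(b) < 11 {
		return fmt.Errorf("only %d bytes, shorter than record + handshake headers", len(b))
	}
	if b[0] != 0x16 {
		return fmt.Errorf("record type 0x%02x is not handshake (0x16)", b[0])
	}
	if v := binary.BigEndian.Uint16(b[1:3]); !knownVersions[v] {
		return fmt.Errorf("unknown record version 0x%04x", v)
	}
	if b[5] != 0x01 {
		return fmt.Errorf("handshake type %d is not ClientHello (1)", b[5])
	}
	recLen := int(binary.BigEndian.Uint16(b[3:5]))
	if hsLen := int(b[6])<<16 | int(b[7])<<8 | int(b[8]); hsLen+4 > recLen {
		return fmt.Errorf("ClientHello body of %d bytes spans several records; reassemble first", hsLen)
	}
	if v := binary.BigEndian.Uint16(b[9:11]); !knownVersions[v] {
		return fmt.Errorf("unknown client version 0x%04x", v)
	}
	if have := len(b) - 5; have < recLen {
		return fmt.Errorf("record promises %d bytes, only %d captured (segment or fragment?)", recLen, have)
	}
	return nil
}

// SampleClientHello builds a constructed, minimal TLS 1.2 ClientHello (one
// cipher suite, null compression, no extensions); it is not captured traffic.
func SampleClientHello() []byte {
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // client_version + 32-byte random
	body = append(body, 0x00)                               // session_id length 0
	body = append(body, 0x00, 0x02, 0xc0, 0x2f)             // cipher_suites: ECDHE-RSA-AES128-GCM-SHA256
	body = append(body, 0x01, 0x00, 0x00, 0x00)             // compression null; extensions length 0
	hs := append([]byte{0x01, 0x00, 0x00, byte(len(body))}, body...)    // handshake header: type 1 + 3-byte length
	return append([]byte{0x16, 0x03, 0x01, 0x00, byte(len(hs))}, hs...) // record header: handshake, TLS 1.0, length
}

func main() { fmt.Println(CheckClientHelloHeader(SampleClientHello())) }
```

Run against the first 12 bytes of the dump posted above (22 242 200 ...), the check stops at the record version 0xf2c8, the same value tlsx reported.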
