Hi experts, Are there any particular filter for tls1.3 HelloRetryRequest to dispaly? I want to check how HelloRetryRequest looks like and sequence around HelloRetryRequest, so I tested by accessing several https web sites but don't find any HelloRetryRequest so far. If anybody can provide sample pcap data which contains HelloRetryRequest, much appreciated. thanks,
Sample capture attached to issue 12779 - Add TLS 1.3 support:
tls13-22-hrr.pcap: picotls client with boringssl 2fce1bed (draft -22 with HelloRetryRequest)
The implementation of HelloRetryRequest seems to vary by draft version.
In the current Wireshark code, packet-tls-utils.c looks for a magic string:
/**
* Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
* draft 22 and newer, it also checks whether it is a HelloRetryRequest.
*/
void
tls_scan_server_hello(tvbuff_t *tvb, guint32 offset, guint32 offset_end,
guint16 *server_version, gboolean *is_hrr)
{
/* SHA256("HelloRetryRequest") */
static const guint8 tls13_hrr_random_magic[] = {
0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
};
The filter would be:
tls.handshake.random == cf:21:ad:74:e5:9a:61:11:be:1d:8c:02:1e:65:b8:91:c2:a2:11:16:7a:bb:8c:5e:07:9e:09:e2:c8:a8:33:9c
Another approach would be to search the Info column for "Hello Retry Request".
See the filtcols Lua plugin.
Asked: 2022-06-15 13:01:05 +0000
Seen: 565 times
Last updated: Jun 15 '22
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.