
Filter for tls1.3 HelloRetryRequest

asked 2022-06-15 13:06:12 +0000

anaka

Hi experts, is there any particular filter to display the TLS 1.3 HelloRetryRequest? I want to check what a HelloRetryRequest looks like and the sequence around it, so I tested by accessing several HTTPS web sites, but I haven't found any HelloRetryRequest so far. If anybody can provide sample pcap data which contains a HelloRetryRequest, it would be much appreciated. Thanks,


1 Answer


answered 2022-06-15 14:18:19 +0000

Chuckc

Sample capture attached to issue 12779 - Add TLS 1.3 support:
tls13-22-hrr.pcap: picotls client with boringssl 2fce1bed (draft -22 with HelloRetryRequest)

The implementation of HelloRetryRequest seems to vary by draft version.
In the current Wireshark code, packet-tls-utils.c looks for a magic string:

/**
 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
 */
void
tls_scan_server_hello(tvbuff_t *tvb, guint32 offset, guint32 offset_end,
                      guint16 *server_version, gboolean *is_hrr)
{
    /* SHA256("HelloRetryRequest") */
    static const guint8 tls13_hrr_random_magic[] = {
        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
    };

The filter would be:

tls.handshake.random == cf:21:ad:74:e5:9a:61:11:be:1d:8c:02:1e:65:b8:91:c2:a2:11:16:7a:bb:8c:5e:07:9e:09:e2:c8:a8:33:9c

Another approach would be to search the Info column for "Hello Retry Request".
See the filtcols Lua plugin.

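The check described in the answer above, as an added example that is not part of the original post and is not Wireshark code: it confirms that the filter value is SHA-256("HelloRetryRequest"), classifies a raw TLS record by its random field, and also reads the group from the key_share extension. The function names and sample records are constructed for illustration, and the parser assumes one unfragmented handshake message per record.

```python
import hashlib
import struct

# Magic from the answer's filter; RFC 8446 defines it as SHA-256("HelloRetryRequest").
PAGE_MAGIC = bytes.fromhex(
    "cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c")
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()

def classify_server_hello(record):
    """Return (kind, key_share group) for one TLS record, or None if it
    is not a ServerHello-shaped handshake message."""
    if len(record) < 5 or record[0] != 22:            # 22 = handshake record
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 2:                 # 2 = server_hello
        return None
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(msg) < 35:                                 # version + random + sid length
        return None
    random = msg[2:34]
    pos = 35 + msg[34] + 3        # skip session id, cipher suite, compression
    group = None
    if len(msg) >= pos + 2:
        end = min(len(msg), pos + 2 + int.from_bytes(msg[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", msg, pos)
            data = msg[pos + 4:min(end, pos + 4 + ext_len)]
            if ext_type == 51 and len(data) >= 2:     # 51 = key_share
                group = int.from_bytes(data[:2], "big")
            pos += 4 + ext_len
    kind = "HelloRetryRequest" if random == HRR_RANDOM else "ServerHello"
    return kind, group

def build_record(random, key_share):
    """Constructed sample record (not captured traffic)."""
    exts = struct.pack("!HHH", 43, 2, 0x0304)         # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 51, len(key_share)) + key_share
    msg = b"\x03\x03" + random + b"\x00" + b"\x13\x01" + b"\x00"
    msg += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# HRR carries only the selected group; a real ServerHello carries group + key.
HRR = build_record(HRR_RANDOM, struct.pack("!H", 0x0017))
SH = build_record(bytes(range(32)), struct.pack("!HH", 0x001D, 32) + bytes(32))

if __name__ == "__main__":
    for rec in (HRR, SH):
        print(classify_server_hello(rec))
```

In a HelloRetryRequest the key_share extension holds only the group the server wants the client to retry with, which is why the second element is useful when reading the sequence around the retry.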


Stats

Asked: 2022-06-15 13:01:05 +0000

Seen: 31 times

Last updated: Jun 15