Network Working Group Y. Pettersen Internet-Draft Opera Software ASA Expires: December 18, 2006 June 16, 2006 Clientside interoperability experiences for the SSL and TLS protocols draft-pettersen-tls-interop-experience-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 18, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document presents a number of problems encountered when implementing TLS 1.0, TLS 1.0 and TLS Extensions for clients, and their consequences. The problems include servers that refuse to connect with clients supporting newer versions of the protocol, or does not handle such negotiation properly. Other problems encountered are incorrect use of values in the protocol messages. The consequences of these problems range from delayed introduction of new protocol versions and features, to fallback mechanisms that may Pettersen Expires December 18, 2006 [Page 1] Internet-Draft TLS interoperability June 2006 disable protocol security features, to implementations that cannot interoperate with some other implementations. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The SSL v3 to TLS 1.0 transition . . . . . . . . . . . . . . . 4 3. The TLS 1.0 to TLS 1.1 transition . . . . . . . . . . . . . . 5 4. The introduction of TLS Extensions . . . . . . . . . . . . . . 5 5. Incorrect use of Record Protocol version numbers . . . . . . . 6 6. Consequences . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. What should be done? . . . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 11. Normative References . . . . . . . . . . . . . . . . . . . . . 10 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 10 A.1. SSL v3 server refuses TLS 1.0 client(case 1) . . . . . . . 10 A.2. SSL v3 server refuses TLS 1.0 client (case 2) . . . . . . 12 A.3. TLS 1.0 server refuses TLS 1.1 client . . . . . . . . . . 13 A.4. TLS 1.0 server refuses TLS Extensions . . . . . . . . . . 14 A.5. Renegotiation with SSL v3 records over TLS 1.0 connection . . . . . . . . . . . . . . . . . . . . . . . . 15 A.6. Wrong version expected in RSA Client Key Exchange . . . . 20 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 26 Intellectual Property and Copyright Statements . . . . . . . . . . 27 Pettersen Expires December 18, 2006 [Page 2] Internet-Draft TLS interoperability June 2006 1. Introduction One of the basic foundations of the various SSL protocol versions [SSLv2], [SSLv3], and TLS [RFC2246] is that they are supposed to be able to work seamlessly with other implementations of both older versions of the protocol, and newer versions that were not even under consideration at the time the implementation was written. The older versions are not supposed to be able to understand the new protocol versions, but using their version of the protocol, they are supposed to be able to negotiate a connection with the newer version, provided that the newer implementation is willing and able to do so. That ability may depend on both the implementer's willingness to support the older versions due to engineering constraints and known security problems with the older version. But, assuming that both implementations support the same version of the protocol, they should be able to communicate. Over the years it has become an unfortunate reality that while most SSL and TLS implementations do work together in the above mentioned ideal fashion, there are far too many implementations that do not (in particular) properly implement the forward compatibility portions of the specifications. This has caused a number of serious problems which again may have led client vendors to delay implementation or deployment of new TLS-related functionality or versions. Other vendors may have deployed the new features, but have only been able to do so by adding automatic workarounds that in many respects actually disable security features of the protocol. Even if one discounts the fact that SSL v2 and SSL v3 were incompatible at the binary level, with every upgrade since; the migration from SSL v3 to TLS 1.0, the addition of TLS Extensions and the current migration from TLS 1.0 to TLS 1.1, clients have encountered servers that were not willing to accept connections from clients that supported these features. To make matters worse, from the client vendor's viewpoint, many of the sites causing these problems are sites that are vital to their customers, such as banking and shopping sites. This document will present a number of the implementation mistakes that have been observed throughout the author's period as the lead developer of an SSL/TLS client. In most cases one has knowledge only about what happened, not the precise reason why. The cases listed here are not intended as an exhaustive list of problems that have occurred in implementations of the SSL/TLS protocol, but to give an overview of what the situation is. Finally, there will be a short evaluation of what may have caused the Pettersen Expires December 18, 2006 [Page 3] Internet-Draft TLS interoperability June 2006 current situation, and a few suggestions about what may be done to avoid these problems in the future, both for TLS and other protocols. 2. The SSL v3 to TLS 1.0 transition The SSL v3 specification[SSLv3] includes the following version forward compatibility and security features: o A field in the Client Hello that tells the server the highest version the client supports. If the server supports a more recent version than this, it is supposed to use it, otherwise it is to use its highest supported version. o A field in the RSA Client Key Exchange message that contains the highest version the client supports. The server must check this version number against the version number received in the Client Hello. If it is different, somebody may have attempted to reduce the security of the connection by downgrading the negotiated version. These two features were intended to make it possible for implementations using newer SSL/TLS versions to connect to older implementations. Unfortunately, a number of server implementations got at least one of those points wrong. Some SSL v3 servers refuse to even answer when a client using TLS 1.0 or higher tries to establish a connection, others answer, but the negotiation fails after the RSA Client Key Exchange step because they use the negotiated version number, not the received version number, to check the version number in the RSA Key Exchange block. Appendix A.1 and Appendix A.2 contain a couple of examples of the first type of problem, refusal to talk to TLS 1.0 clients. In these cases, the server usually closes down the connection immediately without an error code, although in some cases they do send an error first. In the second type of problem the server correctly chooses SSL v3 as the version, but the last part of the handshake fails because the server assumes that the decrypted RSA Key Exchange message should contain the SSL v3 protocol version, not the TLS 1.0 version number (which is the correct one). In such cases the server also closes the connection. An example of a similar case, involving a TLS 1.1 client and a TLS 1.0 server is found in Appendix A.6. To be able to connect to these servers clients have had to restart Pettersen Expires December 18, 2006 [Page 4] Internet-Draft TLS interoperability June 2006 the negotiation on a new connection, with TLS 1.0 disabled, an action which for the RSA cipher suites mean that the version roll back protection is non-existent. 3. The TLS 1.0 to TLS 1.1 transition TLS 1.0[RFC2246] also contained the same forward compatibility and version roll-back attack protections as SSL v3, and given the more formal specification of TLS 1.0, one might have hoped vendors would have taken better care to implement those specified provisions, so that a future transition from TLS 1.0 to TLS 1.1[RFC4346] would work better. Again, however, a number of TLS server vendors did not implement these aspects properly, and in many cases it is not possible to tell what is causing the problem, the web server, or a gateway server between the client and the web server. Appendix A.3 shows a couple of cases where the server shuts down the connection immediately when it gets a Client Hello containing a TLS 1.1 version number. Similarly to the SSL v3 to TLS 1.0 transition servers using the wrong version number during the Client Key Exchange step have also been observed, as seen in Appendix A.6. While many of the servers just close the connection, there are also some TLS 1.0 servers that fall back to SSL v3 when being contacted by a TLS 1.1 client. 4. The introduction of TLS Extensions [SSLv3], TLS 1.0[RFC2246] , and TLS 1.1[RFC4346] all specify the possibility of an extension of the Client Hello to contain more information. This extension was defined with the TLS Extensions specification[RFC3546]. TLS Extensions defines a field containing a sequence of data items that inform the server about the client's capabilities and/or requirements. Two such fields are the Server Name Extension and the Certificate Status Extension, which can be used, respectively, to tell the server which server the client wants to connect to, allowing virtual server hosting for secure servers, and request that the server provides an OCSP response for the server's certificate. As with the negotiation of version number, not all server implementations have taken these requirements into consideration, and in many cases TLS 1.0 servers will refuse to accept connections from Pettersen Expires December 18, 2006 [Page 5] Internet-Draft TLS interoperability June 2006 clients that send TLS Extensions in the Client Hello, usually indicated by closing the connection without sending any error message. It was already known before work on TLS Extensions started that some SSL v3 servers would not tolerate the extended Client Hello used by TLS Extensions, even though the SSLv3 specification mentions the possibility of such an extension of the protocol. Various scenarios have been observed: o Some servers accept TLS Extensions with TLS 1.0, but refuse to accept them from TLS 1.1 clients o Some servers accept TLS Extensions only from a TLS 1.1 client o Some servers refuse to accept TLS Extensions under any circumstances. In at least one case, the reason for the first scenario seems to be that the server incorrectly used the Record Protocol version number as the negotiation input for version number, not the Client Hello version number field, and for version 3.2 reclassified it as 3.0 (not 3.1, as it should have), and then refused to accept the extended record, even if SSL v3 permits extended records. Similar handling, but with more "graceful" recovery may be the reason for the second scenario. The third case, by far the most common, may be caused by incorrect understanding of the specification, but it may also be the result of misguided efforts at protecting the server from an attack by using data format rules in the firewall that are too restrictive. An indication of the latter is that the server in Appendix A.3 originally only refused to accept connection requests from a TLS 1.1 client, but four weeks after the site was first tested, it was no longer accepting TLS Extension requests ( Appendix A.4). 5. Incorrect use of Record Protocol version numbers Three incorrect uses of the SSL/TLS protocols Record Protocol version numbers has been observed, one server side, and two client side. These have not had much impact until recently (2005) because most SSL and TLS clients have been using the SSL v2 Client Hello to provide backward compatibility with servers that only supports SSL v2. As these servers are being upgraded, the need for this backward compatibility is diminishing, and most clients are now disabling this protocol in their default configuration, and they are therefore starting to use the SSL v3 and later Client Hellos in the initial Pettersen Expires December 18, 2006 [Page 6] Internet-Draft TLS interoperability June 2006 handshake. The first incorrect use concerns which Record Protocol version number to use in the initial connection. A single sentence in Section E of [RFC2246] covers this area, and specifies that "TLS clients who wish to negotiate with SSL 3.0 servers should send client hello messages using the SSL 3.0 record format and client hello structure, sending {3, 1} for the version field to note that they support TLS 1.0". What this implies (in the author's current, revised understanding) is that the client should use the server's highest known version number in the first handshake. At the very least, the author of this document missed the significance of this sentence. It had not had any significance when clients were using SSL v2 handshakes initially, since during future handshakes the client would know which version the server supported. It did however turn out to have some impact on some, but not all, of the problems with TLS 1.1 described above. Changing the negotiation sequence to use SSL v3's 3.0 version number in the initial SSL/TLS record did, however, turn out to reveal another incorrect use of the Record Protocol version number: Some servers use it as the Client's Requested SSL/TLS protocol version- field instead of the Client Hello message field. This means that a client using an SSL v3.0 record to request a TLS 1.0 connection from a TLS 1.0 capable server in some cases actually got an SSL v3 connection instead. Curiously, it does not seem like the RSA Client Key Exchange test for version roll-back triggered, probably because the implementations did use the correct field to retrieve the version number used in that check, but did not check it against the negotiated version number. In other cases, such as in Appendix A.1 a SSL v3 server will not accept the TLS 1.0 version number in the protocol record, and will shut down the connection without any warning. In some cases this use of the Record Protocol field has had some curious effects. In one case, if the client used the TLS 1.1 version number (3.2) while connecting to the server, the server would negotiate SSL v3.0, even though it did support TLS 1.0. This caused (as described above) the server not to accept TLS Extensions when the TLS 1.1 Record Protocol was used. The third case concerned a client with which the author is not associated. This client would negotiate a TLS 1.0 session using a SSL v3 Record Protocol message with a Client Hello requesting TLS Pettersen Expires December 18, 2006 [Page 7] Internet-Draft TLS interoperability June 2006 1.0. Once the TLS session was negotiated, the client sent a new Client Hello, presumably to renegotiate the connection without revealing any of the exchanged information to eavesdroppers. It did this in the TLS 1.0 session, using a 3.0 Record Protocol version. Apparently this worked in many cases, but in the case of two financial websites they returned errors when the client sent their second Client Hello, one of them a normal TLS error code, the other (the same one as in Appendix A.3 and Appendix A.4) actually responded Appendix A.5 with an SSL v2 error code, which the client naturally wasn't able to understand. 6. Consequences As a consequence of the problems detailed above, many mass-market client vendors have had to deploy SSL/TLS implementations that disable protocol features if the server does not understand it. In particular, this was necessary both for the move to TLS 1.0, and to TLS 1.1, but it has also become necessary for TLS Extensions. The reason for this automatic disabling of features is that most of these clients cannot refuse to connect to an SSL/TLS server whose "only" problem is that it refuses to connect to a client that supports a feature it does not support. The consequence, however, is that (at the very least) some security features in the protocol, such as the version roll-back protection (in the RSA-suites), are effectively disabled, because it is impossible for a client to distinguish between a non-compliant server and a malicious attack. A related issue is that only the RSA suites defined in TLS have any version roll-back protection that does not dependent on the message digest functions. As long as SSL v3, TLS 1.0 and TLS 1.1 are as similar as they are, and relying on the same methods, this probably does not reduce the security of the protocol. However, as future versions of TLS are unlikely to rely solely on the same mechanisms as the current versions of TLS due to attacks on those mechanisms becoming more feasible, the possibility of a version roll-back attack becomes more realistic. 7. What should be done? Even though SSL and TLS clearly specified forward compatibility requirements in the specifications, a significant number of implementers did not implement them properly. Similarly, a number of Pettersen Expires December 18, 2006 [Page 8] Internet-Draft TLS interoperability June 2006 implementers got some of the backwards compatibility guidelines wrong. Many of these problems may have been caused by the amount of detail in the specifications, which is unavoidable in any specification of some size, others may have been introduced because of external concerns, such as security. What can be done to improve the situation, for TLS, as well as other protocols? This document will not be able to provide the answer to that, but brings up the following questions: o Should important aspects of a protocol be collected in an implementer's checklist? o Should forward and backward compatibility requirements be better documented, e.g. by examples? o Should specifications include reference implementations? If so, who should develop them? o Should such reference implementations also include tests that break border conditions? o Should the IETF host reference implementations? o Can and should future TLS protocol versions contain Key Exchange- independent version roll-back protection? (Currently only the RSA suites in SSL and TLS have such protection) o Is it feasible for future TLS specifications to require implementations never fall back to an earlier version automatically, in case negotiation fails? 8. IANA Considerations This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC. 9. Security Considerations This document discusses various problems with the implementations of Pettersen Expires December 18, 2006 [Page 9] Internet-Draft TLS interoperability June 2006 the SSL and TLS protocol versions, and the interaction between implementations of newer and older versions of this protocol. The solution to some of the problems discussed can have security implications, such as when a client automatically disables its support for a version of the protocol or a feature in the protocol when it encounters a problem with a server. 10. Acknowledgements Many of the sites exhibiting the problems discussed above and used in some of the examples were originally discovered by external testers of the Opera Browser, such as the Elektrans and those who participated in the September 2004 My Opera TLS 1.1 Scavenger Hunt, and employees of Opera Software ASA 11. Normative References [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 3546, June 2003. [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. [SSLv2] Feb18, "The SSL Protocol", Feb 1995, . [SSLv3] "The SSL Protocol Version 3.0", Nov 1996, . Appendix A. Examples A.1. SSL v3 server refuses TLS 1.0 client(case 1) This server accepted connections from TLS 1.0 clients on one of two conditions 1. The Client used an SSL v2 Client Hello record 2. The client used an SSL v3 record protocol record to send the Client Hello with the TLS 1.0 version number. Pettersen Expires December 18, 2006 [Page 10] Internet-Draft TLS interoperability June 2006 A.1.1. Failed connection C: sending 82 bytes 0000 : 16 03 01 00 4d 01 00 00 49 03 01 44 2c 2d 1f 67 ....M...I..D,-.g 0010 : 6c e5 05 a5 88 12 6b 8f a8 d3 e5 9e e0 55 e0 bd l.....k......U.. 0020 : 99 24 dd dc 72 36 8c c7 18 f5 69 00 00 22 00 39 .$..r6....i..".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. S: received 14 bytes 0000 : 15 03 00 00 02 02 0a 15 03 00 00 02 01 00 .............. A.1.2. Successful connection C : sending 82 bytes 0000 : 16 03 00 00 4d 01 00 00 49 03 01 44 2c 35 2d 17 ....M...I..D,5-. 0010 : ad 60 c8 4d 8a 51 a5 59 f9 cd bc 3e b1 9c a2 ff .`.M.Q.Y...>.... 0020 : 42 71 33 2f 80 86 3f 4b f6 62 ea 00 00 22 00 39 Bq3/...K.b...".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. S : received 47 bytes 0000 : 16 03 00 00 2a 02 00 00 26 03 00 44 2c 35 96 1d ....*...&..D,5.. 0010 : d5 02 df 00 eb 5d fb 32 2e 51 64 42 99 c4 94 c2 .....].2.QdB.... 0020 : 46 61 b3 19 e1 50 28 93 57 a9 e9 00 00 05 00 Fa...P(.W...... A.1.3. Successful Connection C : sending 138 bytes 0000 : 80 88 01 03 01 00 6f 00 00 00 10 00 00 39 00 00 ......o......9.. 0010 : 38 00 00 37 00 00 36 00 00 35 00 00 33 00 00 32 8..7..6..5..3..2 0020 : 00 00 31 00 00 30 00 00 2f 00 00 05 00 00 04 00 ..1..0../....... 0030 : 00 13 00 00 0d 00 00 16 00 00 10 00 00 0a 00 00 ................ 0040 : 12 00 00 0c 00 00 15 00 00 0f 00 00 09 00 00 64 ...............d 0050 : 00 00 62 00 00 11 00 00 0b 00 00 14 00 00 0e 00 ..b............. 0060 : 00 08 00 00 03 00 00 06 01 00 80 07 00 c0 03 00 ................ 0070 : 80 06 00 40 02 00 80 04 00 80 44 2c 36 28 d6 0e ...@......D,6(.. 0080 : d9 20 b8 9c d6 0f ad aa 80 d7 . ........ S : received 47 bytes 0000 : 16 03 00 00 2a 02 00 00 26 03 00 44 2c 36 92 97 ....*...&..D,6.. 0010 : 91 4f 1d b2 e1 96 e2 5c 99 c2 5c 21 8e 91 67 91 .O.....\..\!..g. 0020 : 4b 34 ee e7 78 56 65 7b 7a f0 ad 00 00 05 00 K4..xVe{z...... Pettersen Expires December 18, 2006 [Page 11] Internet-Draft TLS interoperability June 2006 A.2. SSL v3 server refuses TLS 1.0 client (case 2) Date: April 5, 2006 Server: Lotus-Domino/5.0.8 Site: https://www.ecbanking.com.my/ This site refused to connect with any client presenting the TLS 1.0 version number in the Client Hello message A.2.1. Failed connection C : Sending 138 bytes 0000 : 80 88 01 03 01 00 6f 00 00 00 10 00 00 39 00 00 ......o......9.. 0010 : 38 00 00 37 00 00 36 00 00 35 00 00 33 00 00 32 8..7..6..5..3..2 0020 : 00 00 31 00 00 30 00 00 2f 00 00 05 00 00 04 00 ..1..0../....... 0030 : 00 13 00 00 0d 00 00 16 00 00 10 00 00 0a 00 00 ................ 0040 : 12 00 00 0c 00 00 15 00 00 0f 00 00 09 00 00 64 ...............d 0050 : 00 00 62 00 00 11 00 00 0b 00 00 14 00 00 0e 00 ..b............. 0060 : 00 08 00 00 03 00 00 06 01 00 80 07 00 c0 03 00 ................ 0070 : 80 06 00 40 02 00 80 04 00 80 44 33 0c 61 ef 3e ...@......D3.a.> 0080 : 2f 10 6b 09 94 56 cc 7d 5c 18 /.k..V.}\. A.2.2. Successful connection C: Sending 138 bytes 0000 : 80 88 01 03 00 00 6f 00 00 00 10 00 00 39 00 00 ......o......9.. 0010 : 38 00 00 37 00 00 36 00 00 35 00 00 33 00 00 32 8..7..6..5..3..2 0020 : 00 00 31 00 00 30 00 00 2f 00 00 05 00 00 04 00 ..1..0../....... 0030 : 00 13 00 00 0d 00 00 16 00 00 10 00 00 0a 00 00 ................ 0040 : 12 00 00 0c 00 00 15 00 00 0f 00 00 09 00 00 64 ...............d 0050 : 00 00 62 00 00 11 00 00 0b 00 00 14 00 00 0e 00 ..b............. 0060 : 00 08 00 00 03 00 00 06 01 00 80 07 00 c0 03 00 ................ 0070 : 80 06 00 40 02 00 80 04 00 80 44 33 0c 65 18 21 ...@......D3.e.! 0080 : bb 61 ee 4f 1b 7e 16 98 b2 2f .a.O.~.../ S : Received 2560 bytes 0000 : 16 03 00 0b 16 02 00 00 46 03 00 31 05 8d 10 01 ........F..1.... 0010 : 5c 9c 2b f1 88 e8 e4 fa 42 0c 1a ff 95 df 49 a8 \.+.....B.....I. 0020 : a9 3d 74 35 fe 07 9d b3 6f 61 28 20 09 c3 e4 4e .=t5....oa( ...N 0030 : e6 27 d1 90 11 55 19 ec 18 37 92 50 0d af 35 3b .'...U...7.P..5; 0040 : 08 96 0f 53 32 67 e4 65 9e 75 19 62 00 05 00 ...S2g.e.u.b... Pettersen Expires December 18, 2006 [Page 12] Internet-Draft TLS interoperability June 2006 A.2.3. Failed connection C : Sending 110 bytes 0000 : 16 03 00 00 69 01 00 00 65 03 01 44 33 16 76 4f ....i...e..D3.vO 0010 : 90 61 33 15 6a 75 02 2c 23 70 7e f8 03 67 41 c8 .a3.ju.,#p~..gA. 0020 : 1d 30 22 5b ed be 8c 66 d3 bd 66 00 00 3e 00 39 .0"[...f..f..>.9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 00 12 00 0c 00 15 00 0f 00 09 00 64 00 62 00 11 ...........d.b.. 0060 : 00 0b 00 14 00 0e 00 08 00 03 00 06 01 00 .............. S : Received 7 bytes 0000 : 15 03 00 00 02 02 0a ....... A.2.4. Successful connection C : Sending 110 bytes 0000 : 16 03 00 00 69 01 00 00 65 03 00 44 33 16 77 4b ....i...e..D3.wK 0010 : fb 0a 6e d5 55 a7 45 86 95 16 01 a7 d2 c9 45 2c ..n.U.E.......E, 0020 : 42 98 7e 71 59 87 03 72 6f d4 95 00 00 3e 00 39 B.~qY..ro....>.9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 00 12 00 0c 00 15 00 0f 00 09 00 64 00 62 00 11 ...........d.b.. 0060 : 00 0b 00 14 00 0e 00 08 00 03 00 06 01 00 .............. S : Received 2560 bytes 0000 : 16 03 00 0b 16 02 00 00 46 03 00 30 e5 3f e0 52 ........F..0...R 0010 : f1 6a ae 5a a2 5b 51 5e 47 72 3d fa b4 10 0b 80 .j.Z.[Q^Gr=..... 0020 : 8a e1 ee e9 fa bc 72 67 cc 1e d2 20 7c 3b 3d 41 ......rg... |;=A 0030 : 80 77 d2 9f ca 73 81 b8 20 99 97 26 da 52 07 d3 .w...s.. ..&.R.. 0040 : df f1 73 c9 14 e2 98 45 9a d2 e1 4c 00 05 00 ..s....E...L... A.3. TLS 1.0 server refuses TLS 1.1 client Date: April 25, 2006 Gateway: WebSphere Site: https://www.dnbnor.no/ Highest supported version: TLS 1.0 This server shuts down the connection when it gets a connection request from a TLS 1.1 client. According to information provided in private communications with the system administrators this site uses a Lotus Domino WebSphere server as a front-end, and that is where the connection is cut. Pettersen Expires December 18, 2006 [Page 13] Internet-Draft TLS interoperability June 2006 A.3.1. SSL v2 Client Hello C: Sending 138 bytes 0000 : 80 88 01 03 02 00 6f 00 00 00 10 00 00 39 00 00 ......o......9.. 0010 : 38 00 00 37 00 00 36 00 00 35 00 00 33 00 00 32 8..7..6..5..3..2 0020 : 00 00 31 00 00 30 00 00 2f 00 00 05 00 00 04 00 ..1..0../....... 0030 : 00 13 00 00 0d 00 00 16 00 00 10 00 00 0a 00 00 ................ 0040 : 12 00 00 0c 00 00 15 00 00 0f 00 00 09 00 00 64 ...............d 0050 : 00 00 62 00 00 11 00 00 0b 00 00 14 00 00 0e 00 ..b............. 0060 : 00 08 00 00 03 00 00 06 01 00 80 07 00 c0 03 00 ................ 0070 : 80 06 00 40 02 00 80 04 00 80 44 4e 53 a8 24 1b ...@......DNS.$. 0080 : 29 8f 20 17 27 74 46 24 f4 d1 ). .'tF$.. A.3.2. TLS 1.0 Record, TLS 1.1 Client Hello C: 82 bytes 0000 : 16 03 01 00 4d 01 00 00 49 03 02 44 4e 54 c4 e8 ....M...I..DNT.. 0010 : 59 f9 9a e4 35 27 4f 95 b0 4b 82 4a 01 71 ea 8e Y...5'O..K.J.q.. 0020 : c0 29 2d 8e 8e f2 07 81 3d f6 4e 00 00 22 00 39 .)-.....=.N..".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. A.4. TLS 1.0 server refuses TLS Extensions Date: April 25, 2006 Gateway: WebSphere Site: https://www.dnbnor.no/ Highest supported version: TLS 1.0 This server (the same as in Appendix A.3) shuts down the connection when it gets a connection request from a TLS 1.0 client with support for TLS Extensions. According to information provided in private communications with the system administrators this site uses a Lotus Domino WebSphere server as a front-end, and that is where the connection is cut. A.4.1. TLS 1.0 with TLS Extensions Pettersen Expires December 18, 2006 [Page 14] Internet-Draft TLS interoperability June 2006 C: 150 bytes 0000 : 16 03 01 00 91 01 00 00 8d 03 01 44 4e 54 c4 90 ...........DNT.. 0010 : 98 a6 83 92 36 a8 79 6c a3 3f f8 dd 78 74 5b 7e ....6.yl....xt[~ 0020 : 8d fa a7 7d 1f ef 60 1e 99 bb 29 00 00 22 00 39 ...}..`...)..".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 00 42 00 00 00 12 00 10 00 00 0d 77 77 77 ...B.........www 0060 : 2e 64 6e 62 6e 6f 72 2e 6e 6f 00 05 00 28 01 00 .dnbnor.no...(.. 0070 : 00 00 23 22 21 30 1f 06 09 2b 06 01 05 05 07 30 ..#"!0...+.....0 0080 : 01 02 04 12 04 10 64 7c 47 2d a1 b1 cb ab ca 36 ......d|G-.....6 0090 : d4 9e a6 64 92 e0 ...d.. A.5. Renegotiation with SSL v3 records over TLS 1.0 connection Date: June 5, 2006 Gateway: WebSphere Site: https://www.dnbnor.no/ Highest supported version: TLS 1.0 This example was created using a specially modified TLS Client that immediately initiate a renegotiation of the TLS session, but does so using SSL v3 as the record protocol version, even over a TLS 1.0 negotiated encrypted connection. This is based on actual observations of a client the author is not associated with. When the renegotiation starts the server responds with an SSL v2 error code, not an SSL v3 or TLS 1.0 error code. At least one other server has been observed throwing TLS errors, as expected, but apparently a number of servers actually accept the type of negotiation performed in this case According to information provided in private communications with the system administrators this site uses a Lotus Domino WebSphere server as a front-end, and that is where the connection is cut. C : Sending 82 bytes (Client Hello) 0000 : 16 03 00 00 4d 01 00 00 49 03 01 44 84 9f de 7c ....M...I..D...| 0010 : f8 51 49 35 31 0a 0e d8 e1 a8 dc 97 dc 1b 22 b5 .QI51.........". 0020 : 96 96 c1 69 7b 5a 34 83 07 0d 5e 00 00 22 00 39 ...i{Z4...^..".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. Pettersen Expires December 18, 2006 [Page 15] Internet-Draft TLS interoperability June 2006 S : Received 2520 bytes (Server Hello TLS 1.0, Certificate Part 1) 0000 : 16 03 01 0a 99 02 00 00 46 03 01 00 00 00 44 5c ........F.....D\ 0010 : 1d 7d 6a df 62 f0 f4 4c 74 f7 e5 df 31 e6 d2 43 .}j.b..Lt...1..C 0020 : 14 ee 56 9a 48 e9 90 97 56 b6 c6 20 00 00 51 c7 ..V.H...V.. ..Q. 0030 : 87 47 cd 99 56 93 d3 c5 1b f1 86 bb 19 88 59 e9 .G..V.........Y. 0040 : 58 58 58 58 44 84 9f e5 00 02 9b ae 00 35 00 0b XXXXD........5.. 0050 : 00 0a 47 00 0a 44 00 04 74 30 82 04 70 30 82 03 ..G..D..t0..p0.. 0060 : d9 a0 03 02 01 02 02 10 77 f1 5a 9c af fb 1f 6b ........w.Z....k 0070 : 38 2c 96 5b 53 7b ce aa 30 0d 06 09 2a 86 48 86 8,.[S{..0...*.H. 0080 : f7 0d 01 01 05 05 00 30 81 ba 31 1f 30 1d 06 03 .......0..1.0... 0090 : 55 04 0a 13 16 56 65 72 69 53 69 67 6e 20 54 72 U....VeriSign Tr 00a0 : 75 73 74 20 4e 65 74 77 6f 72 6b 31 17 30 15 06 ust Network1.0.. 00b0 : 03 55 04 0b 13 0e 56 65 72 69 53 69 67 6e 2c 20 .U....VeriSign, 00c0 : 49 6e 63 2e 31 33 30 31 06 03 55 04 0b 13 2a 56 Inc.1301..U...*V 00d0 : 65 72 69 53 69 67 6e 20 49 6e 74 65 72 6e 61 74 eriSign Internat 00e0 : 69 6f 6e 61 6c 20 53 65 72 76 65 72 20 43 41 20 ional Server CA 00f0 : 2d 20 43 6c 61 73 73 20 33 31 49 30 47 06 03 55 - Class 31I0G..U 0100 : 04 0b 13 40 77 77 77 2e 76 65 72 69 73 69 67 6e ...@www.verisign 0110 : 2e 63 6f 6d 2f 43 50 53 20 49 6e 63 6f 72 70 2e .com/CPS Incorp. 0120 : 62 79 20 52 65 66 2e 20 4c 49 41 42 49 4c 49 54 by Ref. LIABILIT 0130 : 59 20 4c 54 44 2e 28 63 29 39 37 20 56 65 72 69 Y LTD.(c)97 Veri 0140 : 53 69 67 6e 30 1e 17 0d 30 35 30 39 30 35 30 30 Sign0...05090500 0150 : 30 30 30 30 5a 17 0d 30 37 30 39 30 35 32 33 35 0000Z..070905235 0160 : 39 35 39 5a 30 81 a8 31 0b 30 09 06 03 55 04 06 959Z0..1.0...U.. 0170 : 13 02 4e 4f 31 0f 30 0d 06 03 55 04 08 13 06 42 ..NO1.0...U....B 0180 : 65 72 67 65 6e 31 10 30 0e 06 03 55 04 07 14 07 ergen1.0...U.... 0190 : 53 61 6e 64 73 6c 69 31 15 30 13 06 03 55 04 0a Sandsli1.0...U.. 01a0 : 14 0c 45 44 42 20 49 54 20 44 72 69 66 74 31 12 ..EDB IT Drift1. 01b0 : 30 10 06 03 55 04 0b 14 09 44 6e 42 4e 4f 52 20 0...U....DnBNOR 01c0 : 49 54 31 33 30 31 06 03 55 04 0b 14 2a 54 65 72 IT1301..U...*Ter 01d0 : 6d 73 20 6f 66 20 75 73 65 20 61 74 20 77 77 77 ms of use at www 01e0 : 2e 76 65 72 69 73 69 67 6e 2e 63 6f 6d 2f 72 70 .verisign.com/rp 01f0 : 61 20 28 63 29 30 30 31 16 30 14 06 03 55 04 03 a (c)001.0...U.. 0200 : 14 0d 77 77 77 2e 64 6e 62 6e 6f 72 2e 6e 6f 30 ..www.dnbnor.no0 0210 : 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 ..0...*.H....... 0220 : 00 03 81 8d 00 30 81 89 02 81 81 00 b5 b5 b1 17 .....0.......... 0230 : 6d c0 e4 78 64 7d 89 7d e9 fa 62 1b 6b 59 d4 39 m..xd}.}..b.kY.9 0240 : 8e 5a 78 d5 50 2b 5a 3d c7 5b 02 87 df 67 51 0f .Zx.P+Z=.[...gQ. 0250 : b2 d9 43 6e 00 33 c3 88 fb 4e ac 31 85 82 ca a6 ..Cn.3...N.1.... 0260 : 96 84 9c 99 64 fa 44 b6 c5 3e 87 bb 81 72 25 b0 ....d.D..>...r%. 0270 : de a5 27 5d 9d 17 e5 c7 73 6a 08 7e 90 c4 b9 e2 ..']....sj.~.... 0280 : 78 f1 70 b5 06 44 4d 4d 60 fa e8 b8 a0 6b 04 11 x.p..DMM`....k.. 0290 : 7e 4e f2 61 79 57 ad 0f a1 2d b8 b5 1b ea d2 a5 ~N.ayW...-...... 02a0 : 96 28 53 cc 6b f8 f1 4c 15 5b 4b 17 02 03 01 00 .(S.k..L.[K..... 02b0 : 01 a3 82 01 85 30 82 01 81 30 09 06 03 55 1d 13 .....0...0...U.. 02c0 : 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 ..0.0...U....... 02d0 : a0 30 46 06 03 55 1d 1f 04 3f 30 3d 30 3b a0 39 .0F..U....0=0;.9 02e0 : a0 37 86 35 68 74 74 70 3a 2f 2f 63 72 6c 2e 76 .7.5http://crl.v Pettersen Expires December 18, 2006 [Page 16] Internet-Draft TLS interoperability June 2006 02f0 : 65 72 69 73 69 67 6e 2e 63 6f 6d 2f 43 6c 61 73 erisign.com/Clas 0300 : 73 33 49 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 53 s3InternationalS 0310 : 65 72 76 65 72 2e 63 72 6c 30 44 06 03 55 1d 20 erver.crl0D..U. 0320 : 04 3d 30 3b 30 39 06 0b 60 86 48 01 86 f8 45 01 .=0;09..`.H...E. 0330 : 07 17 03 30 2a 30 28 06 08 2b 06 01 05 05 07 02 ...0*0(..+...... 0340 : 01 16 1c 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 ...https://www.v 0350 : 65 72 69 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 30 erisign.com/rpa0 0360 : 34 06 03 55 1d 25 04 2d 30 2b 06 09 60 86 48 01 4..U.%.-0+..`.H. 0370 : 86 f8 42 04 01 06 0a 2b 06 01 04 01 82 37 0a 03 ..B....+.....7.. 0380 : 03 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 ...+.........+.. 0390 : 05 05 07 03 02 30 34 06 08 2b 06 01 05 05 07 01 .....04..+...... 03a0 : 01 04 28 30 26 30 24 06 08 2b 06 01 05 05 07 30 ..(0&0$..+.....0 03b0 : 01 86 18 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 ...http://ocsp.v 03c0 : 65 72 69 73 69 67 6e 2e 63 6f 6d 30 6d 06 08 2b erisign.com0m..+ 03d0 : 06 01 05 05 07 01 0c 04 61 30 5f a1 5d a0 5b 30 ........a0_.].[0 03e0 : 59 30 57 30 55 16 09 69 6d 61 67 65 2f 67 69 66 Y0W0U..image/gif 03f0 : 30 21 30 1f 30 07 06 05 2b 0e 03 02 1a 04 14 8f 0!0.0...+....... 0400 : e5 d3 1a 86 ac 8d 8e 6b c3 cf 80 6a d4 48 18 2c .......k...j.H., 0410 : 7b 19 2e 30 25 16 23 68 74 74 70 3a 2f 2f 6c 6f {..0%.#http://lo 0420 : 67 6f 2e 76 65 72 69 73 69 67 6e 2e 63 6f 6d 2f go.verisign.com/ 0430 : 76 73 6c 6f 67 6f 2e 67 69 66 30 0d 06 09 2a 86 vslogo.gif0...*. 0440 : 48 86 f7 0d 01 01 05 05 00 03 81 81 00 45 bc 3c H............E.< 0450 : a1 80 f8 f9 30 d4 97 09 dd 21 22 55 13 b1 a7 fd ....0....!"U.... 0460 : b2 c4 7a 13 6a 65 7d 86 f1 5f ec 9a 27 e3 bf da ..z.je}.._..'... 0470 : 0c e7 cc 64 cd b5 21 0e d1 5e 77 80 8f 73 6c b0 ...d..!..^w..sl. 0480 : 1b d9 1b 70 e2 c5 46 22 0a d3 c5 9e 42 6e 16 20 ...p..F"....Bn. 0490 : 43 e7 c3 a2 7c 9c 7a c0 f5 be c3 d5 a5 4f 3e 78 C...|.z......O>x 04a0 : 2d f8 ac 7c 8f 05 73 66 cb 81 a0 42 28 f8 06 01 -..|..sf...B(... 04b0 : 3a b5 8c 6c 34 1e d0 61 58 43 25 e0 fc d1 46 4d :..l4..aXC%...FM 04c0 : 7e 1b 36 23 03 bb d6 4d 61 d8 d7 aa 05 00 03 87 ~.6#...Ma....... 04d0 : 30 82 03 83 30 82 02 ec a0 03 02 01 02 02 10 25 0...0..........% 04e0 : 4b 8a 85 38 42 cc e3 58 f8 c5 dd ae 22 6e a4 30 K..8B..X...."n.0 04f0 : 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 5f ...*.H........0_ 0500 : 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 17 30 1.0...U....US1.0 0510 : 15 06 03 55 04 0a 13 0e 56 65 72 69 53 69 67 6e ...U....VeriSign 0520 : 2c 20 49 6e 63 2e 31 37 30 35 06 03 55 04 0b 13 , Inc.1705..U... 0530 : 2e 43 6c 61 73 73 20 33 20 50 75 62 6c 69 63 20 .Class 3 Public 0540 : 50 72 69 6d 61 72 79 20 43 65 72 74 69 66 69 63 Primary Certific 0550 : 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 30 ation Authority0 0560 : 1e 17 0d 39 37 30 34 31 37 30 30 30 30 30 30 5a ...970417000000Z 0570 : 17 0d 31 31 31 30 32 34 32 33 35 39 35 39 5a 30 ..111024235959Z0 0580 : 81 ba 31 1f 30 1d 06 03 55 04 0a 13 16 56 65 72 ..1.0...U....Ver 0590 : 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 77 iSign Trust Netw 05a0 : 6f 72 6b 31 17 30 15 06 03 55 04 0b 13 0e 56 65 ork1.0...U....Ve 05b0 : 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 33 30 31 riSign, Inc.1301 05c0 : 06 03 55 04 0b 13 2a 56 65 72 69 53 69 67 6e 20 ..U...*VeriSign 05d0 : 49 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 20 53 65 International Se 05e0 : 72 76 65 72 20 43 41 20 2d 20 43 6c 61 73 73 20 rver CA - Class Pettersen Expires December 18, 2006 [Page 17] Internet-Draft TLS interoperability June 2006 05f0 : 33 31 49 30 47 06 03 55 04 0b 13 40 77 77 77 2e 31I0G..U...@www. 0600 : 76 65 72 69 73 69 67 6e 2e 63 6f 6d 2f 43 50 53 verisign.com/CPS 0610 : 20 49 6e 63 6f 72 70 2e 62 79 20 52 65 66 2e 20 Incorp.by Ref. 0620 : 4c 49 41 42 49 4c 49 54 59 20 4c 54 44 2e 28 63 LIABILITY LTD.(c 0630 : 29 39 37 20 56 65 72 69 53 69 67 6e 30 81 9f 30 )97 VeriSign0..0 0640 : 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 ...*.H.......... 0650 : 8d 00 30 81 89 02 81 81 00 d8 82 80 e8 d6 19 02 ..0............. 0660 : 7d 1f 85 18 39 25 a2 65 2b e1 bf d4 05 d3 bc e6 }...9%.e+....... 0670 : 36 3b aa f0 4c 6c 5b b6 e7 aa 3c 73 45 55 b2 f1 6;..Ll[....(....;..MN 06b0 : 39 f7 5c 49 5a b8 c1 1d d3 b2 8a fe 70 30 95 42 9.\IZ.......p0.B 06c0 : cb fe 2b 51 8b 5a 3c 3a f9 22 4f 90 b2 02 a7 53 ..+Q.Z<:."O....S 06d0 : 9c 4f 34 e7 ab 04 b2 7b 6f 02 03 01 00 01 a3 81 .O4....{o....... 06e0 : e3 30 81 e0 30 0f 06 03 55 1d 13 04 08 30 06 01 .0..0...U....0.. 06f0 : 01 ff 02 01 00 30 44 06 03 55 1d 20 04 3d 30 3b .....0D..U. .=0; 0700 : 30 39 06 0b 60 86 48 01 86 f8 45 01 07 01 01 30 09..`.H...E....0 0710 : 2a 30 28 06 08 2b 06 01 05 05 07 02 01 16 1c 68 *0(..+.........h 0720 : 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69 73 ttps://www.veris 0730 : 69 67 6e 2e 63 6f 6d 2f 43 50 53 30 34 06 03 55 ign.com/CPS04..U 0740 : 1d 25 04 2d 30 2b 06 08 2b 06 01 05 05 07 03 01 .%.-0+..+....... 0750 : 06 08 2b 06 01 05 05 07 03 02 06 09 60 86 48 01 ..+.........`.H. 0760 : 86 f8 42 04 01 06 0a 60 86 48 01 86 f8 45 01 08 ..B....`.H...E.. 0770 : 01 30 0b 06 03 55 1d 0f 04 04 03 02 01 06 30 11 .0...U........0. 0780 : 06 09 60 86 48 01 86 f8 42 01 01 04 04 03 02 01 ..`.H...B....... 0790 : 06 30 31 06 03 55 1d 1f 04 2a 30 28 30 26 a0 24 .01..U...*0(0&.$ 07a0 : a0 22 86 20 68 74 74 70 3a 2f 2f 63 72 6c 2e 76 .". http://crl.v 07b0 : 65 72 69 73 69 67 6e 2e 63 6f 6d 2f 70 63 61 33 erisign.com/pca3 07c0 : 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 .crl0...*.H..... 07d0 : 05 05 00 03 81 81 00 08 01 ec e4 68 94 03 42 f1 ...........h..B. 07e0 : 73 f1 23 a2 3a de e9 f1 da c6 54 c4 23 3e 86 ea s.#.:.....T.#>.. 07f0 : cf 6a 3a 33 ab ea 9c 04 14 07 36 06 0b f9 88 6f .j:3......6....o 0800 : d5 13 ee 29 2b c3 e4 72 8d 44 ed d1 ac 20 09 2d ...)+..r.D... .- 0810 : e1 f6 e1 19 05 38 b0 3d 0f 9f 7f f8 9e 02 dc 86 .....8.=........ 0820 : 02 86 61 4e 26 5f 5e 9f 92 1e 0c 24 a4 f5 d0 70 ..aN&_^....$...p 0830 : 13 cf 26 c3 43 3d 49 1d 9e 82 2e 52 5f bc 3e c6 ..&.C=I....R_.>. 0840 : 66 29 01 8e 4e 92 2c bc 46 75 03 82 ac 73 e9 d9 f)..N.,.Fu...s.. 0850 : 7e 0b 67 ef 54 52 1a 00 02 40 30 82 02 3c 30 82 ~.g.TR...@0..<0. 0860 : 01 a5 02 10 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b ....p.....)4.8.{ 0870 : 03 cc ba bf 30 0d 06 09 2a 86 48 86 f7 0d 01 01 ....0...*.H..... 0880 : 02 05 00 30 5f 31 0b 30 09 06 03 55 04 06 13 02 ...0_1.0...U.... 0890 : 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 US1.0...U....Ver 08a0 : 69 53 69 67 6e 2c 20 49 6e 63 2e 31 37 30 35 06 iSign, Inc.1705. 08b0 : 03 55 04 0b 13 2e 43 6c 61 73 73 20 33 20 50 75 .U....Class 3 Pu 08c0 : 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 72 blic Primary Cer 08d0 : 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f tification Autho 08e0 : 72 69 74 79 30 1e 17 0d 39 36 30 31 32 39 30 30 rity0...96012900 Pettersen Expires December 18, 2006 [Page 18] Internet-Draft TLS interoperability June 2006 08f0 : 30 30 30 30 5a 17 0d 32 38 30 38 30 31 32 33 35 0000Z..280801235 0900 : 39 35 39 5a 30 5f 31 0b 30 09 06 03 55 04 06 13 959Z0_1.0...U... 0910 : 02 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 .US1.0...U....Ve 0920 : 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 37 30 35 riSign, Inc.1705 0930 : 06 03 55 04 0b 13 2e 43 6c 61 73 73 20 33 20 50 ..U....Class 3 P 0940 : 75 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 ublic Primary Ce 0950 : 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 rtification Auth 0960 : 6f 72 69 74 79 30 81 9f 30 0d 06 09 2a 86 48 86 ority0..0...*.H. 0970 : f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 ...........0.... 0980 : 81 00 c9 5c 59 9e f2 1b 8a 01 14 b4 10 df 04 40 ...\Y..........@ 0990 : db e3 57 af 6a 45 40 8f 84 0c 0b d1 33 d9 d9 11 ..W.jE@.....3... 09a0 : cf ee 02 58 1f 25 f7 2a a8 44 05 aa ec 03 1f 78 ...X.%.*.D.....x 09b0 : 7f 9e 93 b9 9a 00 aa 23 7d d6 ac 85 a2 63 45 c7 .......#}....cE. 09c0 : 72 27 cc f4 4c c6 75 71 d2 39 ef 4f 42 f0 75 df r'..L.uq.9.OB.u. 09d0 : 0a 90 c6 8e 20 6f 98 0f .... o.. S : received 198 bytes (Certificate part2, Hello Done) 0000 : f8 ac 23 5f 70 29 36 a4 c9 86 e7 b1 9a 20 cb 53 ..#_p)6...... .S 0010 : a5 85 e7 3d be 7d 9a fe 24 45 33 dc 76 15 ed 0f ...=.}..$E3.v... 0020 : a2 71 64 4c 65 2e 81 68 45 a7 02 03 01 00 01 30 .qdLe..hE......0 0030 : 0d 06 09 2a 86 48 86 f7 0d 01 01 02 05 00 03 81 ...*.H.......... 0040 : 81 00 bb 4c 12 2b cf 2c 26 00 4f 14 13 dd a6 fb ...L.+.,&.O..... 0050 : fc 0a 11 84 8c f3 28 1c 67 92 2f 7c b6 c5 fa df ......(.g./|.... 0060 : f0 e8 95 bc 1d 8f 6c 2c a8 51 cc 73 d8 a4 c0 53 ......l,.Q.s...S 0070 : f0 4e d6 26 c0 76 01 57 81 92 5e 21 f1 d1 b1 ff .N.&.v.W..^!.... 0080 : e7 d0 21 58 cd 69 17 e3 44 1c 9c 19 44 39 89 5c ..!X.i..D...D9.\ 0090 : dc 9c 00 0f 56 8d 02 99 ed a2 90 45 4c e4 bb 10 ....V......EL... 00a0 : a4 3d f0 32 03 0e f1 ce f8 e8 c9 51 8c e6 62 9f .=.2.......Q..b. 00b0 : e6 9f c0 7d b7 72 9c c9 36 3a 6b 9f 4e a8 ff 64 ...}.r..6:k.N..d 00c0 : 0d 64 0e 00 00 00 .d.... C : Sending 139 bytes (Client Key exchange) 0000 : 16 03 01 00 86 10 00 00 82 00 80 43 4b e5 84 c9 ...........CK... 0010 : 27 e9 b3 6b 04 d4 54 a7 33 83 70 9f e1 80 c5 24 '..k..T.3.p....$ 0020 : fc 3e 9d fe 3d 11 64 14 64 f9 e2 30 68 1e 4d c6 .>..=.d.d..0h.M. 0030 : 2d 16 5f a0 25 1e 6a 51 cf 32 42 00 2c 5e e9 58 -._.%.jQ.2B.,^.X 0040 : cc 33 ad 2e 9b e9 6b 12 5c 23 ac b1 37 9b 4a 2b .3....k.\#..7.J+ 0050 : 28 f9 57 d9 92 89 01 f3 6b 94 a3 18 dc f6 1f e1 (.W.....k....... 0060 : f0 68 de 54 de f0 58 e3 7a 58 09 dd 3b 07 f7 df .h.T..X.zX..;... 0070 : 5b 62 04 73 38 7c 6c 00 81 61 e7 85 a6 32 9d 45 [b.s8|l..a...2.E 0080 : 6b f4 34 00 7d cf d7 7b d0 3e da k.4.}..{.>. C : Sending 6 bytes (Cipher Change) 0000 : 14 03 01 00 01 01 ...... C : Plaintext 16 bytes (Finished) 0000 : 14 00 00 0c 7c cf 8d 7b 62 76 ab 9a ae b6 e5 6e ....|..{bv.....n Pettersen Expires December 18, 2006 [Page 19] Internet-Draft TLS interoperability June 2006 C : Sending 53 bytes (Encrypted Finished) 0000 : 16 03 01 00 30 6f fd 31 80 51 a9 3d 18 7d 55 ef ....0o.1.Q.=.}U. 0010 : 7c 6c 80 07 b2 79 6a 06 39 79 7e 15 7d e8 ee 1f |l...yj.9y~.}... 0020 : fd be 68 6a af e2 cd db 47 f9 a6 b8 20 26 b9 03 ..hj....G... &.. 0030 : 12 ec d3 c3 fd ..... S : Received 6 bytes (Cipher Change) 0000 : 14 03 01 00 01 01 ...... S : Received 53 bytes (Encrypted Finished) 0000 : 16 03 01 00 30 a4 11 4c 05 28 3b cc 39 d3 aa 63 ....0..L.(;.9..c 0010 : bc 9d 74 f8 9b 8e 1c 6b 5c ee f2 4b 82 e9 ce c9 ..t....k\..K.... 0020 : ce 73 b9 28 c2 2d 84 92 a3 70 5b 5b a8 8b 4f 86 .s.(.-...p[[..O. 0030 : 59 90 bf 39 9f Y..9. S : Plaintext 16 bytes (Plaintext Finished) 0000 : 14 00 00 0c 78 40 33 0f ae eb f4 e4 19 bd e8 66 ....x@3........f C : Plaintext 109 bytes (Client Hello) 0000 : 01 00 00 69 03 01 44 84 9f e0 38 4e 2b 3c 01 4d ...i..D...8N+<.M 0010 : d2 9c c0 03 fd 1f 92 f4 b7 d2 27 61 9e 68 a2 bf ..........'a.h.. 0020 : 7d fc f2 98 5d d6 20 00 00 51 c7 87 47 cd 99 56 }...]. ..Q..G..V 0030 : 93 d3 c5 1b f1 86 bb 19 88 59 e9 58 58 58 58 44 .........Y.XXXXD 0040 : 84 9f e5 00 02 9b ae 00 22 00 35 00 39 00 38 00 ........".5.9.8. 0050 : 37 00 33 00 32 00 31 00 30 00 2f 00 05 00 04 00 7.3.2.1.0./..... 0060 : 13 00 0d 00 16 00 10 00 0a 00 00 01 00 ............. C : Sending 149 bytes (Encrypted Client Hello, v3.0 record protocol over TLS 1.0 encrypted connection) 0000 : 16 03 00 00 90 d6 39 9d 73 59 a4 88 61 9d ea f6 ......9.sY..a... 0010 : 43 f0 96 12 86 5d 50 fb 81 8d e7 c5 7d 57 1b d5 C....]P.....}W.. 0020 : a6 f7 24 a9 9d b0 a4 5c 93 60 c3 6a 8f d5 b5 1b ..$....\.`.j.... 0030 : e1 96 af 8f 2e 94 0a 69 05 0c e2 8c 0d c5 a5 31 .......i.......1 0040 : 6f 2b 41 77 8e e8 d3 8e 16 96 87 b7 3d 9d 83 1b o+Aw........=... 0050 : 1e 04 15 27 80 8e 67 05 d3 ee 9f 82 63 13 10 a0 ...'..g.....c... 0060 : 29 70 ce c4 9e c0 22 94 15 39 d8 07 fd 88 0c bb )p...."..9...... 0070 : ff 00 26 34 1f 63 f1 fc 36 5f 30 fe 51 ef f4 78 ..&4.c..6_0.Q..x 0080 : dd df f1 7b c2 91 f9 29 e4 e2 5c 1f 10 98 b8 c8 ...{...)..\..... 0090 : ec cc 13 d9 da ..... S : Received 5 bytes (SSL v2 Error message) 0000 : 80 03 00 00 01 ..... A.6. Wrong version expected in RSA Client Key Exchange Pettersen Expires December 18, 2006 [Page 20] Internet-Draft TLS interoperability June 2006 Date: June 15, 2006 Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix) Site: https://www.gotogate.no/ Highest supported version: TLS 1.0 This server negotiates a TLS 1.0 connection when TLS 1.1 is offered, but after receiving the RSA Client Key Exchange the server sends a handshake error and closes the connection, as seen in Appendix A.6.1. The reason for the error is that the server expects the negotiated version to be used in the Premaster Secret, not the version used in the Client Hello, as seen in Appendix A.6.2 A.6.1. Correct Premaster - Connection Failure This is a normal TLS handshake requesting a TLS 1.1 connection from the server. The server selects TLS 1.0, but reports a handshake failure after the Client Key Exchange message has been sent. C : Sending 82 bytes (Client Hello) 0000 : 16 03 01 00 4d 01 00 00 49 03 02 44 90 b9 63 a2 ....M...I..D..c. 0010 : 1b bd 07 1d 01 55 3f 8a 9e c9 0a a1 99 dc 8a 1b .....U...?.?.... 0020 : d8 62 dc 07 bc 0c 58 99 0c e0 a4 00 00 22 00 39 .b....X..?...".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. S : Received 948 bytes (Server hello, Certificate, Hello Done) 0000 : 16 03 01 00 4a 02 00 00 46 03 01 44 90 b8 cb 2f ....J...F..D.??/ 0010 : e2 a7 3e 22 f8 af 5d 62 ca ab c1 6a c1 16 5f 88 ?.>".?]b?.?j?._. 0020 : 64 81 5d 24 52 8b 2f 72 6d 97 c9 20 71 09 06 7d d.]$R./rm.? q..} 0030 : 64 a4 8a ce e7 4c 4b bc 20 e5 db 5e 49 46 9d 51 d..??LK. .?^IF.Q 0040 : 01 bb f6 e1 4c e5 f6 0e bb b9 23 6f 00 05 00 16 ..........#o.... 0050 : 03 01 03 57 0b 00 03 53 00 03 50 00 03 4d 30 82 ...W...S..P..M0. 0060 : 03 49 30 82 02 b2 a0 03 02 01 02 02 03 3f 84 41 .I0...?........A 0070 : 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0...*.H.?......0 0080 : 81 ce 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 .?1.0...U....ZA1 0090 : 15 30 13 06 03 55 04 08 13 0c 57 65 73 74 65 72 .0...U....Wester 00a0 : 6e 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 n Cape1.0...U... 00b0 : 09 43 61 70 65 20 54 6f 77 6e 31 1d 30 1b 06 03 .Cape Town1.0... 00c0 : 55 04 0a 13 14 54 68 61 77 74 65 20 43 6f 6e 73 U....Thawte Cons 00d0 : 75 6c 74 69 6e 67 20 63 63 31 28 30 26 06 03 55 ulting cc1(0&..U 00e0 : 04 0b 13 1f 43 65 72 74 69 66 69 63 61 74 69 6f ....Certificatio 00f0 : 6e 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 n Services Divis 0100 : 69 6f 6e 31 21 30 1f 06 03 55 04 03 13 18 54 68 ion1!0...U....Th 0110 : 61 77 74 65 20 50 72 65 6d 69 75 6d 20 53 65 72 awte Premium Ser Pettersen Expires December 18, 2006 [Page 21] Internet-Draft TLS interoperability June 2006 0120 : 76 65 72 20 43 41 31 28 30 26 06 09 2a 86 48 86 ver CA1(0&..*.H. 0130 : f7 0d 01 09 01 16 19 70 72 65 6d 69 75 6d 2d 73 ?......premium-s 0140 : 65 72 76 65 72 40 74 68 61 77 74 65 2e 63 6f 6d erver@thawte.com 0150 : 30 1e 17 0d 30 35 30 36 32 31 31 31 30 37 33 39 0...050621110739 0160 : 5a 17 0d 30 36 30 36 32 31 31 31 30 37 33 39 5a Z..060621110739Z 0170 : 30 5b 31 0b 30 09 06 03 55 04 06 13 02 4e 4f 31 0[1.0...U....NO1 0180 : 0d 30 0b 06 03 55 04 08 13 04 4f 73 6c 6f 31 0d .0...U....Oslo1. 0190 : 30 0b 06 03 55 04 07 13 04 4f 73 6c 6f 31 14 30 0...U....Oslo1.0 01a0 : 12 06 03 55 04 0a 13 0b 47 4f 54 4f 47 41 54 45 ...U....GOTOGATE 01b0 : 20 41 53 31 18 30 16 06 03 55 04 03 13 0f 77 77 AS1.0...U....ww 01c0 : 77 2e 67 6f 74 6f 67 61 74 65 2e 6e 6f 30 81 9f w.gotogate.no0.. 01d0 : 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 0...*.H.?....... 01e0 : 81 8d 00 30 81 89 02 81 81 00 ca e1 b4 e6 2a cb ...0......???.*? 01f0 : 27 c0 d3 17 d0 f8 8b 91 62 f9 97 84 86 b5 9e 0b '??.....b?...... 0200 : 1d df 97 b1 ce 7e 12 25 59 f2 80 d2 bf 8e 7b 56 ....?~.%Y?.??.{V 0210 : d0 cb 3c 1a ba c9 c6 0f 50 5b 17 b6 fd 66 ed c3 .?<.??..P[..?f?? 0220 : 32 29 9b cd bb fd a4 9a 5a c1 67 48 2e 61 fa a6 2).?.?..Z?gH.a?? 0230 : 48 1d ef 63 3c 97 38 6e a5 48 4c d8 e1 fe ec ec H.?c<.8n.HL.?.?? 0240 : ce 49 5a 86 54 43 ff 40 f2 8e 4c 26 35 d8 a3 19 ?IZ.TC?@?.L&5... 0250 : c6 e1 b9 6e ac 45 17 1d 37 32 85 18 d0 e3 41 d8 .?.n.E..72...?A. 0260 : c3 21 7b 67 e7 4f 37 64 f8 a9 02 03 01 00 01 a3 ?!{g?O7d........ 0270 : 81 a6 30 81 a3 30 1d 06 03 55 1d 25 04 16 30 14 .?0..0...U.%..0. 0280 : 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 ..+.........+... 0290 : 05 07 03 02 30 40 06 03 55 1d 1f 04 39 30 37 30 ....0@..U...9070 02a0 : 35 a0 33 a0 31 86 2f 68 74 74 70 3a 2f 2f 63 72 5?3?1./http://cr 02b0 : 6c 2e 74 68 61 77 74 65 2e 63 6f 6d 2f 54 68 61 l.thawte.com/Tha 02c0 : 77 74 65 50 72 65 6d 69 75 6d 53 65 72 76 65 72 wtePremiumServer 02d0 : 43 41 2e 63 72 6c 30 32 06 08 2b 06 01 05 05 07 CA.crl02..+..... 02e0 : 01 01 04 26 30 24 30 22 06 08 2b 06 01 05 05 07 ...&0$0"..+..... 02f0 : 30 01 86 16 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 0...http://ocsp. 0300 : 74 68 61 77 74 65 2e 63 6f 6d 30 0c 06 03 55 1d thawte.com0...U. 0310 : 13 01 01 ff 04 02 30 00 30 0d 06 09 2a 86 48 86 ...?..0.0...*.H. 0320 : f7 0d 01 01 04 05 00 03 81 81 00 60 28 92 bc 07 ?..........`(... 0330 : 1f 96 76 d8 26 bd 10 59 8a 02 17 f3 a3 60 bc fc ..v.&..Y...?.`.. 0340 : 2a 4e b1 41 17 85 b3 b2 b0 4d db 43 d8 a4 f2 a9 *N.A....?M?C..?. 0350 : 7d 41 80 6d e7 fd ac 13 65 59 8c f3 81 6b 7c 0a }A.m??..eY.?.k|. 0360 : b7 17 0d 00 4e 71 f4 84 f5 d2 30 b1 98 34 4b 2c ?...Nq?.??0..4K, 0370 : b0 d0 0b 6d 85 e9 4d 6d 10 56 90 bd 36 b5 f3 5e ?..m.?Mm.V..6.?^ 0380 : ed 21 72 93 21 fc 90 d9 78 92 08 8b 6b b2 e9 0c ?!r.!..?x...k.?. 0390 : 5a 19 54 b9 1a c9 ed c2 59 72 44 d3 13 57 08 15 Z.T..???YrD?.W.. 03a0 : 1a 32 dd d9 53 23 85 76 d1 1c 0d 16 03 01 00 04 .2??S#.v?....... 03b0 : 0e 00 00 00 .... C : Plain Pre,aster Secret (correct version number, from Client Hello) 0000 : 03 02 93 99 39 68 bc 45 f3 a0 d9 1e cd d5 bc 51 ....9h.E???.??.Q 0010 : 6b 79 b4 c5 c9 98 52 44 c0 57 ba 60 67 b3 bb dd ky?.?.RD?W?`g..? 0020 : 05 56 e8 79 93 78 39 ba 44 27 7e 1d 07 46 6b 4d .V?y.x9?D'~..FkM Pettersen Expires December 18, 2006 [Page 22] Internet-Draft TLS interoperability June 2006 C : Sending 139 bytes (Client Key Exchange) 0000 : 16 03 01 00 86 10 00 00 82 00 80 17 2c 16 c7 3b ............,.?; 0010 : fc c9 29 da e1 21 37 c6 86 93 46 2c 94 1d b8 eb .?)??!7...F,..?? 0020 : 06 8a 78 05 80 af 60 5b 6b 73 fb c1 56 b4 8e 21 ..x..?`[ks??V?.! 0030 : 91 56 51 62 9d f0 b1 f6 28 45 5a 25 ab 7e 4e 1d .VQb....(EZ%.~N. 0040 : 2c 93 e4 01 f5 3e df d3 31 5b 3e b8 41 95 21 95 ,...?>.?1[>?A.!. 0050 : e5 c4 d0 5b 6f 12 36 eb c8 44 8f 16 cf a3 9a c8 ...[o.6??D..?..? 0060 : 8a 70 bc 60 b2 ca 1d d3 1b 8b d3 49 4f 0a 72 d7 .p.`.?.?..?IO.r? 0070 : ca 87 99 1b 73 4d 1b 32 bc ed 9a 6f 85 da f3 bd ?...sM.2.?.o.??. 0080 : c7 d5 a5 e4 e7 13 9d 9b a4 a3 27 ??..?.....' C : Sending 6 bytes (Cipher Change) 0000 : 14 03 01 00 01 01 ...... C : Plaintext 16 bytes (Finished) 0000 : 14 00 00 0c c4 be 77 0b e5 a1 c1 7c 17 e8 67 04 ......w..??|.?g. C : Sending 41 bytes (Encrypted Finished) 0000 : 16 03 01 00 24 ee 6c e2 94 6e 17 d0 7f 86 dd a0 ....$?l?.n....?? 0010 : 1b 09 18 4c 6b ed be 1e 22 38 a6 08 56 56 18 66 ...Lk?.."8?.VV.f 0020 : 31 bd 78 8d 7e c5 27 77 f0 1.x.~.'w. S : Received 7 bytes (Hanshake Failure Alert, 20) 0000 : 15 03 01 00 02 02 14 ....... A.6.2. Correct Premaster - Connection Success This example uses the same handshake parameters as Appendix A.6.1, but (incorrectly) uses the negotiated version in the RSA Client Key Exchange Premaster Secret, not the Client Hello version. C : Sending 82 bytes (Client Hello) 0000 : 16 03 01 00 4d 01 00 00 49 03 02 44 90 ba 62 c9 ....M...I..D.?b? 0010 : 90 f9 f6 58 77 e4 47 4d 54 68 d0 34 2d 58 01 58 .?.Xw.GMTh.4-X.X 0020 : 58 75 9d 2d a9 7f 7f b0 31 79 2c 00 00 22 00 39 Xu.-...?1y,..".9 0030 : 00 38 00 37 00 36 00 35 00 33 00 32 00 31 00 30 .8.7.6.5.3.2.1.0 0040 : 00 2f 00 05 00 04 00 13 00 0d 00 16 00 10 00 0a ./.............. 0050 : 01 00 .. S : Received 948 bytes (Server hello, Certificate, Hello Done) 0000 : 16 03 01 00 4a 02 00 00 46 03 01 44 90 b9 ca c7 ....J...F..D..?? 0010 : e2 39 41 9b 19 83 f1 da 9f 28 19 44 4b 1e aa 60 ?9A...??.(.DK.?` 0020 : 16 8b d4 e5 a3 76 22 44 3f 99 12 20 2a c7 7a ed ..?..v"D... *?z? 0030 : b1 22 97 0f 50 4d ee b1 a7 78 10 8c 59 aa bf 16 ."..PM?..x..Y??. 0040 : a5 19 75 bc f8 b1 6a eb 68 f6 0f 3d 00 05 00 16 ..u...j?h..=.... 0050 : 03 01 03 57 0b 00 03 53 00 03 50 00 03 4d 30 82 ...W...S..P..M0. 0060 : 03 49 30 82 02 b2 a0 03 02 01 02 02 03 3f 84 41 .I0...?........A 0070 : 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0...*.H.?......0 Pettersen Expires December 18, 2006 [Page 23] Internet-Draft TLS interoperability June 2006 0080 : 81 ce 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 .?1.0...U....ZA1 0090 : 15 30 13 06 03 55 04 08 13 0c 57 65 73 74 65 72 .0...U....Wester 00a0 : 6e 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 n Cape1.0...U... 00b0 : 09 43 61 70 65 20 54 6f 77 6e 31 1d 30 1b 06 03 .Cape Town1.0... 00c0 : 55 04 0a 13 14 54 68 61 77 74 65 20 43 6f 6e 73 U....Thawte Cons 00d0 : 75 6c 74 69 6e 67 20 63 63 31 28 30 26 06 03 55 ulting cc1(0&..U 00e0 : 04 0b 13 1f 43 65 72 74 69 66 69 63 61 74 69 6f ....Certificatio 00f0 : 6e 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 n Services Divis 0100 : 69 6f 6e 31 21 30 1f 06 03 55 04 03 13 18 54 68 ion1!0...U....Th 0110 : 61 77 74 65 20 50 72 65 6d 69 75 6d 20 53 65 72 awte Premium Ser 0120 : 76 65 72 20 43 41 31 28 30 26 06 09 2a 86 48 86 ver CA1(0&..*.H. 0130 : f7 0d 01 09 01 16 19 70 72 65 6d 69 75 6d 2d 73 ?......premium-s 0140 : 65 72 76 65 72 40 74 68 61 77 74 65 2e 63 6f 6d erver@thawte.com 0150 : 30 1e 17 0d 30 35 30 36 32 31 31 31 30 37 33 39 0...050621110739 0160 : 5a 17 0d 30 36 30 36 32 31 31 31 30 37 33 39 5a Z..060621110739Z 0170 : 30 5b 31 0b 30 09 06 03 55 04 06 13 02 4e 4f 31 0[1.0...U....NO1 0180 : 0d 30 0b 06 03 55 04 08 13 04 4f 73 6c 6f 31 0d .0...U....Oslo1. 0190 : 30 0b 06 03 55 04 07 13 04 4f 73 6c 6f 31 14 30 0...U....Oslo1.0 01a0 : 12 06 03 55 04 0a 13 0b 47 4f 54 4f 47 41 54 45 ...U....GOTOGATE 01b0 : 20 41 53 31 18 30 16 06 03 55 04 03 13 0f 77 77 AS1.0...U....ww 01c0 : 77 2e 67 6f 74 6f 67 61 74 65 2e 6e 6f 30 81 9f w.gotogate.no0.. 01d0 : 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 0...*.H.?....... 01e0 : 81 8d 00 30 81 89 02 81 81 00 ca e1 b4 e6 2a cb ...0......???.*? 01f0 : 27 c0 d3 17 d0 f8 8b 91 62 f9 97 84 86 b5 9e 0b '??.....b?...... 0200 : 1d df 97 b1 ce 7e 12 25 59 f2 80 d2 bf 8e 7b 56 ....?~.%Y?.??.{V 0210 : d0 cb 3c 1a ba c9 c6 0f 50 5b 17 b6 fd 66 ed c3 .?<.??..P[..?f?? 0220 : 32 29 9b cd bb fd a4 9a 5a c1 67 48 2e 61 fa a6 2).?.?..Z?gH.a?? 0230 : 48 1d ef 63 3c 97 38 6e a5 48 4c d8 e1 fe ec ec H.?c<.8n.HL.?.?? 0240 : ce 49 5a 86 54 43 ff 40 f2 8e 4c 26 35 d8 a3 19 ?IZ.TC?@?.L&5... 0250 : c6 e1 b9 6e ac 45 17 1d 37 32 85 18 d0 e3 41 d8 .?.n.E..72...?A. 0260 : c3 21 7b 67 e7 4f 37 64 f8 a9 02 03 01 00 01 a3 ?!{g?O7d........ 0270 : 81 a6 30 81 a3 30 1d 06 03 55 1d 25 04 16 30 14 .?0..0...U.%..0. 0280 : 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 ..+.........+... 0290 : 05 07 03 02 30 40 06 03 55 1d 1f 04 39 30 37 30 ....0@..U...9070 02a0 : 35 a0 33 a0 31 86 2f 68 74 74 70 3a 2f 2f 63 72 5?3?1./http://cr 02b0 : 6c 2e 74 68 61 77 74 65 2e 63 6f 6d 2f 54 68 61 l.thawte.com/Tha 02c0 : 77 74 65 50 72 65 6d 69 75 6d 53 65 72 76 65 72 wtePremiumServer 02d0 : 43 41 2e 63 72 6c 30 32 06 08 2b 06 01 05 05 07 CA.crl02..+..... 02e0 : 01 01 04 26 30 24 30 22 06 08 2b 06 01 05 05 07 ...&0$0"..+..... 02f0 : 30 01 86 16 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 0...http://ocsp. 0300 : 74 68 61 77 74 65 2e 63 6f 6d 30 0c 06 03 55 1d thawte.com0...U. 0310 : 13 01 01 ff 04 02 30 00 30 0d 06 09 2a 86 48 86 ...?..0.0...*.H. 0320 : f7 0d 01 01 04 05 00 03 81 81 00 60 28 92 bc 07 ?..........`(... 0330 : 1f 96 76 d8 26 bd 10 59 8a 02 17 f3 a3 60 bc fc ..v.&..Y...?.`.. 0340 : 2a 4e b1 41 17 85 b3 b2 b0 4d db 43 d8 a4 f2 a9 *N.A....?M?C..?. 0350 : 7d 41 80 6d e7 fd ac 13 65 59 8c f3 81 6b 7c 0a }A.m??..eY.?.k|. 0360 : b7 17 0d 00 4e 71 f4 84 f5 d2 30 b1 98 34 4b 2c ?...Nq?.??0..4K, 0370 : b0 d0 0b 6d 85 e9 4d 6d 10 56 90 bd 36 b5 f3 5e ?..m.?Mm.V..6.?^ Pettersen Expires December 18, 2006 [Page 24] Internet-Draft TLS interoperability June 2006 0380 : ed 21 72 93 21 fc 90 d9 78 92 08 8b 6b b2 e9 0c ?!r.!..?x...k.?. 0390 : 5a 19 54 b9 1a c9 ed c2 59 72 44 d3 13 57 08 15 Z.T..???YrD?.W.. 03a0 : 1a 32 dd d9 53 23 85 76 d1 1c 0d 16 03 01 00 04 .2??S#.v?....... 03b0 : 0e 00 00 00 .... C : Plain Premaster Secret (Wrong version number, negotiated version) 0000 : 03 01 9d 41 00 f3 76 57 07 9b 68 f9 d2 2d 5e 49 ...A.?vW..h??-^I 0010 : 9f 09 20 02 f6 b2 bf a2 c5 cb c7 6c 0f 2f 0c e2 .. ...?..??l./.? 0020 : 95 92 27 2d a3 0b 9f 33 cc 17 5b 28 72 1b 12 42 ..'-...3?.[(r..B C : Sending 139 bytes (Client Key Exchange) 0000 : 16 03 01 00 86 10 00 00 82 00 80 1c b1 e5 ca 77 ..............?w 0010 : 7f 30 81 80 70 1d 5f 39 26 5b d7 c4 5e db 46 73 .0..p._9&[?.^?Fs 0020 : be 48 1a eb 92 fa 95 cd dc 23 f4 2a fe 7c 25 7f .H.?.?.?.#?*.|%. 0030 : 0d d4 22 1f 48 f6 77 c2 a2 e4 53 49 ea f8 bf c4 .?".H.w?..SI?.?. 0040 : cf 34 12 98 46 93 d9 e2 b3 bc 10 f8 f3 c0 16 6e ?4..F.??....??.n 0050 : 18 40 f7 8d c0 27 11 1f 04 30 f5 9b cd 42 c8 e5 .@?.?'...0?.?B?. 0060 : 1a e1 de 58 90 e6 b2 90 d4 89 19 ec bc 6b 29 cb .?.X....?..?.k)? 0070 : 4d 62 01 38 26 ae 15 1c f5 21 13 b6 99 33 86 01 Mb.8&...?!...3.. 0080 : 66 1b a3 10 e2 1d 72 c2 10 7e 64 f...?.r?.~d C : Sending 6 bytes (Cipher Change) 0000 : 14 03 01 00 01 01 ...... C : Plain Finished 0000 : 14 00 00 0c e8 e7 48 a2 d4 6e 0f a0 70 bf 3e 05 ....??H.?n.?p?>. C : Sending 41 bytes (Encrypted Finished) 0000 : 16 03 01 00 24 6f 2f 39 d4 7d 78 84 89 15 c8 92 ....$o/9?}x...?. 0010 : bc de af 63 c9 53 2e c6 d6 27 01 5d 3c 96 00 1a ..?c?S...'.]<... 0020 : ca e0 66 11 43 55 4e 2a ab ??f.CUN*. S : Received 47 bytes (Cipher Change, Encrypted Finished) 0000 : 14 03 01 00 01 01 16 03 01 00 24 e7 6f 04 fc c8 ..........$?o..? 0010 : 9b c3 62 ae 27 bc cc 1a a0 01 f0 16 f3 7a cf cd .?b.'.?.?...?z?? 0020 : f7 8c db 16 60 4a a3 7b 3e c2 66 ad ef c6 f8 ?.?.`J.{>?f??.. S : Plaintext 16 bytes (Plaintext Finished) 0000 : 14 00 00 0c be 82 73 55 1b 12 ce 7c 25 02 4c af ......sU..?|%.L? Pettersen Expires December 18, 2006 [Page 25] Internet-Draft TLS interoperability June 2006 Author's Address Yngve N. Pettersen Opera Software ASA Email: yngve@opera.com Pettersen Expires December 18, 2006 [Page 26] Internet-Draft TLS interoperability June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Pettersen Expires December 18, 2006 [Page 27]