From a714aec91295c3929fdeefd2af0eb81d5a81ebf4 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 13 Jan 2020 16:01:27 +0100 Subject: [PATCH] Clarify / correct a few bits --- etc/client-simulation.wiresharked.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md index d35ac1d..77458e0 100644 --- a/etc/client-simulation.wiresharked.md +++ b/etc/client-simulation.wiresharked.md @@ -5,10 +5,10 @@ The whole process is done manually. ## Instructions how to add a client simulation: -* Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute. -* Make sure you create a bit of encrypted traffic to a target of your choice. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). -* Make sure the client traffic is specific: For just "Android" do not use a browser! -* Stop the recording. +* Start wireshark at a client or router. Best is during capture to filter for the target of your choice. +* Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI). +* Make sure the client traffic is specific: For just "Android" do not use a browser! Use the play store app e.g.. +* Stop recording. * If needed sort for ClientHello. * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. @@ -18,9 +18,9 @@ The whole process is done manually. * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle -* For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh -* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh -* Figure out the services by applying a good piece of logic +* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh` +* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh`` +* Figure out the services by applying a good piece of human logic * Before submitting a PR: test it yourself! You can also watch it again via wireshark