Version 39 (modified by 6 years ago) (diff) | ,
---|
Meek is a transport that uses HTTP for carrying bytes and TLS for obfuscation. Traffic is relayed through a third-party server (Google App Engine). It uses a trick to talk to the third party so that it looks like it is talking to an unblocked server.
- [tor-dev] A simple HTTP transport and big ideas
https://lists.torproject.org/pipermail/tor-dev/2014-January/006159.html - Experimental bundles (#10935):
https://people.torproject.org/~dcf/pt-bundle/3.5.2.1-meek-1/
https://lists.torproject.org/pipermail/tor-qa/2014-February/000340.html
Quick start
To get a prebuilt complete bundle:
To build from source:
git clone https://git.torproject.org/pluggable-transports/meek.git cd meek/meek-client export GOPATH=~/go go get go build tor -f torrc
Overview
meek sends traffic through a custom web app on Google App Engine. meek works in places where Google search (www.google.com) is unblocked, even though App Engine itself (appspot.com) may be blocked. The meek-client program builds a special HTTPS request and sends it to the Google frontend server--the server that dispatches requests to different Google services, like search, Google Drive, and App Engine. What's special about the HTTPS request is that from the outside it appears to be destined for www.google.com, so it is allowed by the censor. But under the encryption layer, the Host header is actually for meek-reflect.appspot.com, so the frontend server knows to forward the request to App Engine and the web app that we run. The web app in turn forwards the traffic to a Tor bridge, where the meek-server program decodes it and feeds it to Tor.
Here's what's happening at a byte level. When meek-client receives a SOCKS request from the Tor client, it generates a random session id string. meek-client makes an HTTP POST to https://meek-reflect.appspot.com/, which is a special web app set up for this transport. The request looks something like this:
POST / HTTP/1.1 Host: meek-reflect.appspot.com X-Session-Id: x5ej2h96frvLXeqgKNjIyRDRJidU8RMIeRPDzvLVG+E= Content-Type: application/octet-stream Content-Length: 100 <data payload follows>
Normally a censor would be able to search for the string meek-reflect.appspot.com
and block the connection. But the HTTP request is encrypted inside HTTPS, and the IP address and SNI of the HTTPS connection are those of www.google.com. The censor sees a DNS request, but it is for www.google.com, not appspot.com.
The web app running at meek-reflect.appspot.com is very simple: it just copies the POST request it receives, and makes an identical request to a meek-server running on a Tor relay. There is a meek-server instance running at http://meek.bamsoftware.com:7002/. The request from App Engine to meek-server looks like:
POST / HTTP/1.1 Host: meek.bamsoftware.com:7002 X-Session-Id: x5ej2h96frvLXeqgKNjIyRDRJidU8RMIeRPDzvLVG+E= Content-Type: application/octet-stream Content-Length: 100 <data payload follows>
When meek-server receives this request, it reads the session id string x5ej2h96frvLXeqgKNjIyRDRJidU8RMIeRPDzvLVG+E=
and checks if it has an existing session (i.e., ORPort connection) by that name. If it does, it copies the data payload to the ORPort. Otherwise, it creates a new ORPort connection, and copies the data payload to it. In any case, it then tries to read from the ORPort, and sends an HTTP response back to App Engine with any data from the Tor relay:
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 200 <data payload follows>
The web app at meek-reflect.appspot.com simply copies the HTTP response and sends it back to the client:
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 200 <data payload follows>
When meek-client finally receives this response, it writes the data payload back to its SOCKS port. The process then repeats: the client tries to read from its SOCKS port, it makes a request to App Engine, App Engine copies request to meek-server, meek-server writes to and reads from the ORPort, meek-server sends a response, App Engine copies the response to meek-client, and meek-client writes the response body to the SOCKS port.
There is no way for the server to push data to the client. It has to wait for a request in order to send its data in the response. For this reason, the client polls the server, making a request periodically even if it has nothing to send. The polling starts out frequent and backs off exponentially while the server has nothing to say. The polling interval resets to the minimum every time the server sends some data.
Other clients operating simultaneously will use different session id strings, so the server can tell them apart. Stale session ids that have not had any traffic in a while are closed and forgotten.
Things to do
Build a PHP middle relay that can be used in the place of App Engine. (Easy and fun.) (#10984)
Make the TLS signature closer to that of a browser; see #Distinguishability. (May need a client rewrite.)
Pin Google's public key like flashproxy-reg-appspot does. Decide what to do if the user asked to use a server other than Google's. (May need a client rewrite.)
General notes about App Engine
Quotas for unpaid apps:
You can pay to get higher quotas:
There is also a higher "premier" level of service that comes with support:
Paying for more bandwidth on a public proxy server would be nice in that users wouldn't have to set up their own instance, and we could hardcode the server inside a browser bundle. (It would be nice to know the cost per gigabyte of running App Engine and, say, an ordinary Tor relay.)
An idea to reduce overhead and eliminate polling is to use HTTP as a long-lived bidirectional channel, sending upstream data in a POST body and receiving data in the response body simultaneously. (That is, you send a POST with no Content-Length, the server reads your header and forwards the request to the relay, the server writes back a header, and after that you use the connection as an ordinary socket, with upstream and downstream data interleaved.) An implementation of this idea is at https://www.bamsoftware.com/git/meeker.git. The idea doesn't work with App Engine, for two reasons. 1) requests must be handled within 60 seconds, and 2) App Engine doesn't support streaming requests of this kind:
"App Engine calls the handler with a Request and a ResponseWriter, then waits for the handler to write to the ResponseWriter and return. When the handler returns, the data in the ResponseWriter's internal buffer is sent to the user. This is practically the same as when writing normal Go programs that use the http package. The one notable difference is that App Engine does not support streaming data in response to a single request."
App Engine doesn't even call your web app code until it has consumed the entire request body, and doesn't start flushing the response body until you close the output stream.
Using nginx instead of Google App Engine/PHP/etc
Any web server that serves a site over https using nginx can act as a reflector just by editing the config.
Requirements:
- A web server running a sufficiently recent version of nginx serving a site over SSL/TLS.
nginx -V
needs to displayTLS SNI support enabled
- A valid certificate signed by a "real" CA. Currently meek-client does not have a way to accept self-signed certificates or easily add CA certs to the trusted list.
Config:
# The configuration for the normal HTTPS server server { # Set default_server so that real content gets served by default # listen 443 default_server; listen [::]:443 default_server; server_name www.example.com; # Boilerplate for SSL, adjust as appropriate. ssl on; ssl_certificate /etc/ssl/nginx/example.com.crt; ssl_certificate_key /etc/ssl/nginx/example.com.key; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers !RC4:HIGH:!MD5:!aNULL:!DH; ssl_prefer_server_ciphers on; # Blah blah blah, normal site specific config root /usr/share/nginx/www; index index.html index.htm; location / { index index.html; } } # Configuration for the reflector server { # listen 443; listen [::]:443; # This does not need to be a real name, but it MUST be distinct from # the host used for real content. server_name meek-reflect.example.com; # Boilerplate for SSL/TLS (copy/paste from the other server block) ssl on; ssl_certificate /etc/ssl/nginx/example.com.crt; ssl_certificate_key /etc/ssl/nginx/example.com.key; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers !RC4:HIGH:!MD5:!aNULL:!DH; ssl_prefer_server_ciphers on; # This is where the magic happens location / { # Proxy traffic all traffic received with the SNI host to # a meek-server instance. proxy_pass http://meek.bamsoftware.com:7002; # Disable logging for the reflector. access_log off; error_log /dev/null; } }
ClientTransportPlugin Line:
ClientTransportPlugin meek exec ./meek-client \ --url=https://meek-reflect.example.com \ --front=www.example.com \ --log meek-client.log
Ideas
Instead of sending TLS with a front SNI, think about sending TLS with no SNI at all. (It might look like a really old browser or a non-browser daemon or something.) Then the censor doesn't have an SNI to match on, and has the choice of blocking an entire IP address (which may virtually host many domains) instead of a single SNI. This idea could be useful in deployment with a CDN, which though it may have thousands of domains, is blockable if we choose just one of those domains as a front.
The App Engine Channel API provides a way to have long-lived push connections to the client, subject to a restricted interface. (HTTP handlers are otherwise required to finish within 60 seconds.) The client could use HTTP request bodies to send data, and a channel to receive, and remove the need for polling. It would require us to reimplement the client JavaScript channel API in order to make use of the particular Comet-based protocol.
Paid apps can create outbound sockets. I don't think it helps us because then the web app would be responsible for managing the session id mapping.
GoAgent is similar in that it also uses App Engine as a middleman.
Distinguishability
Barriers to indistinguishability
- TLS ciphersuites
Look like a browser. #4744 has the story of when tor changed its ciphersuite list to look like Firefox's in 2012. tor's list of ciphers is in src/common/ciphers.inc. - TLS extensions
Look like a browser. - Packet lengths
Do something to break up fixed-length cells. - Interpacket times
- Upstream/downstream bandwidth ratio
- Polling interval
When we have nothing to send, we start polling at 100 ms, and increase the interval by 50% every time no data is received, up to a maximum of 5 s. The growth pattern and the fixed cap is detectable.
Here's what the fixed polling of 5 s looks like in the GNOME system monitor:
- Maximum payload lengths
Payloads are limited to 65536 bytes. During bootstrapping and bulk downloads, a lot of bodies have exactly this size. - Behavior on random drops
Suppose the censor drops every hundredth connection to https://www.google.com/. Normal web users will just refresh; meek's stream will be broken.
Working in our advantage is that we are likely to be transporting web traffic, so we inherit some of its traffic characteristics.
How to look like browser HTTPS
Some alternatives:
- Use your own HTTPS/TLS library, and take care to make sure your ciphersuites and extensions match those of a browser. There are Python bindings for NSS that might make it easier. Chromium is moving to OpenSSL in the future.
- Use a separate (headless) browser as an instrument for making HTTPS requests. This is what htpt plans to do.
PhantomJS is a headless WebKit that is scriptable with JavaScript. Its compressed size is 7–13 MB. This postserver.js example shows it running its own web server, which we could use as a means of communication:
meek-client on localhost ←HTTP→ PhantomJS on localhost ←HTTPS→ www.google.com.
MozRepl (addons.mozilla.org) gives you a JavaScript REPL that allows you to control the browser. It looks like the in-browser JavaScript console, except accessible from outside. Firefox Puppeteer is a fork of MozRepl that is designed for machine-driven browser interaction. Another option is to write an extension for some other browser and communicate with it using some custom IPC.
- Use an extension in Tor Browser itself. The plugin bypasses Tor Browser's normal proxy settings in order to issue HTTPS requests directly to the front domain.
- [tor-dev] Feasibility of using a Tor Browser plugin as a PT component?
https://lists.torproject.org/pipermail/tor-dev/2014-February/006266.html
- How to connect to a remote server using nsISocketTransportService in a firefox extension?
- WeaponryRawHttpRequest.js is doing what we want.
- David: nsISocketTransportService with
socketTransportService.createTransport(["ssl"], 1, "www.google.com", 443, null)
doesn't set the next_protocol_negotiation extension. I'm trying nsIHttpProtocolHandler instead.
#11183 is the progress of a browser extension. - [tor-dev] Feasibility of using a Tor Browser plugin as a PT component?
Building PhantomJS 1.9.7 took about 22 minutes on a four-core laptop.
real 21m59.728s user 78m47.316s sys 3m27.616s
Sample client hellos
tshark -V -2 -R ssl.handshake.ciphersuites -r file.pcap
Client Hello of meek-client f748701c (2014-02-08).
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 135 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 131 Version: TLS 1.2 (0x0303) Random gmt_unix_time: Feb 12, 2014 02:01:40.000000000 PST random_bytes: 38e06b8022577f5b08d7a35b8aae7a8c9813ba6498e86a6e... Session ID Length: 0 Cipher Suites Length: 26 Cipher Suites (13 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 64 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: status_request Type: status_request (0x0005) Length: 5 Data (5 bytes) Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 10 Data (10 bytes)
Client Hello of Chrome 33.0.1750.152 Mac OS X 10.9.2 (03/31/2014)
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 210 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 206 Version: TLS 1.2 (0x0303) Random gmt_unix_time: Mar 31, 2014 15:48:20.000000000 PDT random_bytes: 8d22d1664a1f3591910fb11c1b7445114039184a6f1c24e2... Session ID Length: 0 Cipher Suites Length: 40 Cipher Suites (20 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: Unknown (0xcc14) Cipher Suite: Unknown (0xcc13) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 125 Extension: server_name Type: server_name (0x0000) Length: 20 Server Name Indication extension Server Name list length: 18 Server Name Type: host_name (0) Server Name length: 15 Server Name: ssl.gstatic.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0 Extension: Unknown 16 Type: Unknown (0x0010) Length: 27 Data (27 bytes) Extension: Unknown 30032 Type: Unknown (0x7550) Length: 0 Data (0 bytes) Extension: status_request Type: status_request (0x0005) Length: 5 Data (5 bytes) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 18 Data (18 bytes) Extension: Unknown 18 Type: Unknown (0x0012) Length: 0 Data (0 bytes)
Client Hello of Chromium 31.0.1650.63 Debian jessie/sid (238485).
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 208 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 204 Version: TLS 1.2 (0x0303) Random gmt_unix_time: Feb 12, 2014 02:16:29.000000000 PST random_bytes: b05b2298a9015323e39cab49d1874c8aa608bcec1fb0a280... Session ID Length: 0 Cipher Suites Length: 36 Cipher Suites (18 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 127 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0 Extension: Unknown 16 Type: Unknown (0x0010) Length: 34 Data (34 bytes) Extension: Unknown 30031 Type: Unknown (0x754f) Length: 0 Data (0 bytes) Extension: status_request Type: status_request (0x0005) Length: 5 Data (5 bytes) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 18 Data (18 bytes)
Client Hello of GoAgent 3.1.5 6287469afd (02-28-2014) Note that no server_name extension is sent. The ciphersuite list is defined here, but it doesn't seem to be used unless the obfuscate option is set. If obfuscate is set, it randomly throws out half the ciphers in expectation. Weird stuff: TLSv1.1 (most everything else is either TLSv1.0 or TLSv1.2), large list of supported elliptic curves.
Secure Sockets Layer TLSv1.1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 204 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 200 Version: TLS 1.1 (0x0302) Random gmt_unix_time: Feb 28, 2014 14:53:49.000000000 PST random_bytes: 27d18a6b51e061e610fb8455c9e531c4f18b783533ac2fcb... Session ID Length: 0 Cipher Suites Length: 86 Cipher Suites (43 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c) Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a) Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 73 Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 52 Elliptic Curves Length: 50 Elliptic curves (25 curves) Elliptic curve: sect571r1 (0x000e) Elliptic curve: sect571k1 (0x000d) Elliptic curve: secp521r1 (0x0019) Elliptic curve: sect409k1 (0x000b) Elliptic curve: sect409r1 (0x000c) Elliptic curve: secp384r1 (0x0018) Elliptic curve: sect283k1 (0x0009) Elliptic curve: sect283r1 (0x000a) Elliptic curve: secp256k1 (0x0016) Elliptic curve: secp256r1 (0x0017) Elliptic curve: sect239k1 (0x0008) Elliptic curve: sect233k1 (0x0006) Elliptic curve: sect233r1 (0x0007) Elliptic curve: secp224k1 (0x0014) Elliptic curve: secp224r1 (0x0015) Elliptic curve: sect193r1 (0x0004) Elliptic curve: sect193r2 (0x0005) Elliptic curve: secp192k1 (0x0012) Elliptic curve: secp192r1 (0x0013) Elliptic curve: sect163k1 (0x0001) Elliptic curve: sect163r1 (0x0002) Elliptic curve: sect163r2 (0x0003) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: Heartbeat Type: Heartbeat (0x000f) Length: 1 Mode: Peer allowed to send requests (1)
Client Hello of flashproxy-reg-appspot 1.6 (02-20-2014). flashproxy-reg-url uses httplib and OpenSSL through M2Crypto.
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 216 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 212 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Nov 16, 1982 02:42:09.000000000 PST random_bytes: dbd19e8d5a33d8a7f9efa1479e323d252c14ba4154685041... Session ID Length: 0 Cipher Suites Length: 98 Cipher Suites (49 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) Cipher Suite: TLS_SRP_SHA_WITH_AES_256_CBC_SHA (0xc020) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c) Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) Cipher Suite: TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA (0xc01a) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a) Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) Cipher Suite: TLS_SRP_SHA_WITH_AES_128_CBC_SHA (0xc01d) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 73 Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 52 Elliptic Curves Length: 50 Elliptic curves (25 curves) Elliptic curve: sect571r1 (0x000e) Elliptic curve: sect571k1 (0x000d) Elliptic curve: secp521r1 (0x0019) Elliptic curve: sect409k1 (0x000b) Elliptic curve: sect409r1 (0x000c) Elliptic curve: secp384r1 (0x0018) Elliptic curve: sect283k1 (0x0009) Elliptic curve: sect283r1 (0x000a) Elliptic curve: secp256k1 (0x0016) Elliptic curve: secp256r1 (0x0017) Elliptic curve: sect239k1 (0x0008) Elliptic curve: sect233k1 (0x0006) Elliptic curve: sect233r1 (0x0007) Elliptic curve: secp224k1 (0x0014) Elliptic curve: secp224r1 (0x0015) Elliptic curve: sect193r1 (0x0004) Elliptic curve: sect193r2 (0x0005) Elliptic curve: secp192k1 (0x0012) Elliptic curve: secp192r1 (0x0013) Elliptic curve: sect163k1 (0x0001) Elliptic curve: sect163r1 (0x0002) Elliptic curve: sect163r2 (0x0003) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: Heartbeat Type: Heartbeat (0x000f) Length: 1 Mode: Peer allowed to send requests (1)
Client Hello of Iceweasel 24.4.0.
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 169 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 165 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Jul 12, 2089 08:23:06.000000000 PDT random_bytes: f0b149a04ac4a554c5bda57030b17342cc1c0ab59c925cc8.. . Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 54 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0
Client Hello of PhantomJS 1.9.7. Looks like OpenSSL, not NSS? SSLv3.0 without extensions.
var page = require('webpage').create(); page.open("https://meek-reflect.appspot.com", function(status) { console.log("status", status); });
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: SSL 3.0 (0x0300) Length: 145 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 141 Version: SSL 3.0 (0x0300) Random gmt_unix_time: Dec 21, 2024 05:29:48.000000000 PST random_bytes: 2ba97418e27010f24be013ec578b00f1c805895bf42e1e4f... Session ID Length: 0 Cipher Suites Length: 102 Cipher Suites (51 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c) Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a) Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015) Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012) Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009) Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014) Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011) Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006) Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0)
Client Hello of PhantomJS 1.9.7 using TLSv1.0. You can get TLSv1.0 by running the command phantomjs --ssl-protocol=TLSv1
.
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 253 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 249 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Nov 22, 2001 03:52:58.000000000 PST random_bytes: 2f5a801b22f51ef9290a504793258c9c25b83406ff1a84f9... Session ID Length: 0 Cipher Suites Length: 102 Cipher Suites (51 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c) Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a) Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015) Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012) Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009) Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014) Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011) Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006) Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 106 Extension: server_name Type: server_name (0x0000) Length: 29 Server Name Indication extension Server Name list length: 27 Server Name Type: host_name (0) Server Name length: 24 Server Name: meek-reflect.appspot.com Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 52 Elliptic Curves Length: 50 Elliptic curves (25 curves) Elliptic curve: sect571r1 (0x000e) Elliptic curve: sect571k1 (0x000d) Elliptic curve: secp521r1 (0x0019) Elliptic curve: sect409k1 (0x000b) Elliptic curve: sect409r1 (0x000c) Elliptic curve: secp384r1 (0x0018) Elliptic curve: sect283k1 (0x0009) Elliptic curve: sect283r1 (0x000a) Elliptic curve: secp256k1 (0x0016) Elliptic curve: secp256r1 (0x0017) Elliptic curve: sect239k1 (0x0008) Elliptic curve: sect233k1 (0x0006) Elliptic curve: sect233r1 (0x0007) Elliptic curve: secp224k1 (0x0014) Elliptic curve: secp224r1 (0x0015) Elliptic curve: sect193r1 (0x0004) Elliptic curve: sect193r2 (0x0005) Elliptic curve: secp192k1 (0x0012) Elliptic curve: secp192r1 (0x0013) Elliptic curve: sect163k1 (0x0001) Elliptic curve: sect163r1 (0x0002) Elliptic curve: sect163r2 (0x0003) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: Heartbeat Type: Heartbeat (0x000f) Length: 1 Mode: Peer allowed to send requests (1)
Client Hello of TBB 3.5.2.1 (Firefox 24.3.0).
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 170 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 166 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Nov 25, 2028 15:12:53.000000000 MST random_bytes: f09127b7fbd7a63fe2fbd8a60e88d0f2fa2b89589f1ce5e6... Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 55 Extension: server_name Type: server_name (0x0000) Length: 24 Server Name Indication extension Server Name list length: 22 Server Name Type: host_name (0) Server Name length: 19 Server Name: www.bamsoftware.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0
Client Hello of meek-http-helper in Iceweasel 24.3.0.
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 169 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 165 Version: TLS 1.0 (0x0301) Random gmt_unix_time: May 27, 2061 01:46:52.000000000 PDT random_bytes: ab15e9cd99c4af9f3ebf9c2378be903cfa173fb51de1da86... Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 54 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0
Client Hello of meek-http-helper running in TB 3.5.2.1 with attachment:Don-t-prohibit-name-lookups-with-socks_remote_dns-tr.patch:ticket:11183. Seems to differ from Iceweasel only in the "SessionTicket TLS" extension (see #4099).
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 165 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 161 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Nov 7, 1995 12:33:44.000000000 PST random_bytes: c351acb9c15b317264f0a8decfa8ac8f88cbf99ca99f192b... Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 50 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0
Client hello of Tor Browser 3.5.2.1-meek-4, which uses a separate browser instance to run the extension as suggested in comment:12:ticket:11183. It matches Iceweasel 24. The only difference is in the client randomness.
Length: 165 Version: TLS 1.0 (0x0301) Random - gmt_unix_time: Jul 12, 2089 08:23:06.000000000 PDT - random_bytes: f0b149a04ac4a554c5bda57030b17342cc1c0ab59c925cc8... + gmt_unix_time: Oct 23, 2081 13:09:42.000000000 PDT + random_bytes: 1608e4e50bbc5fb188ab87211ce29f35622d117a4829ebb2... Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites)
Secure Sockets Layer SSL Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 169 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 165 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Oct 23, 2081 13:09:42.000000000 PDT random_bytes: 1608e4e50bbc5fb188ab87211ce29f35622d117a4829ebb2... Session ID Length: 0 Cipher Suites Length: 70 Cipher Suites (35 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 54 Extension: server_name Type: server_name (0x0000) Length: 19 Server Name Indication extension Server Name list length: 17 Server Name Type: host_name (0) Server Name length: 14 Server Name: www.google.com Extension: renegotiation_info Type: renegotiation_info (0xff01) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 8 Elliptic Curves Length: 6 Elliptic curves (3 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: SessionTicket TLS Type: SessionTicket TLS (0x0023) Length: 0 Data (0 bytes) Extension: next_protocol_negotiation Type: next_protocol_negotiation (0x3374) Length: 0
Tickets
- #10935
- Make bundles featuring meek
- #10984
- PHP relay for meek
- #11183
- Make an HTTP requestor Firefox extension for meek-client
- #11184
- Create meek repo
- #11393
- Make an HTTP requestor Chrome extension for meek-client
- #11490
- Include meek in userstats-bridge-transport
- #12776
- Move meek's URL and front configuration into bridge_prefs.js
- #13106
- Upgrade meek to 0.11
- #13247
- meek profile error after browser restarts (e.g., after update or add-on installation)
- #13586
- Use security.ssl.disable_session_identifiers pref in meek-http-helper to restore TLS session tickets
- #14033
- Upgrade meek to 0.15
- #15428
- Upgrade meek to 0.16
- #15606
- Upgrade meek to 0.17
- #15872
- Meek doesn't start in Tor Browser 4.5 on Windows 7
- #15902
- Upgrade meek to 0.18
- #16014
- Windows: staged update fails if Meek is enabled
- #16281
- Updating to 4.5.1 sets DisableNetwork
- #16634
- Use new CDN endpoint for meek-azure
- #16662
- Enable network.http.spdy.* prefs in meek-http-helper for a matching TLS fingerprint
- #17330
- Figure out what happens when a user's chosen transport is removed from bridge_prefs.js in an update
- #17473
- Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296
- #17476
- Error console complaining it can't find meek helper
- #18167
- Don't trust "bridge-ips" blindly for user number estimates
- #18517
- meek is broken in Tor Browser 6.0a3
- #18585
- Cannot specify custom meek bridges
- #18611
- Improve semantics for pluggable transports with dummy addresses
- #19487
- Meek and ReachableAddresses
- #19646
- Mac OS: wrong location for meek browser profile
- #19732
- "Tor circuit for this site" labels meek bridge as being in China
- #20250
- meek fails on macOS 10.12 when built with Go 1.4.3 or Go 1.6.3
- #20290
- Upgrade meek to 0.24
- #20495
- Unexplained drop in meek users, 2016-10-19 to 2016-11-10
- #20781
- Figure out how to sandbox meek in a sensible way.
- #21342
- Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge.
- #21732
- Stop the Meek Tor Browser opening links or documents on macOS
- #21918
- Move meek-amazon to the d2cly7j4zqgua7.cloudfront.net backend
- #22949
- Add some IP-HOST pair for meek use
- #24614
- update to a newer Meek tag
- #25529
- Tor not reading torrc-defaults when started from command line, while it reads it successfully when started from Tor Browser
- #26098
- remove meek-amazon from the Tor Browser
- #26891
- Problem running meek server without CDN, stuck at Performing bandwidth self-test...done
- #27723
- Obfs4 stopped working 16 Sept 18
- #29349
- Remove obsolete prefs from meek-http-helper-user.js
- #29430
- Use uTLS for meek TLS camouflage in Tor Browser
- #29611
- Work around lack of app.update.enabled pref in Firefox 63+
- #31149
- Tor is stuck at "Loading Network Status"
- #31464
- meek and moat are broken on macOS 10.9 with the switch to Go 1.12
- #31491
- clean up the old meek http helper browser profiles
- #31910
- replace meek_lite with meek in circuit display
- #32037
- Tor Browser 8.5.5 Encounters Javascript problem when attempting to use Meek-Azure bridges
Attachments (20)
-
meek-0.1-network-history.png (7.7 KB) - added by 6 years ago.
Screenshot of the GNOME system monitor showing the 5 s polling interval of meek 0.1.
- meek-diagram.jpg (202.3 KB) - added by 6 years ago.
-
Screen Shot 2014-06-05 at 8.46.34 pm.png (61.3 KB) - added by 6 years ago.
An example CloudFront reflector setup
-
meek-diagram.png (57.4 KB) - added by 5 years ago.
Redrawn diagram, no longer Google-specific.
-
conf-4.png (28.3 KB) - added by 5 years ago.
4.0-alpha-1 settings screen 4.
-
meek-diagram.svg (27.0 KB) - added by 5 years ago.
Inkscape SVG source of meek diagram.
-
domain-fronting.svg (10.9 KB) - added by 5 years ago.
Inkscape SVG source for domain-fronting diagram.
-
conf-1.2.png (29.0 KB) - added by 3 years ago.
6.0.3 settings screen 2.
-
meek-custom-front.png (20.4 KB) - added by 3 years ago.
Network Settings panel showing show to enter a custom front domain.
-
conf-2.png (38.1 KB) - added by 2 years ago.
7.0.5 settings screen 3
-
conf-3.png (34.2 KB) - added by 2 years ago.
7.0.5 settings screen 4
-
cloudfront-setup.png (294.7 KB) - added by 2 years ago.
Picture of CLoudFront configuration screen.
-
cloudfront-d2zfqthxsdq309-Usage-2017-11-01.csv (9.1 KB) - added by 2 years ago.
CSV of CloudFront usage on d2zfqthxsdq309 just before I shut it off today (https://lists.torproject.org/pipermail/tor-project/2017-November/001555.html).
-
cloudfront-d2zfqthxsdq309-Usage-2017-11-01.png (276.9 KB) - added by 2 years ago.
Graph of CloudFront usage on d2zfqthxsdq309 just before I shut it off today (https://lists.torproject.org/pipermail/tor-project/2017-November/001555.html).
-
tab-meek-costs.py (3.5 KB) - added by 22 months ago.
Program to generate table of monthly costs.
- meek-costs.csv (2.2 KB) - added by 22 months ago.
-
conf-0.png (16.1 KB) - added by 21 months ago.
Tor Browser 7.5.3 settings screen 1
-
conf-1.3.png (13.6 KB) - added by 21 months ago.
Tor Browser 7.5.3 settings screen 2
-
conf-1.png (13.6 KB) - added by 21 months ago.
Tor Browser 7.5.3 settings screen 2
- azure-setup.png (17.7 KB) - added by 20 months ago.
Download all attachments as: .zip