Using OpenSSL, we attempt to establish a TLS 1.3 connection with 216.58.196.174, corresponding to google.com. However, instead of specifying 'google.com' in the SNI, we specify a potentially blocked website '1337x.be' and an unblocked website 'facebook.com'.
openssl s_client -state -connect 216.58.196.174:443 -servername 1337x.be -tls1_3
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
CONNECTED(00000003)
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4177 bytes and written 312 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read:errno=0
SSL3 alert write:warning:close notify
openssl s_client -state -connect 216.58.196.174:443 -servername facebook.com -tls1_3
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4177 bytes and written 316 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Q
DONE
SSL3 alert write:warning:close notify

fortuna commented Nov 7, 2019

In "Reliance Jio is using SNI inspection to block websites", you say you receive a TCP RST right after the connection is established.

That must be after the ClientHello is sent, but is it before or after the ServerHello is received?

Your log suggests it's after the ServerHello, since you have the certificate. However, that's a behavior I've never seen before. Usually the censor resets the connection before the ServerHello is received. So I'm interested in making sure that's really the case.

Thanks for sharing the logs!

Owner Author

kush789 commented Nov 7, 2019

The TCP RST comes after the ServerHello.

I do agree with you, it is strange for the censor to adopt such behaviour. I don't think it has been documented before in any context.


gurshabad commented Nov 7, 2019

@fortuna As Kush said, the TCP RST comes after the ServerHello. Just wanted to add that this is also one of the reasons why we used TLS 1.3 (in older versions, they could be relying on the server cert, in which case they would need to wait for the ServerHello).
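
The question raised in this thread, whether a connection stops before or after the ServerHello, can be read mechanically from the `SSL_connect:` lines that `openssl s_client -state` prints. The sketch below is an added example, not part of the gist or written by its participants: the first trace reuses the state lines from the log above, the second is constructed for illustration, and errno 104 is ECONNRESET on Linux.

```python
import re

# One handshake step per `-state` line, e.g. "SSL_connect:SSLv3/TLS read server hello".
STATE_RE = re.compile(r"^SSL_connect:(error in )?(?:SSLv3/TLS|TLSv1\.3) ((?:read|write) .+)$")
ERRNO_RE = re.compile(r"^(?:read|write):errno=(\d+)$")

# State lines copied from the first trace on this page (SNI 1337x.be).
PAGE_TRACE = """\
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
read:errno=0
"""

# Constructed trace (not from the page): connection reset while waiting for ServerHello.
RESET_TRACE = """\
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
"""

def classify(trace):
    """Report how far the handshake got and where it stopped."""
    steps, error_state, errno = [], None, None
    for line in map(str.strip, trace.splitlines()):
        m = STATE_RE.match(line)
        if m and m.group(1):
            error_state = m.group(2)      # state the client was in when the error hit
        elif m and m.group(2) not in steps:
            steps.append(m.group(2))      # s_client repeats some states; keep one
        elif (e := ERRNO_RE.match(line)):
            errno = int(e.group(1))
    if "write finished" in steps:
        verdict = "handshake completed"
    elif "read server hello" in steps:
        verdict = "stopped after ServerHello"
    else:
        verdict = "stopped before ServerHello"
    return {"verdict": verdict, "steps": steps, "error_state": error_state, "errno": errno}

if __name__ == "__main__":
    for name, trace in (("page", PAGE_TRACE), ("constructed", RESET_TRACE)):
        print(name, classify(trace))
```

A trace that ends between `read server hello` and `write finished` is reported as "stopped after ServerHello", which is the case the commenters describe as unusual.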
