Skip to content

TLS layer appears as Raw #4087

New issue
New issue
Closed
Closed
TLS layer appears as Raw#4087
@marcindulak

Description

@marcindulak
marcindulak
opened on Aug 3, 2023

Brief description

The expected TLS layer of "Client Hello" shows as Raw.

I'm using curl against an nginx server configured with a self-signed certiticate, and try to read the saved pcap with scapy.
I get the same problem with Raw layer from both nginx using TLS1.2 and TLS1.3. Wireshark shows the expected TLS layer.
Making curl https://www.wireshark.org results in the expected TLS1.3 layer when read with scapy.

I checked https://github.com/secdev/scapy/issues but didn't find an indication what the issue may be.
I tested also #4082 using gpotter2@e28c0a2.

Scapy version

8e116af

Python version

3.11.3

Operating system

Debian GNU/Linux 12 (bookworm)

Additional environment information

docker compose setup that includes client <-> router <-> server, all running Debian.

How to reproduce

  1. Configure nginx

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj '/CN=server'
sudo cp server /etc/nginx/sites-enabled
sudo service nginx restart

    using the following server file

    server {
 listen 8443 ssl;
 listen [::]:8443 ssl;

 ssl_certificate /etc/ssl/certs/server.crt;
 ssl_certificate_key /etc/ssl/private/server.key;
 ssl_protocols TLSv1.3;

 root /var/www/html;
 index index.html index.htm index.nginx-debian.html;

 server_name server;

 location / {
          try_files $uri $uri/ =404;
     }
}

  2. On client, add sudo sh -c "echo 192.168.64.3 server >> /etc/hosts"

  3. On client, start tcpdump

    sudo tcpdump -i eth0 -s0 -nxxX -w /tmp/server.pcap

  4. From client, issue a curl request against the server

    echo > SSLKEYLOGFILE && SSLKEYLOGFILE=SSLKEYLOGFILE curl --cacert server.crt https://server:8443

  5. On client, execute scapy script python script.py against the saved pcap

    from scapy.all import *

load_layer('tls')
conf.tls_session_enable = True
conf.tls_nss_filename = 'SSLKEYLOGFILE'

packets = rdpcap('server.pcap')
print(packets[3].show())

  6. If desired, create pcapng

    editcap --inject-secrets tls,SSLKEYLOGFILE server.pcap server.pcapng

Actual result

###[ Ethernet ]### 
  dst       = 02:42:c0:a8:30:02
  src       = 02:42:c0:a8:30:03
  type      = IPv4
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 569
     id        = 207
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x4699
     src       = 192.168.48.3
     dst       = 192.168.64.3
     \options   \
###[ TCP ]### 
        sport     = 57146
        dport     = 8443
        seq       = 1342615260
        ack       = 3137762623
        dataofs   = 8
        reserved  = 0
        flags     = PA
        window    = 502
        chksum    = 0xf382
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (4110525849, 588790177))]
###[ Raw ]### 
           load      = b'\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03p\x0bCD\xec\x05\xef]$\xd45\x9e\x1d\xfd\xa8\xcb\x8b`k\xb9\xe3f\x90\xbe@2\x00U\x83d\x8c\xfd ;\xb6\xbd\xd9\xd8\xb10Ycn\xf3Y\xcc\x11\xa8\xd4t\x8b\x8a\xb1\xfb\x015\xf6\xdbg\x9c\xfaF\xf9vR\x00>\x13\x02\x13\x03\x13\x01\xc0,\xc00\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0+\xc0/\x00\x9e\xc0$\xc0(\x00k\xc0#\xc0\'\x00g\xc0\n\xc0\x14\x009\xc0\t\xc0\x13\x003\x00\x9d\x00\x9c\x00=\x00<\x005\x00/\x00\xff\x01\x00\x01u\x00\x00\x00\x0b\x00\t\x00\x00\x06server\x00\x0b\x00\x04\x03\x00\x01\x02\x00\n\x00\x16\x00\x14\x00\x1d\x00\x17\x00\x1e\x00\x19\x00\x18\x01\x00\x01\x01\x01\x02\x01\x03\x01\x04\x00\x10\x00\x0e\x00\x0c\x02h2\x08http/1.1\x00\x16\x00\x00\x00\x17\x00\x00\x001\x00\x00\x00\r\x00*\x00(\x04\x03\x05\x03\x06\x03\x08\x07\x08\x08\x08\t\x08\n\x08\x0b\x08\x04\x08\x05\x08\x06\x04\x01\x05\x01\x06\x01\x03\x03\x03\x01\x03\x02\x04\x02\x05\x02\x06\x02\x00+\x00\t\x08\x03\x04\x03\x03\x03\x02\x03\x01\x00-\x00\x02\x01\x01\x003\x00&\x00$\x00\x1d\x00 \xdd\xabO\xa1\xfd\xf2"\xb7\xaa\xaf|\xdf\xfd\xbc\xa3\xec\x96n\x1f\x1d\xd1\x05\x95\xc1\xfa\xe9\xa4\x00kG\xcdH\x00\x15\x00\xb7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

None

Expected result

The TLS layer is printed

Related resources

pcaps.zip

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions