<div dir="ltr">Hello,<div><br></div>
<div>I was wondering what the differences are if we apply the ssl bump operation at different steps?</div>
<div>The documentation contains information about only one difference: when we bump at step1, Proxy first establishes a TLS connection with the Client and then with the Server, while in the other cases it is first with the Server and then with the Client.</div>
<div><br></div>
<div>I looked into this issue and tried to summarize the information I have (I will not detail here the information available to the admin at each of the three steps). Maybe it will help someone.</div>
<div><br></div>
<div><b>1. step1</b></div>
<div>Conf:</div>
<div><font face="monospace">ssl_bump bump step1</font></div>
<div><br></div>
<div>Workflow:</div>
<div><font face="monospace">step 1 (bump)<br>
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy<br>
2. Proxy -> HTTP 200 Connection established -> Client<br>
3. Client -> Client Hello (SNI) -> Proxy<br>
4. Proxy -> Makes Server Hello (with fake certificate for the SNI host) -> Client<br>
5. Client <- Complete TLS handshake -> Proxy<br>
6. Proxy -> Makes Client Hello (based on the Client Hello SNI, but uses its own cipher suites and TLS version) -> Server<br>
7. Server -> Server Hello -> Proxy<br>
8. Proxy <- Complete TLS handshake -> Server<br>
9. Client -> HTTP Request -> Proxy<br>
10. Proxy -> HTTP Request -> Server<br>
11. Server -> HTTP Response -> Proxy<br>
12. Proxy -> HTTP Response -> Client<br>
...</font></div>
<div><br></div>
<div><b>2. step2</b></div>
<div>Conf:</div>
<div><font face="monospace">ssl_bump stare step1</font></div>
<div><font face="monospace">ssl_bump bump step2</font></div>
<div><br></div>
<div>Workflow:</div>
<div><font face="monospace">step 1 (stare)<br>
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy<br>
2. Proxy -> HTTP 200 Connection established -> Client<br>
<br>
step 2 (bump)<br>
3. Client -> Client Hello (SNI) -> Proxy<br>
4. Proxy -> Makes Client Hello (based on the Client Hello SNI, but <b>uses its own cipher suites</b> and TLS version) -> Server<br>
5. Server -> Server Hello -> Proxy<br>
6. Proxy <- Complete TLS handshake -> Server<br>
7. Proxy -> Makes Server Hello (with fake certificate for the SNI host with mimicked attributes) -> Client<br>
8. Client <- Complete TLS handshake -> Proxy<br>
9. Client -> HTTP Request -> Proxy<br>
10. Proxy -> HTTP Request -> Server<br>
11. Server -> HTTP Response -> Proxy<br>
12. Proxy -> HTTP Response -> Client<br>
...</font></div>
<div><br></div>
<div><b>3. step3</b></div>
<div>Conf:</div>
<div><font face="monospace">ssl_bump stare step1</font></div>
<div><font face="monospace">ssl_bump stare step2</font></div>
<div><font face="monospace">ssl_bump bump step3</font></div>
<div><br></div>
<div>Workflow:</div>
<div><font face="monospace">step 1 (stare)<br>
1. Client -> CONNECT aaa.bbb.ccc.ddd -> Proxy<br>
2. Proxy -> HTTP 200 Connection established -> Client<br>
<br>
step 2 (stare)<br>
3. Client -> Client Hello (SNI) -> Proxy<br>
<br>
step 3 (bump)<br>
4. Proxy -> Makes Client Hello (based on the real Client Hello SNI, and uses <b>Client's cipher suites</b> but its own TLS version) -> Server<br>
5. Server -> Server Hello -> Proxy<br>
6. Proxy <- Complete TLS handshake -> Server<br>
7. Proxy -> Makes Server Hello (with fake certificate for the SNI host with mimicked attributes) -> Client<br>
8. Client <- Complete TLS handshake -> Proxy<br>
9. Client -> HTTP Request -> Proxy<br>
10. Proxy -> HTTP Request -> Server<br>
11. Server -> HTTP Response -> Proxy<br>
12. Proxy -> HTTP Response -> Client<br>
...</font></div>
<div><br></div>
<div>We obtained these data by analyzing network dumps for each configuration.</div>
<div><br></div>
<div>Bumping at steps 2 and 3 is very similar, but in the first case Proxy sends Client Hello to a Server with its own ciphers, and in the latter case with ciphers received from the Client.</div>
<div><br></div>
<div>If anyone has any comments or additions, please feel free to complete it.</div>
<div><br></div>
<div>Kind regards,</div>
<div> Ankor.</div>
</div>
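<div>As an added example (not part of Ankor's post and not Squid's own code): a small Python check that parses two captured ClientHello records, the one the client sent to the proxy and the one the proxy sent upstream, and reports whether the upstream hello carries the client's cipher suites (the step3 behaviour above) or the proxy's own list (the step1/step2 behaviour). The sample hellos, the cipher lists and the hostname example.test are constructed here, not taken from a real dump.</div>

```python
import struct

def build_client_hello(version: int, ciphers: list, sni: str) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample, not a real capture)."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type=host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # compression: null only
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs        # TLS record header

def parse_client_hello(rec: bytes) -> dict:
    """Extract client_version, offered cipher suites and SNI from a ClientHello record."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                   # record header (5) + handshake header (4)
    version = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    p += 32                                                 # random
    p += 1 + rec[p]                                         # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                         # compression methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    sni = None
    while p < end:                                          # walk extensions looking for server_name
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        if etype == 0x0000:
            name_len = struct.unpack("!H", rec[p + 3:p + 5])[0]
            sni = rec[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"version": version, "ciphers": ciphers, "sni": sni}

def classify_bump(from_client: bytes, from_proxy: bytes) -> str:
    """Compare the client's hello with the one the proxy sent upstream.
    Per the post: bump at step1/step2 -> proxy's own cipher suites, bump at step3 -> client's."""
    c, p = parse_client_hello(from_client), parse_client_hello(from_proxy)
    if c["sni"] != p["sni"]:
        return "sni-mismatch"
    return "client-ciphers" if c["ciphers"] == p["ciphers"] else "proxy-ciphers"

# Constructed sample hellos modelled on the post's workflows (hostname is a placeholder).
CLIENT_TO_PROXY = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], "example.test")
PROXY_TO_SERVER_STEP2 = build_client_hello(0x0303, [0xC030, 0xC02F], "example.test")          # proxy's own list
PROXY_TO_SERVER_STEP3 = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], "example.test")  # client's list
```

<div>Feeding it the two ClientHello records from a real dump (client side and server side of the proxy) tells you which of the three workflows the deployed configuration is actually producing.</div>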