caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

mitm.watch iOS11 false positive #1890

Closed larssonper closed 7 years ago

larssonper commented 7 years ago

1. What version of Caddy are you using (caddy -version)?

https://mitm.watch

2. What are you trying to do?

Test the site with the new release of iOS11.

6. What did you expect to see?

Not MITM

7. What did you see instead (give full error messages and/or log)?

Likely MITM.

8. How can someone who is starting from scratch reproduce the bug as minimally as possible?

Use an iPhone with iOS11 and go to https://mitm.watch using Safari.

I guess the server doesn't recognize the new client handshake in iOS11. Using iOS11 on the same network gives Not MITM.

User agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1

ClientHello (hex dump from Wireshark):

0000   f0 9f c2 05 c5 89 20 ee 28 cf 7d 77 08 00 45 02
0010   01 19 00 00 40 00 40 06 4f 75 c0 a8 50 50 9f cb
0020   39 a4 cd 64 01 bb b8 05 7e 8a 69 db f7 21 80 18
0030   08 0a bc 35 00 00 01 01 08 0a 3f 86 d9 e8 88 9c
0040   f8 a0 16 03 01 00 e0 01 00 00 dc 03 03 27 fa fb
0050   16 70 8f cb e4 89 fd a3 32 26 0d 32 b1 a2 2b ea
0060   66 72 a7 2b 5e 61 d7 b9 96 3d f1 b1 0d 00 00 28
0070   c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 cc a9 c0 30
0080   c0 2f c0 28 c0 27 c0 14 c0 13 cc a8 00 9d 00 9c
0090   00 3d 00 3c 00 35 00 2f 01 00 00 8b ff 01 00 01
00a0   00 00 00 00 0f 00 0d 00 00 0a 6d 69 74 6d 2e 77
00b0   61 74 63 68 00 17 00 00 00 0d 00 14 00 12 04 03
00c0   08 04 04 01 05 03 08 05 05 01 08 06 06 01 02 01
00d0   00 05 00 05 01 00 00 00 00 33 74 00 00 00 12 00
00e0   00 00 10 00 30 00 2e 02 68 32 05 68 32 2d 31 36
00f0   05 68 32 2d 31 35 05 68 32 2d 31 34 08 73 70 64
0100   79 2f 33 2e 31 06 73 70 64 79 2f 33 08 68 74 74
0110   70 2f 31 2e 31 00 0b 00 02 01 00 00 0a 00 08 00
0120   06 00 1d 00 17 00 18

mholt commented 7 years ago

Thanks for filing an issue!

Huh, that's fascinating, because when I add this to the test corpus, the tests still pass. Are you sure this is the right handshake?

mholt commented 7 years ago

I've pushed a commit with your test case in it. Apparently it (already) correctly identifies Safari in the tests, but not in the wild...?

larssonper commented 7 years ago

That's strange. I tested again on an iPhone 5 (iOS 10.3.3), an iPhone 7 (iOS 11) and an iPhone 8 (iOS 11). The iPhone 5 works, but not the iPhone 7 or 8. All on the same network. I compared the packets on the inside of the firewall and outside, and the handshake was the same.

Here are hex dumps for all ClientHellos

iPhone 5 (iOS 10.3.3)

0000   f0 9f c2 05 c5 89 a4 c3 61 88 7f dc 08 00 45 00
0010   01 10 31 ac 40 00 40 06 1d f1 c0 a8 50 33 9f cb
0020   39 a4 da f8 01 bb f2 9e 8b e7 6d ee 4a 49 80 18
0030   10 15 e3 ad 00 00 01 01 08 0a 30 bc 9c 4e 8a 73
0040   11 b7 16 03 01 00 d7 01 00 00 d3 03 03 59 c5 f9
0050   85 d7 bc 02 96 e3 c9 b8 14 f3 88 23 a8 5d 62 b0
0060   c1 bc 18 13 05 ec 59 0e 8b 59 18 22 47 00 00 26
0070   00 ff c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 c0 30
0080   c0 2f c0 28 c0 27 c0 14 c0 13 00 9d 00 9c 00 3d
0090   00 3c 00 35 00 2f 01 00 00 84 00 00 00 0f 00 0d
00a0   00 00 0a 6d 69 74 6d 2e 77 61 74 63 68 00 0a 00
00b0   08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00
00c0   0d 00 12 00 10 04 01 02 01 05 01 06 01 04 03 02
00d0   03 05 03 06 03 33 74 00 00 00 10 00 30 00 2e 02
00e0   68 32 05 68 32 2d 31 36 05 68 32 2d 31 35 05 68
00f0   32 2d 31 34 08 73 70 64 79 2f 33 2e 31 06 73 70
0100   64 79 2f 33 08 68 74 74 70 2f 31 2e 31 00 05 00
0110   05 01 00 00 00 00 00 12 00 00 00 17 00 00

iPhone 7 (iOS 11)

0000   f0 9f c2 05 c5 89 20 ee 28 cf 7d 77 08 00 45 02
0010   01 19 00 00 40 00 40 06 4f 75 c0 a8 50 50 9f cb
0020   39 a4 d0 1e 01 bb a2 4d be 51 01 c6 07 1a 80 18
0030   08 0a b5 73 00 00 01 01 08 0a 3f c3 45 ed 8a 73
0040   22 9a 16 03 01 00 e0 01 00 00 dc 03 03 47 1c c6
0050   8d ef b2 25 08 25 5a 61 c9 52 cd 14 a5 6c 95 a2
0060   e6 51 b6 50 76 bb 4b d9 84 a4 17 23 87 00 00 28
0070   c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 cc a9 c0 30
0080   c0 2f c0 28 c0 27 c0 14 c0 13 cc a8 00 9d 00 9c
0090   00 3d 00 3c 00 35 00 2f 01 00 00 8b ff 01 00 01
00a0   00 00 00 00 0f 00 0d 00 00 0a 6d 69 74 6d 2e 77
00b0   61 74 63 68 00 17 00 00 00 0d 00 14 00 12 04 03
00c0   08 04 04 01 05 03 08 05 05 01 08 06 06 01 02 01
00d0   00 05 00 05 01 00 00 00 00 33 74 00 00 00 12 00
00e0   00 00 10 00 30 00 2e 02 68 32 05 68 32 2d 31 36
00f0   05 68 32 2d 31 35 05 68 32 2d 31 34 08 73 70 64
0100   79 2f 33 2e 31 06 73 70 64 79 2f 33 08 68 74 74
0110   70 2f 31 2e 31 00 0b 00 02 01 00 00 0a 00 08 00
0120   06 00 1d 00 17 00 18

iPhone 8 (iOS 11)

0000   f0 9f c2 05 c5 89 b0 19 c6 e1 2f a3 08 00 45 00
0010   01 19 00 00 40 00 40 06 4f 93 c0 a8 50 34 9f cb
0020   39 a4 d6 19 01 bb ff bd b7 43 da d7 b0 bd 80 18
0030   08 0a 75 86 00 00 01 01 08 0a 29 b9 e2 d1 8a 73
0040   33 4c 16 03 01 00 e0 01 00 00 dc 03 03 98 67 f7
0050   26 1a 31 73 f6 bd 35 2d e4 82 38 5f 5e a9 1c 7a
0060   93 67 9c 3e 62 11 f9 bc b2 ce 0e 38 0c 00 00 28
0070   c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 cc a9 c0 30
0080   c0 2f c0 28 c0 27 c0 14 c0 13 cc a8 00 9d 00 9c
0090   00 3d 00 3c 00 35 00 2f 01 00 00 8b ff 01 00 01
00a0   00 00 00 00 0f 00 0d 00 00 0a 6d 69 74 6d 2e 77
00b0   61 74 63 68 00 17 00 00 00 0d 00 14 00 12 04 03
00c0   08 04 04 01 05 03 08 05 05 01 08 06 06 01 02 01
00d0   00 05 00 05 01 00 00 00 00 33 74 00 00 00 12 00
00e0   00 00 10 00 30 00 2e 02 68 32 05 68 32 2d 31 36
00f0   05 68 32 2d 31 35 05 68 32 2d 31 34 08 73 70 64
0100   79 2f 33 2e 31 06 73 70 64 79 2f 33 08 68 74 74
0110   70 2f 31 2e 31 00 0b 00 02 01 00 00 0a 00 08 00
0120   06 00 1d 00 17 00 18

I will ask some of my friends what they get when they go to https://mitm.watch on their iOS 11 devices.
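
The dumps above are full Ethernet frames, so the TLS fields a fingerprint-based MITM check keys on are buried under 66 bytes of Ethernet, IPv4 and TCP headers. The script below is an added example (not Caddy's code and not posted in this thread): it embeds the iPhone 5 (iOS 10.3.3) and iPhone 7 (iOS 11) dumps from this issue with Wireshark's offset column removed, strips the lower-layer headers, parses the ClientHello, and prints a JA3-style summary so the differences between the two handshakes can be read off directly rather than guessed at. Field names such as `cipher_suites` and the `compare` helper are this example's own choices, not names used by Caddy.

```python
# Frames copied from the issue (Wireshark offset column removed): the iPhone 5
# on iOS 10.3.3 and the iPhone 7 on iOS 11, both opening https://mitm.watch.
IOS10_FRAME = """f0 9f c2 05 c5 89 a4 c3 61 88 7f dc 08 00 45 00 01 10 31 ac 40 00 40 06 1d f1 c0 a8 50 33 9f cb
39 a4 da f8 01 bb f2 9e 8b e7 6d ee 4a 49 80 18 10 15 e3 ad 00 00 01 01 08 0a 30 bc 9c 4e 8a 73
11 b7 16 03 01 00 d7 01 00 00 d3 03 03 59 c5 f9 85 d7 bc 02 96 e3 c9 b8 14 f3 88 23 a8 5d 62 b0
c1 bc 18 13 05 ec 59 0e 8b 59 18 22 47 00 00 26 00 ff c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 c0 30
c0 2f c0 28 c0 27 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 01 00 00 84 00 00 00 0f 00 0d
00 00 0a 6d 69 74 6d 2e 77 61 74 63 68 00 0a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00
0d 00 12 00 10 04 01 02 01 05 01 06 01 04 03 02 03 05 03 06 03 33 74 00 00 00 10 00 30 00 2e 02
68 32 05 68 32 2d 31 36 05 68 32 2d 31 35 05 68 32 2d 31 34 08 73 70 64 79 2f 33 2e 31 06 73 70
64 79 2f 33 08 68 74 74 70 2f 31 2e 31 00 05 00 05 01 00 00 00 00 00 12 00 00 00 17 00 00"""
IOS11_FRAME = """f0 9f c2 05 c5 89 20 ee 28 cf 7d 77 08 00 45 02 01 19 00 00 40 00 40 06 4f 75 c0 a8 50 50 9f cb
39 a4 d0 1e 01 bb a2 4d be 51 01 c6 07 1a 80 18 08 0a b5 73 00 00 01 01 08 0a 3f c3 45 ed 8a 73
22 9a 16 03 01 00 e0 01 00 00 dc 03 03 47 1c c6 8d ef b2 25 08 25 5a 61 c9 52 cd 14 a5 6c 95 a2
e6 51 b6 50 76 bb 4b d9 84 a4 17 23 87 00 00 28 c0 2c c0 2b c0 24 c0 23 c0 0a c0 09 cc a9 c0 30
c0 2f c0 28 c0 27 c0 14 c0 13 cc a8 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 01 00 00 8b ff 01 00 01
00 00 00 00 0f 00 0d 00 00 0a 6d 69 74 6d 2e 77 61 74 63 68 00 17 00 00 00 0d 00 14 00 12 04 03
08 04 04 01 05 03 08 05 05 01 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 33 74 00 00 00 12 00
00 00 10 00 30 00 2e 02 68 32 05 68 32 2d 31 36 05 68 32 2d 31 35 05 68 32 2d 31 34 08 73 70 64
79 2f 33 2e 31 06 73 70 64 79 2f 33 08 68 74 74 70 2f 31 2e 31 00 0b 00 02 01 00 00 0a 00 08 00
06 00 1d 00 17 00 18"""


def tcp_payload(frame: bytes) -> bytes:
    """Strip the Ethernet, IPv4 and TCP headers of a captured frame."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected an Ethernet/IPv4/TCP frame")
    tcp = 14 + (frame[14] & 0x0F) * 4                   # IHL: IPv4 header length in 32-bit words
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]     # TCP data offset, same unit


def _vec(buf: bytes, pos: int, n: int):
    """Read a vector with an n-byte big-endian length prefix; return (body, end)."""
    end = pos + n + int.from_bytes(buf[pos:pos + n], "big")
    if len(buf) < pos + n or len(buf) < end:
        raise ValueError("truncated ClientHello")
    return buf[pos + n:end], end


def _u16s(b: bytes) -> list:
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, len(b) - 1, 2)]


def parse_client_hello(rec: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello into the fields a fingerprint uses."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs, _ = _vec(rec, 6, 3)                  # handshake body, bounded by its own 3-byte length
    ch = {"version": int.from_bytes(hs[0:2], "big"), "sni": None, "extensions": [],
          "alpn": [], "groups": [], "sig_algs": []}
    _, pos = _vec(hs, 34, 1)                 # version (2) + random (32), then legacy session id
    suites, pos = _vec(hs, pos, 2)
    ch["cipher_suites"] = _u16s(suites)
    _, pos = _vec(hs, pos, 1)                # compression methods
    exts, _ = _vec(hs, pos, 2)
    p = 0
    while p + 4 <= len(exts):
        ext_type = int.from_bytes(exts[p:p + 2], "big")
        body, p = _vec(exts, p + 2, 2)
        ch["extensions"].append(ext_type)    # wire order matters for fingerprinting
        if ext_type == 0x0000 and body[2:3] == b"\x00":     # server_name, host_name entry
            ch["sni"] = _vec(body, 3, 2)[0].decode("ascii")
        elif ext_type == 0x000A:                             # supported_groups
            ch["groups"] = _u16s(_vec(body, 0, 2)[0])
        elif ext_type == 0x000D:                             # signature_algorithms
            ch["sig_algs"] = _u16s(_vec(body, 0, 2)[0])
        elif ext_type == 0x0010:                             # ALPN protocol list
            names, q = _vec(body, 0, 2)[0], 0
            while q < len(names):
                name, q = _vec(names, q, 1)
                ch["alpn"].append(name.decode("ascii"))
    return ch


def fingerprint(ch: dict) -> str:
    """JA3-style summary (version,ciphers,extensions,groups), left unhashed for reading."""
    j = lambda xs: "-".join(str(x) for x in xs)
    return f"{ch['version']},{j(ch['cipher_suites'])},{j(ch['extensions'])},{j(ch['groups'])}"


def compare(a: dict, b: dict) -> dict:
    """Fields on which the two hellos differ: {field: (only_in_a, only_in_b)}."""
    return {k: (sorted(set(a[k]) - set(b[k])), sorted(set(b[k]) - set(a[k])))
            for k in ("cipher_suites", "extensions", "groups", "sig_algs") if a[k] != b[k]}


if __name__ == "__main__":
    hellos = {name: parse_client_hello(tcp_payload(bytes.fromhex(dump)))
              for name, dump in (("iOS 10.3.3", IOS10_FRAME), ("iOS 11", IOS11_FRAME))}
    for name, ch in hellos.items():
        print(f"{name:11} sni={ch['sni']} alpn={ch['alpn']}\n    {fingerprint(ch)}")
    for field, (gone, new) in compare(*hellos.values()).items():
        print(f"{field}: iOS 11 added {[hex(x) for x in new]}, dropped {[hex(x) for x in gone]}")
```

Run as-is, the script shows that both devices send TLS 1.2 hellos for `mitm.watch` with the same ALPN list, while the iOS 11 hello adds the ChaCha20 suites (`0xcca9`, `0xcca8`), carries `renegotiation_info` as a leading extension instead of the `0x00ff` SCSV, lists `x25519` ahead of the NIST curves, advertises RSA-PSS signature algorithms, and reorders its extensions. Any check that compares a hello against a per-browser fingerprint corpus has to carry entries for both shapes, which is why a server running an older corpus can flag a newer client as "likely MITM" even though nothing sits between them.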

mholt commented 7 years ago

@larssonper Thanks, I'm integrating these into the corpus now, even though they already pass.

This is a dumb request, probably, but if you go to https://caddyserver.com/docs/mitm-detection on your iPhone with iOS 11 (doesn't matter which iPhone, 7 or 8), does it show a green badge or a red one?

mholt commented 7 years ago

Hmm, I take that back (about adding these new ones to the test corpus) -- since I can't be sure of the User-Agent string. I've assumed they're the same/similar to what I've used before but I have to be absolutely sure before adding them. But since they still pass already, I'm not really worried about not adding them to the tests.

Would still be interested to know if you get a false positive on the Caddy website.

larssonper commented 7 years ago

I get a green badge on the Caddy website. How does that differ from mitm.watch?

mholt commented 7 years ago

The only thing I can figure is that the Caddy website is using the latest version of Caddy, because Caddy has had support for iOS 11 beta since July. Probably just means that CF needs to update to the latest version. Thanks for taking the time to report this!