[nSLUG] Wikipedia changes/limits protocols?

Mike Spencer mspencer at tallships.ca
Tue Jul 14 03:24:10 ADT 2015

Johann Tienhaara <jtienhaara at yahoo.com> wrote:

> Are we sure Firefox is actually making an SSLv2 request?  That would
> be very odd indeed, since FF was not even born until long after TLS
> had been invented.  I wonder if maybe wireshark is lying and it
> actually means TLS1.2, or something like that.  What happens when
> you wireshark a *successful* connection?

Well, that's a good question. And the answer is a bit weird.

As shown in the previously quoted Wireshark output,

     TCP   32998 > https [SYN]
     TCP   https > 32998 [SYN, ACK]
     TCP   32998 > https [ACK]
     SSLv2         Client Hello
     TCP   https > 32998 [ACK]
     TCP   https > 32998 [RST, ACK]

the remote host was sending ACK to Client Hello and immediately
following up with RST.  That's a Reset packet isn't it?  In any case,
the browser then sent a new SYN with a new source port and the above
pattern was repeated numerous times.

However, as noted in my previous post, I tried again tonight and got
quite different results.  I am, in fact, able to connect to Wikipedia
with the same FF browser -- no changes in about:config or menued

Now Wireshark shows,

     TCP    32839 > https  SYN
     TCP    https > 32839  SYN,ACK
     TCP    32839 > https  ACK
     TLSv1  Client  Hello
     TCP    https > 32839  ACK
     TLSv1  Server  Hello
     TCP    32839 > https  ACK
     TCP    TCP segment of reassembled PDU
     TLSv1  Ignored unknown record
     TCP    32839 > https   ACK
     [3 of these]
     TLSv1  Client key exchange...

And everything goes as it should.  The site suggested by Dan (which
apparently probes a designated server to detect what it supports) says
that WP supports TLSv1 and tonight FF is using that.

I have no idea why FF tried SSLv2 over and over, then gave up last
night but used TLSv1 tonight.

> According to your wireshark output, unless I'm mis-reading it, the
> server responded after your Client Hello...

Yes, with an ACK, but followed it up with an RST.  I read the
relevant RFC at one time but I'm not totally clear on all the details
of TCP so I could be misinterpreting something.  I can't see how
Wireshark could be lying.  AFAICT, FF tried one
protocol/handshake/hello last night (which failed repeatedly) and
a different one tonight which succeeded.

> PKCS stands for Public Key Cryptography Standards.  

My confusion arose from the RFC title

    2315:  PKCS #7: Cryptographic Message Syntax

because someone mentioned PKCS #7.  I hadn't gotten as far as

    3447:  Public-Key Cryptography Standards (PKCS)

which would have answered my question.

- Mike

Michael Spencer                  Nova Scotia, Canada       .~. 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
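
An added example, not part of the original post: the two captures above differ in how the Client Hello is framed on the wire, and this Python sketch classifies the first bytes a client sends. It reports the framing (SSLv2-format record versus TLS record) separately from the version the hello offers, since an SSLv2-format Client Hello can carry a higher version number; the function names and sample bytes are constructed for illustration.

```python
import struct

# Wire version numbers (major, minor) used in both hello formats.
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def _name(major, minor):
    return VERSIONS.get((major, minor), f"unknown {major}.{minor}")

def classify_client_hello(data: bytes):
    """Return (framing, offered_version) for the first bytes a client sends."""
    if len(data) < 5:
        raise ValueError("too short to classify")
    # SSLv2 record: 2-byte header with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if length < 9 or len(data) < 2 + length:
            raise ValueError("truncated SSLv2-format hello")
        return "SSLv2 framing", _name(data[3], data[4])
    # TLS/SSLv3 record: type 0x16 (handshake), version, 2-byte length.
    if data[0] == 0x16 and data[1] == 3:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        # Offered version follows the 5-byte record and 4-byte handshake headers.
        return "TLS record framing", _name(data[9], data[10])
    raise ValueError("neither SSLv2-format nor TLS handshake")

def v2_hello(major, minor):
    # Constructed sample: one 3-byte cipher spec, no session id, 16-byte challenge.
    body = (struct.pack("!BBBHHH", 1, major, minor, 3, 0, 16)
            + b"\x00\x00\x0a" + bytes(16))
    return struct.pack("!H", 0x8000 | len(body)) + body

def tls_hello(major, minor):
    # Constructed sample: minimal ClientHello with one cipher suite.
    body = (bytes([major, minor]) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (v2_hello(0, 2), v2_hello(3, 1), tls_hello(3, 1)):
        print(classify_client_hello(sample))
```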
