libncftp v. macOS Native curl with Secure Transport APIs and Session Reuse

I am working on adding RFC4217 Secure FTP with TLS by extending Mike Gleason's classic libncftp client library. I refactored the code to include an FTP channel abstraction with FTP channel abstraction types for TCP, TLS, and TCP with Opportunistic TLS types. The first implementation of those included BSD sockets that libncftp has always supported with the clear TCP channel type.

I first embarked on extending the sockets implementation by adding TCP, TLS, and TCP with Opportunistic TLS channel abstraction types against the new, modern Network.framework C-based APIs, including using the “tricky” framer technique to employ a TCP with Opportunistic TLS FTP channel abstraction type to support explicit FTPS as specified by RFC4217 where you have to connect first in the clear with TCP, request AUTH TLS, and then start TLS after receiving positive confirmation. That all worked great.

Unfortunately, at the end of that effort, I discovered that many modern FTPS server implementations (vsftpd, pure-ftpd, proftpd) mandate TLS session reuse / resumption across the control and data channels, specifying the identical session ID and cipher suites across the control and data channels. Since Network.framework lacked a necessary equivalent to the Secure Transport SSLSetPeerID, I retrenched and rewrote the necessary TLS and TCP with Opportunistic TLS FTP channel abstraction types using the now-deprecated Secure Transport APIs atop the Network.framework-based TCP clear FTP channel type abstraction I had just written.

Using the canonical test server I had been using throughout development, test.rebex.net, this Secure Transport solution seemed to work perfectly, working in clear, secure-control-only, and secure-control+data explicit FTPS operation.

I then proceeded to expand testing to include a broad set of Microsoft FTP Service, pure-ftpd, vsftpd, proftpd, and other FTP servers identified on the Internet (a subset from this list: https://gist.github.com/mnjstwins/85ac8348d6faeb32b25908d447943300).

In doing that testing, beyond test.rebex.net, I was unable to identify a single one (among hundreds) that successfully works with secure-control+data explicit FTPS operation, even though nearly all of them work with secure-control-only explicit FTPS operation.

So, I started regressing my libncftp + Network.framework + Secure Transport implementation against curl 8.7.1 on macOS 14.7.2 “Sonoma”:

% which curl; `which curl` --version
/usr/bin/curl
curl 8.7.1 (x86_64-apple-darwin23.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL threadsafe UnixSockets

I find that curl (also apparently written against Secure Transport) works in almost all of the cases my libncftp does not. This is a representative example:

% ./samples/misc/ncftpgetbytes -d stderr --secure --explicit --secure-both ftps://ftp.sjtu.edu.cn:21/pub/README.NetInstall

which fails in the secure-control+data case with errSSLClosedAbort on the data channel TLS handshake attempt, just after ClientHello, whereas:

% curl -4 --verbose --ftp-pasv --ftp-ssl-reqd ftp://ftp.sjtu.edu.cn:21/pub/README.NetInstall

succeeds.

I took an in-depth look at the implementation of github.com/apple-oss-distributions/curl/ and git/github.com/apple-oss-distributions/Security/ to identify areas where my implementation was, perhaps, deficient relative to curl and its curl/lib/vtls/sectransp.c Secure Transport implementation. As far as I can tell, I am doing everything consistently with what the Apple OSS implementation of curl is doing. The analysis included:

  • SSLSetALPNProtocols
    • Not applicable for FTP; only used for HTTP/2 and HTTP/3.
  • SSLSetCertificate
    • Should only be relevant when a custom, non-Keychain-based certificate is used.
  • SSLSetEnabledCiphers
    • This could be an issue; however, the cipher suite used for the data channel should be the same as that used for the control channel. curl talks about disabling "weak" cipher suites that are known-insecure even though the default suites macOS enables are unlikely to enable them.
  • SSLSetProtocolVersionEnabled
    • We do not appear to be getting a protocol version negotiation error, so this seems unlikely, but possible.
  • SSLSetProtocolVersionMax
    • We do not appear to be getting a protocol version negotiation error, so this seems unlikely, but possible.
  • SSLSetProtocolVersionMin
    • We do not appear to be getting a protocol version negotiation error, so this seems unlikely, but possible.
  • SSLSetSessionOption( , kSSLSessionOptionFalseStart)
    • curl does seem to enable this for certain versions of macOS and disables it for others. Possible.
    • Running curl with the --false-start option does not seem to make a difference.
  • SSLSetSessionOption( , kSSLSessionOptionSendOneByteRecord)
    • Corresponds to "*****" which seems defaulted and is related to an SSL security flaw when using CBC-based block encryption ciphers, which is not applicable here.

Based on that, further experiments I attempted included:

  • Disable use of kSSLSessionOptionBreakOnServerAuth: No impact
  • Assert use of kSSLSessionOptionFalseStart: No impact
  • Assert use of kSSLSessionOptionSendOneByteRecord: No impact
  • Use SSLSetProtocolVersionMin and SSLSetProtocolVersionMax in various combinations: No impact
  • Use SSLSetProtocolVersionEnabled in various combinations: No impact
  • Forcibly set a single cipher suite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, known to work with a given server): No impact
  • Employ a SetDefaultCipherSuites function similar to what curl does (filtering out “weak” cipher suites): No impact
    • Notably, I can never coax a similar set of cipher suites that macOS curl does with that technique. In fact, it publishes ciphers that aren’t even in <Security/CipherSuite.h> nor referenced by github.com/apple-oss-distributions/curl/curl/lib/vtls/sectransp.c.
  • Assert use of kSSLSessionOptionAllowRenegotiation: No impact
  • Assert use of kSSLSessionOptionEnableSessionTickets: No impact

Looking at Wireshark, my ClientHello includes status_request, signed_certificate_timestamp, and extended_master_secret extensions whereas macOS curl's never do--same Secure Transport APIs. None of the above API experiments seem to influence the inclusion / exclusion of those three ClientHello additions.

Any suggestions are welcomed that might shine a light on what native curl has access to that allows it to work with ST for these FTP secure-control+data use cases.

After much debugging, I was able to resolve this.

RFC4217 is vague, at best, on this; however, while intuition might dictate using a kTypeTLS (in my implementation, one in which the TCP connection and TLS handshake are synchronous and done back-to-back) channel type for securing the data channel and clubbing the TCP connection with the TLS handshake and doing all of this before sending a data-initiating command (such as NLST or RETR), in practice this works with only a scant number of FTPS server implementations (such as the custom Microsoft .NET implementation used for test.rebex.net).

Instead, the kTypeTCPOpportunisticTLS (in my implementation, one in which the TCP connection and TLS handshake are asynchronous and done independently) channel type hits the "broader side of the barn" of FTPS server implementations with a:

  1. TCP connect
  2. Sending the data-initiating command
  3. Performing the TLS handshake to secure the channel

order of operations.

That sending the data-initiating command (such as NLST or RETR) is interposed between (1) and (3) was a bit surprising.

Now that I have made this change, this allows my implementation to work with either secure control-only or control+data with the following implementations:

  • The test.rebex.net custom Microsoft .NET implementation.
  • FileZilla
  • Microsoft FTP Service
  • proftpd
  • pure-ftpd
  • vsftpd
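
The order of operations described above, as an added example that is not part of the original post and is not libncftp code. It uses Python's ssl module in place of Secure Transport, offering the control channel's session on the data channel (the requirement the thread addresses with SSLSetPeerID); the function names are hypothetical, and reading the 1xx preliminary reply before the handshake is an assumption of this example.

```python
import re
import socket


def read_reply(ctrl):
    """Read one (possibly multi-line) FTP reply; return (code, text)."""
    lines = []
    while True:
        line = bytearray()
        while not line.endswith(b"\n"):
            byte = ctrl.recv(1)
            if not byte:
                raise ConnectionError("control channel closed mid-reply")
            line += byte
        text = line.decode("latin-1").rstrip("\r\n")
        lines.append(text)
        if re.match(r"\d{3}( |$)", text):  # "NNN text" ends the reply
            return int(text[:3]), "\n".join(lines)


def parse_passive_reply(text, ctrl_peer_ip):
    """Return (ip, port) for a 227 (PASV) or 229 (EPSV) reply.

    The address inside a 227 reply is ignored in favour of the control
    channel's peer, as in the curl trace ("Skip ... for data connection").
    """
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
    if m:
        return ctrl_peer_ip, int(m.group(5)) * 256 + int(m.group(6))
    m = re.search(r"\(\|\|\|(\d+)\|\)", text)
    if m:
        return ctrl_peer_ip, int(m.group(1))
    raise ValueError("unparseable passive reply: %r" % text)


def open_secure_data_channel(ctrl, tls_ctx, host, command, passive="PASV"):
    """Open a protected data channel for `command` (e.g. "RETR name").

    ctrl    -- ssl.SSLSocket for the control channel, after PBSZ 0 / PROT P
    tls_ctx -- the same ssl.SSLContext that wrapped the control channel
    """
    ctrl.sendall(passive.encode("ascii") + b"\r\n")
    code, text = read_reply(ctrl)
    if code not in (227, 229):
        raise OSError("passive mode refused: " + text)
    addr = parse_passive_reply(text, ctrl.getpeername()[0])

    data = socket.create_connection(addr, timeout=30)    # 1. TCP connect
    try:
        ctrl.sendall(command.encode("ascii") + b"\r\n")   # 2. data command
        code, text = read_reply(ctrl)
        if not 100 <= code < 200:                         # e.g. 550: stop here
            raise OSError("transfer refused: " + text)
        # 3. TLS handshake on the data socket, offering the control
        #    channel's session so the server can match the two channels.
        return tls_ctx.wrap_socket(data, server_hostname=host,
                                   session=ctrl.session)
    except BaseException:
        data.close()
        raise


if __name__ == "__main__":
    # Reply text taken from the curl trace on this page.
    print(parse_passive_reply(
        "227 Entering Passive Mode (202,38,97,230,62,39).", "202.38.97.230"))
```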

I am working on adding RFC4217 Secure FTP with TLS by extending Mike Gleason's classic libncftp client library

Why? I had an app years ago that supported FTP. One of the first bug reports I had was from someone connecting to a server on VMS.

Any suggestions are welcomed that might shine a light on what native curl has access to that allows it to work with ST for these FTP secure-control+data use cases.

That part is easy enough to solve. Just download Apple's curl source and look.

Why? I had an app years ago that supported FTP. One of the first bug reports I had was from someone connecting to a server on VMS.

That's a question best answered by my client. Apparently there is interest and demand.

That part is easy enough to solve. Just download Apple's curl source and look.

As noted above, I've scrubbed through it in detail and, as far as I can see, my implementation and its are nearly identical and experiments exploring the minor differences have not yielded any impact on the interoperability issue. Behaviorally, what curl is doing on macOS 14.7.2 seems at odds with the open source.

This is what has led to my question.

https://developer.apple.com/forums/thread/773401

what curl is doing on macOS 14.7.2 seems at odds with the open source.

You’re testing the curl binary, right?

If you build curl from source, what behaviour do you see?

Just to set the stage here, it’s certainly possible for there to be a difference between the source code used by Apple to build the OS and the Darwin open source. However, in the case of curl I’m not aware of any such differences. However^2, it’s possible that the way Apple is building it is causing this change in behaviour.

By building curl from source you can rule out environmental factors; it’ll confirm that there must be something in the source code that’s allowing it to work.

OTOH, if your built-from-source version behaves the same as your app, that’s evidence that the difference is caused by the build environment.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Oh, one other thing. The Secure Transport TLS implementation is itself part of Darwin. Start here but also see here. You might be able to glean some hints from that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You’re testing the curl binary, right?

Thus far, binary-only, correct.

If you build curl from source, what behaviour do you see?

That's an experiment I have not yet embarked on but will do so.

Oh, one other thing. The Secure Transport TLS implementation is itself part of Darwin. Start here but also see here. You might be able to glean some hints from that.

Thanks. I'd definitely been plumbing the depths of the former; however, I had not yet cloned and dove into the latter.

Building curl from what's at github.com/apple-oss-distributions/curl fails out of the chute with:

unable to find sdk 'macosx.internal'

in Xcode.

One thing I note in the --verbose output of curl when interacting with SSL/TLS endpoints is that the output has no equivalent in the sectransp.c libcurl VTLS implementation. The output could and would only be generated from the openssl.c implementation.

The contents of xcconfigs/common.xcconfig include:

CURL_CONFIGURE_OPTIONS[sdk=macosx*] = --enable-threaded-resolver --with-gssapi --with-ssl=/usr/local/libressl --with-secure-transport

which seems to corroborate some of what I am seeing.

xcconfigs/libcurl.xcconfig also contains:

LIBRARY_SEARCH_PATHS[sdk=macosx*] = $(inherited) /usr/local/libressl/lib
HEADER_SEARCH_PATHS[sdk=macosx*] = $(inherited) /usr/local/libressl/include

which would seem to indicate there is more than just a pure Secure Transport implementation.

However, /usr/local/libressl surely does not exist on a “just installed it” macOS distribution much less on a “just installed Xcode” distribution.

unable to find sdk 'macosx.internal'

Yeah, that’s pretty standard for Darwin projects. I’m hardly an expert in building open source, but the standard first step here is to switch the SDK to the standard macOS SDK. The code might then just build, but it’s more likely you’ll hit places where it fails to build because it relies on internal stuff. There’s no standard way to fix such problems; you have to tackle them on a case-by-case basis.

which would seem to indicate there is more than just a pure implementation.

Yep. Consider:

% sw_vers
ProductName:            macOS
ProductVersion:         15.2
BuildVersion:           24C101
% dyld_info -linked_dylibs /usr/bin/curl
…
/usr/bin/curl [arm64e]:
    -linked_dylibs:
        attributes     load path
                       /usr/lib/libcurl.4.dylib
                       …
% dyld_info -linked_dylibs /usr/lib/libcurl.4.dylib
/usr/lib/libcurl.4.dylib [arm64e]:
    -linked_dylibs:
        …
        weak-link      /usr/lib/libcrypto.46.dylib
        weak-link      /usr/lib/libssl.48.dylib
        …

Note I’m using dyld_info because it works with libraries that are in the dynamic linker shared cache. For more on that, see An Apple Library Primer.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Regrettably, on my macOS 14.7.2 system, /usr/lib/libcurl.4.dylib does not exist (though I am sure it is squirreled away in some alternate path, somewhere).

In a different note, trolling through curl/lib/vtls/vtls.c, I found:

  env = env_tmp = curl_getenv("CURL_SSL_BACKEND");

#ifdef __APPLE__
#if TARGET_OS_OSX
  if (!env)
    env = have_openssl() ? "openssl" : "secure-transport";
#endif
#endif

and CURL_DEFAULT_SSL_BACKEND where CURL_DEFAULT_SSL_BACKEND is configured for openssl which corroborates my observation that the --verbose output seen for curl could only be possible if the implementation were truly OpenSSL. So, setting:

setenv CURL_SSL_BACKEND secure-transport

yields output from curl -4 --verbose --ftp-pasv --ftp-ssl-reqd ftp://ftp.sjtu.edu.cn:21/pub/README.NetInstall -o README.NetInstall that is consistent with the sectransp.c implementation:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host ftp.sjtu.edu.cn:21 was resolved.
* IPv6: (none)
* IPv4: 202.38.97.230
*   Trying 202.38.97.230:21...
* Connected to ftp.sjtu.edu.cn (202.38.97.230) port 21
< 220 (vsFTPd 3.0.2)
> AUTH SSL
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0< 234 Proceed with negotiation.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: ftp.sjtu.edu.cn
* Server certificate: ZeroSSL RSA Domain Secure Site CA
* Server certificate: USERTrust RSA Certification Authority
> USER anonymous
< 331 Please specify the password.
> PASS ftp@example.com
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< 230 Login successful.
> PBSZ 0
< 200 PBSZ set to 0.
> PROT P
< 200 PROT now Private.
> PWD
< 257 "/"
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 Directory successfully changed.
> EPSV
* Connect data stream passively
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0< 229 Entering Extended Passive Mode (|||14172|).
* Connecting to 202.38.97.230 (202.38.97.230) port 14172
*   Trying 202.38.97.230:14172...
* Connected 2nd connection to 202.38.97.230 port 14172
* SSL reusing session ID
> TYPE I
< 200 Switching to Binary mode.
> SIZE README.NetInstall
< 213 427
> RETR README.NetInstall
  0   427    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0< 150 Opening BINARY mode data connection for README.NetInstall (427 bytes).
* Maxdownload = -1
* Getting file with size: 427
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: ftp.sjtu.edu.cn
* Server certificate: ZeroSSL RSA Domain Secure Site CA
* Server certificate: USERTrust RSA Certification Authority
{ [427 bytes data]
* Remembering we are in dir "pub/"
< 226 Transfer complete.
100   427  100   427    0     0     85      0  0:00:05  0:00:04  0:00:01    85
* Connection #0 to host ftp.sjtu.edu.cn left intact

With that, not only does it still work but I get a Wireshark data channel ClientHello that is more consistent with what I see in my libncftp Secure Transport implementation, including the three status_request, signed_certificate_timestamp, and extended_master_secret extensions as well as a set of cipher suites that is more consistent.

Also consistent with the openssl backend, Wireshark—for whatever reason—does not pick up the initial control channel ClientHello. I see 234 Proceed with negotiation.\r\n and then a series of what looks to be opaque data, possibly with some certificate chain validation with various certificate data.

In short, curl on macOS 14.7.2 with either openssl or secure-transport SSL backends (continues to) work.

To keep the comparison apples-to-apples, I also experimented with the curl --disable-epsv option, with which macOS curl still succeeds:

% curl -4 --verbose --disable-epsv --ftp-pasv --ftp-ssl-reqd ftp://ftp.sjtu.edu.cn:21/pub/README.NetInstall -o README.NetInstall && rm -f README.NetInstall
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host ftp.sjtu.edu.cn:21 was resolved.
* IPv6: (none)
* IPv4: 202.38.97.230
*   Trying 202.38.97.230:21...
* Connected to ftp.sjtu.edu.cn (202.38.97.230) port 21
< 220 (vsFTPd 3.0.2)
> AUTH SSL
< 234 Proceed with negotiation.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: ftp.sjtu.edu.cn
* Server certificate: ZeroSSL RSA Domain Secure Site CA
* Server certificate: USERTrust RSA Certification Authority
> USER anonymous
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< 331 Please specify the password.
> PASS ftp@example.com
< 230 Login successful.
> PBSZ 0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< 200 PBSZ set to 0.
> PROT P
< 200 PROT now Private.
> PWD
< 257 "/"
* Entry path is '/'
> CWD pub
* ftp_perform ends with SECONDARY: 0
< 250 Directory successfully changed.
> PASV
* Connect data stream passively
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0< 227 Entering Passive Mode (202,38,97,230,62,39).
* Skip 202.38.97.230 for data connection, reuse ftp.sjtu.edu.cn instead
* Connecting to 202.38.97.230 (202.38.97.230) port 15911
*   Trying 202.38.97.230:15911...
* Connected 2nd connection to 202.38.97.230 port 15911
* SSL reusing session ID
> TYPE I
< 200 Switching to Binary mode.
> SIZE README.NetInstall
< 213 427
> RETR README.NetInstall
  0   427    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: ftp.sjtu.edu.cn
* Server certificate: ZeroSSL RSA Domain Secure Site CA
* Server certificate: USERTrust RSA Certification Authority
< 150 Opening BINARY mode data connection for README.NetInstall (427 bytes).
* Maxdownload = -1
* Getting file with size: 427
{ [427 bytes data]
* Remembering we are in dir "pub/"
< 226 Transfer complete.
100   427  100   427    0     0     77      0  0:00:05  0:00:05 --:--:--    85
* Connection #0 to host ftp.sjtu.edu.cn left intact

I'll play with Wireshark; however, it would seem there is something in that initial control channel ClientHello (or whatever is happening there) that unlocks the difference in behavior.

FYI, parallel DTS case 11579452.

curl on macOS 14.7.2 with either openssl or secure-transport SSL backends (continues to) work.

Well that’s a good sign. It suggests that, with the right wrangling, you will be able to get Secure Transport to do what you want. You just have to work out what that wrangling is (-:

The issue here is that it’s not at all clear what these servers are complaining about. My general process for debugging such things is to run a packet trace of the working example (curl in Secure Transport mode), a packet trace of the non-working example (your code), and see where things diverge on the wire. Once you get to that point, if you have questions about the Secure Transport side of this, post ’em here and I’ll take a look.

Oh, the other option is to bring up one of these servers yourself and use logging (or the debugger) to work out why it’s rejecting the connection.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
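
One way to find where two clients diverge on the wire, as an added example that is not part of the thread: it parses the ClientHello record from each capture and reports differences in session ID, cipher suites and extension types (5, 18 and 23 are the status_request, signed_certificate_timestamp and extended_master_secret extensions discussed in the thread). All function names are hypothetical and the two sample records are constructed here, not taken from any capture.

```python
import struct

# Extension types called out in the thread.
NAMES = {5: "status_request", 18: "signed_certificate_timestamp",
         23: "extended_master_secret"}


def parse_client_hello(record):
    """Parse a TLS record carrying one whole ClientHello."""
    try:
        ctype, _ver, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                  # skip version, random
        sid_len = hello[pos]
        session_id = bytes(hello[pos + 1:pos + 1 + sid_len])
        pos += 1 + sid_len
        cs_len = int.from_bytes(hello[pos:pos + 2], "big")
        suites = [int.from_bytes(hello[i:i + 2], "big")
                  for i in range(pos + 2, pos + 2 + cs_len, 2)]
        pos += 2 + cs_len
        pos += 1 + hello[pos]                         # compression methods
        extensions = []
        if pos < len(hello):
            end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= min(end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, pos)
                extensions.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"session_id": session_id, "suites": suites,
            "extensions": extensions}


def diff_hellos(a, b):
    """Report what differs between two parsed ClientHellos (a vs. b)."""
    def only(key, x, y):
        return sorted(set(x[key]) - set(y[key]))
    return {
        "session_id_offered": (len(a["session_id"]) > 0,
                               len(b["session_id"]) > 0),
        "suites_only_in_a": only("suites", a, b),
        "suites_only_in_b": only("suites", b, a),
        "extensions_only_in_a": only("extensions", a, b),
        "extensions_only_in_b": only("extensions", b, a),
    }


def build_client_hello(session_id, suites, ext_types):
    """Build a minimal record for the constructed samples (empty ext data)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


def constructed_samples():
    """Two constructed data-channel hellos: client A and client B."""
    a = build_client_hello(bytes(range(32)), [0xC030, 0x009F, 0x00FF],
                           [0, 10, 11, 13])
    b = build_client_hello(b"", [0xC030, 0x00FF], [0, 10, 11, 13, 5, 18, 23])
    return a, b


if __name__ == "__main__":
    rec_a, rec_b = constructed_samples()
    report = diff_hellos(parse_client_hello(rec_a), parse_client_hello(rec_b))
    for key, value in report.items():
        if key.startswith("extensions"):
            value = [NAMES.get(t, hex(t)) for t in value]
        print(key, value)
```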

I've brought up the vsftpd-3.0.5 source code; however, whatever is failing is failing within OpenSSL rather than vsftpd, so I'll need to go a level deeper in pursuing that route.

Using:

% setenv CURL_SSL_BACKEND secure-transport
% curl -4 --verbose --disable-epsv --ftp-pasv --ftp-ssl-reqd ftp://ftp.sjtu.edu.cn:21/pub/README.NetInstall -o README.NetInstall

and enabling this block in our libncftp implementation in FTPChannelTLS_SecureTransportCreateSecureContext:

    result = SetDefaultCipherSuites(ssl_context);
    if (result != kNoErr)
        goto done;

which establishes a controlled collection of Secure Transport cipher suites that are strong and safe (similar to what curl does), disabling those that Secure Transport supports but are regarded as weak and unsafe due to either a weak key exchange or bulk encryption algorithm and then running:

% ./samples/misc/ncftpgetbytes -d stderr --secure --explicit --secure-both ftp://ftp.sjtu.edu.cn:21/pub/README.NetInstall

I am able to get identical control and data channel TLS v1.2 ClientHello between the two implementations.

In the intervening time, I have also pressed Fetch 5.8 into play, since it appears to support RFC4217 Secure FTP with TLS using Secure Transport.

With that, I have three implementations with nearly identical control and data TLS v1.2 ClientHello interactions:

  1. macOS 14.7.2 "Sonoma" curl 8.7.1 with the Secure Transport SSL backend.
    1. Frame 10: 255 bytes on wire (2040 bits), 255 bytes captured (2040 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 59659 (59659), Dst Port: ftp (21), Seq: 11, Ack: 52, Len: 189
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 184
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 180
                  Version: TLS 1.2 (0x0303)
                  Random: 67a265110ca18a92cd9ac84b497db8ebe59fa897b5118b31fa5b46b5d6ccfa6e
                      GMT Unix Time: Feb  4, 2025 11:05:53.000000000 PST
                      Random Bytes: 0ca18a92cd9ac84b497db8ebe59fa897b5118b31fa5b46b5d6ccfa6e
                  Session ID Length: 0
                  Cipher Suites Length: 58
                  Cipher Suites (29 suites)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d290700_ce028126f2cf_3304d8368043]
                  [JA4_r: t12d290700_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,009c,009d,009e,009f,00ae,00af,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49200-49199-49192-49191-49172-49171-159-158-107-103-57-51-157-156-61-60-53-47-175-174-141-140,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: 72d1ce3ec5344511133a5ead287e526e]
    2. Frame 54: 287 bytes on wire (2296 bits), 287 bytes captured (2296 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 59660 (59660), Dst Port: 62163 (62163), Seq: 1, Ack: 1, Len: 221
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 216
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 212
                  Version: TLS 1.2 (0x0303)
                  Random: 67a26513f800a7550ebd7c3aa73714288f4f738988f00bb53938769b7fb74f2a
                      GMT Unix Time: Feb  4, 2025 11:05:55.000000000 PST
                      Random Bytes: f800a7550ebd7c3aa73714288f4f738988f00bb53938769b7fb74f2a
                  Session ID Length: 32
                  Session ID: 0884dc8c9263e319cc00bd96818543a40053de39032ed01dd17ac01988c2ab17
                  Cipher Suites Length: 58
                  Cipher Suites (29 suites)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d290700_ce028126f2cf_3304d8368043]
                  [JA4_r: t12d290700_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,009c,009d,009e,009f,00ae,00af,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49200-49199-49192-49191-49172-49171-159-158-107-103-57-51-157-156-61-60-53-47-175-174-141-140,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: 72d1ce3ec5344511133a5ead287e526e]
  2. Fetch 5.8
    1. Frame 10: 241 bytes on wire (1928 bits), 241 bytes captured (1928 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 64718 (64718), Dst Port: ftp (21), Seq: 11, Ack: 52, Len: 175
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 170
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 166
                  Version: TLS 1.2 (0x0303)
                  Random: 67a286f4b8df7dcc7af3cc8039db44fa740b75e9b4e41e7909f01452afe2ac97
                      GMT Unix Time: Feb  4, 2025 13:30:28.000000000 PST
                      Random Bytes: b8df7dcc7af3cc8039db44fa740b75e9b4e41e7909f01452afe2ac97
                  Session ID Length: 0
                  Cipher Suites Length: 44
                  Cipher Suites (22 suites)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d220700_0d4ca5d4ec72_3304d8368043]
                  [JA4_r: t12d220700_000a,002f,0035,003c,003d,009c,009d,00ff,c008,c009,c00a,c012,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49160-49200-49199-49192-49191-49172-49171-49170-157-156-61-60-53-47-10,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: e4d448cdfe06dc1243c1eb026c74ac9a]
      
    2. Frame 59: 273 bytes on wire (2184 bits), 273 bytes captured (2184 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 64719 (64719), Dst Port: 46894 (46894), Seq: 1, Ack: 1, Len: 207
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 202
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 198
                  Version: TLS 1.2 (0x0303)
                  Random: 67a286f796b35d5c5597ef105149d2e766b2bd379d154bbf91b457e9de703847
                      GMT Unix Time: Feb  4, 2025 13:30:31.000000000 PST
                      Random Bytes: 96b35d5c5597ef105149d2e766b2bd379d154bbf91b457e9de703847
                  Session ID Length: 32
                  Session ID: 464cafa5581e0217481bb6978d088268cb46829661a6d2f700af392f19c75c0e
                  Cipher Suites Length: 44
                  Cipher Suites (22 suites)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d220700_0d4ca5d4ec72_3304d8368043]
                  [JA4_r: t12d220700_000a,002f,0035,003c,003d,009c,009d,00ff,c008,c009,c00a,c012,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49160-49200-49199-49192-49191-49172-49171-49170-157-156-61-60-53-47-10,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: e4d448cdfe06dc1243c1eb026c74ac9a]
      
    3. Frame 99: 273 bytes on wire (2184 bits), 273 bytes captured (2184 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 64728 (64728), Dst Port: 14843 (14843), Seq: 1, Ack: 1, Len: 207
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 202
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 198
                  Version: TLS 1.2 (0x0303)
                  Random: 67a2870f8f2e07096846c01d4e9f850d2125c4e031547dd26ab4ccd1af0b6e39
                      GMT Unix Time: Feb  4, 2025 13:30:55.000000000 PST
                      Random Bytes: 8f2e07096846c01d4e9f850d2125c4e031547dd26ab4ccd1af0b6e39
                  Session ID Length: 32
                  Session ID: 464cafa5581e0217481bb6978d088268cb46829661a6d2f700af392f19c75c0e
                  Cipher Suites Length: 44
                  Cipher Suites (22 suites)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d220700_0d4ca5d4ec72_3304d8368043]
                  [JA4_r: t12d220700_000a,002f,0035,003c,003d,009c,009d,00ff,c008,c009,c00a,c012,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49160-49200-49199-49192-49191-49172-49171-49170-157-156-61-60-53-47-10,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: e4d448cdfe06dc1243c1eb026c74ac9a]
  3. libncftp
    1. Frame 22: 255 bytes on wire (2040 bits), 255 bytes captured (2040 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 61385 (61385), Dst Port: ftp (21), Seq: 28, Ack: 202, Len: 189
      Transport Layer Security
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 184
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 180
                  Version: TLS 1.2 (0x0303)
                  Random: 67a271516447f8241bc26ae70108821bcf55400bd502ca09d08ae80cdbfaa208
                      GMT Unix Time: Feb  4, 2025 11:58:09.000000000 PST
                      Random Bytes: 6447f8241bc26ae70108821bcf55400bd502ca09d08ae80cdbfaa208
                  Session ID Length: 0
                  Cipher Suites Length: 58
                  Cipher Suites (29 suites)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d290700_ce028126f2cf_3304d8368043]
                  [JA4_r: t12d290700_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,009c,009d,009e,009f,00ae,00af,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49200-49199-49192-49191-49172-49171-159-158-107-103-57-51-157-156-61-60-53-47-175-174-141-140,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: 72d1ce3ec5344511133a5ead287e526e]
    2. Frame 92: 287 bytes on wire (2296 bits), 287 bytes captured (2296 bits) on interface en0, id 0
      Ethernet II, Src: Apple_ba:2f:d7 (e4:50:eb:ba:2f:d7), Dst: Ubiquiti_10:27:1c (f0:9f:c2:10:27:1c)
      Internet Protocol Version 4, Src: 192.168.1.128 (192.168.1.128), Dst: 202.38.97.230 (202.38.97.230)
      Transmission Control Protocol, Src Port: 61386 (61386), Dst Port: 30396 (30396), Seq: 1, Ack: 1, Len: 221
      Transport Layer Security
          TLSv1 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 216
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 212
                  Version: TLS 1.2 (0x0303)
                  Random: 67a271541faff5a3b12f2158f60d6c2b1edc453c379d2f7865c09e1f12d6146b
                      GMT Unix Time: Feb  4, 2025 11:58:12.000000000 PST
                      Random Bytes: 1faff5a3b12f2158f60d6c2b1edc453c379d2f7865c09e1f12d6146b
                  Session ID Length: 32
                  Session ID: c9519114a295130318a1c9b680bb546889b878ba0c7275c603e223938e89feb3
                  Cipher Suites Length: 58
                  Cipher Suites (29 suites)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
                      Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
                      Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 81
                  Extension: server_name (len=20) name=ftp.sjtu.edu.cn
                      Type: server_name (0)
                      Length: 20
                      Server Name Indication extension
                          Server Name list length: 18
                          Server Name Type: host_name (0)
                          Server Name length: 15
                          Server Name: ftp.sjtu.edu.cn
                  Extension: supported_groups (len=8)
                      Type: supported_groups (10)
                      Length: 8
                      Supported Groups List Length: 6
                      Supported Groups (3 groups)
                          Supported Group: secp256r1 (0x0017)
                          Supported Group: secp384r1 (0x0018)
                          Supported Group: secp521r1 (0x0019)
                  Extension: ec_point_formats (len=2)
                      Type: ec_point_formats (11)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                          EC point format: uncompressed (0)
                  Extension: signature_algorithms (len=18)
                      Type: signature_algorithms (13)
                      Length: 18
                      Signature Hash Algorithms Length: 16
                      Signature Hash Algorithms (8 algorithms)
                          Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: RSA (1)
                          Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                              Signature Hash Algorithm Hash: SHA256 (4)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_sha1 (0x0203)
                              Signature Hash Algorithm Hash: SHA1 (2)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                              Signature Hash Algorithm Hash: SHA384 (5)
                              Signature Hash Algorithm Signature: ECDSA (3)
                          Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                              Signature Hash Algorithm Hash: SHA512 (6)
                              Signature Hash Algorithm Signature: ECDSA (3)
                  Extension: status_request (len=5)
                      Type: status_request (5)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp (len=0)
                      Type: signed_certificate_timestamp (18)
                      Length: 0
                  Extension: extended_master_secret (len=0)
                      Type: extended_master_secret (23)
                      Length: 0
                  [JA4: t12d290700_ce028126f2cf_3304d8368043]
                  [JA4_r: t12d290700_002f,0033,0035,0039,003c,003d,0067,006b,008c,008d,009c,009d,009e,009f,00ae,00af,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_0005,000a,000b,000d,0012,0017_0401,0201,0501,0601,0403,0203,0503,0603]
                  [JA3 Fullstring: 771,255-49196-49195-49188-49187-49162-49161-49200-49199-49192-49191-49172-49171-159-158-107-103-57-51-157-156-61-60-53-47-175-174-141-140,0-10-11-13-5-18-23,23-24-25,0]
                  [JA3: 72d1ce3ec5344511133a5ead287e526e]

It feels like this is a one- or two-liner away from working.

Diving into github.com/apple-oss-distributions/Security with OSX/libsecurity_ssl/lib/sslRecord.c and OSX/libsecurity_ssl/lib/sslTransport.c, it looks like the implementation can return errSSLClosedAbort from the following:

  • OSX/libsecurity_ssl/lib/sslRecord.c:
    • errorTranslate when recordErr is errSSLRecordClosedAbort
    • errorTranslate is called from:
      • SSLWriteRecord
      • SSLReadRecord
      • SSLServiceWriteQueue
  • OSX/libsecurity_ssl/lib/sslTransport.c:
    • SSLHandshake when ctx->state is SSL_HdskStateErrorClose.
    • SSLRead when ctx->state is SSL_HdskStateErrorClose or SSL_HdskStateOutOfBandError.
    • SSLReHandshake when ctx->state is SSL_HdskStateErrorClose or SSL_HdskStateOutOfBandError.
    • SSLWrite when ctx->state is SSL_HdskStateErrorClose or SSL_HdskStateOutOfBandError.

For some reason, my implementation is triggering one of these cases whereas curl and Fetch 5.8 are not.

I've brought up the vsftpd-3.0.5 source code; however, whatever is failing …

But, just to confirm, that means that you can reproduce this with a server under your control, right? If so, that’s definitely progress.

I have three implementations with nearly identical control and data TLS v1.2 ClientHello interaction

OK. And cases 1 and 2 (curl with Secure Transport, and Fetch 5.8) work whereas case 3 (your libncftp code) fails, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
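
The control-versus-data Client Hello comparison this thread relies on can be automated against Wireshark's text dissection. The following is an added example, not code from any post in the thread or from libncftp; the sample dissection text, host name, ports and function names are constructed for illustration.

```python
import re

# Constructed sample (not the thread's capture): two Client Hello dissections
# in Wireshark's text layout, control channel first, then data channel.
SAMPLE = """\
  Transmission Control Protocol, Src Port: 50000 (50000), Dst Port: 21 (21), Seq: 1
      Handshake Protocol: Client Hello
          Session ID Length: 0
              Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
              Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
              Server Name: ftp.example.test
  Transmission Control Protocol, Src Port: 50001 (50001), Dst Port: 30000 (30000), Seq: 1
      Handshake Protocol: Client Hello
          Session ID Length: 32
          Session ID: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
              Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
              Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
              Server Name: ftp.example.test
"""

def parse_client_hellos(text):
    """Return one dict per Client Hello: dst_port, session_id, suites, sni."""
    hellos, cur, port = [], None, None
    for s in map(str.strip, text.splitlines()):
        if m := re.search(r"Dst Port: (\d+)", s):
            port, cur = int(m.group(1)), None
        elif s.startswith("Handshake Protocol:"):
            # Only a Client Hello opens a record; Server Hello etc. close it.
            cur = None
            if s.endswith("Client Hello"):
                cur = {"dst_port": port, "session_id": "", "suites": [], "sni": None}
                hellos.append(cur)
        elif cur is None:
            continue
        elif m := re.fullmatch(r"Session ID: ([0-9a-f]+)", s):
            cur["session_id"] = m.group(1)
        elif m := re.fullmatch(r"Cipher Suite: \S+ \((0x[0-9a-f]{4})\)", s):
            cur["suites"].append(m.group(1))
        elif m := re.fullmatch(r"Server Name: (\S+)", s):
            cur["sni"] = m.group(1)
    return hellos

def reuse_findings(control, data):
    """Reasons a reuse-enforcing FTPS server could reject the data channel."""
    checks = [(not data["session_id"], "data hello offers no session ID"),
              (data["suites"] != control["suites"], "cipher suites differ"),
              (data["sni"] != control["sni"], "SNI differs")]
    return [msg for failed, msg in checks if failed]
```

An empty findings list only shows that the data-channel hello offers a session with matching parameters; whether the server actually resumed it is visible in the Server Hello, which echoes the offered Session ID on a TLS 1.2 resumption.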
