On Wed, Jun 15, 2022 at 03:09:16PM -0400, Viktor Dukhovni wrote:

> You can share the PCAP file with me off-list.

Thanks for the PCAP file.  An immediate interesting feature is how the
connection is terminated ("tcpdump" output edited to trim excess
detail):

    22:32:13.555416 1711 > 25: [S], seq 3405166426, win 65535, length 0
    22:32:13.555449 25 > 1711: [S.], seq 1841506549, ack 3405166427, win 28960, length 0
    22:32:13.742679 1711 > 25: [.], ack 1, win 2058, length 0
    22:32:13.994238 25 > 1711: [P.], seq 1:39, ack 1, win 227, length 38: SMTP: 220 mail.ittech.com.sg ESMTP Postfix
    22:32:14.182397 1711 > 25: [.], ack 39, win 2058, length 0
    22:32:14.182736 1711 > 25: [P.], seq 1:24, ack 39, win 2058, length 23: SMTP: EHLO ansmtp.ariba.com
    22:32:14.182767 25 > 1711: [.], ack 24, win 227, length 0
    22:32:14.182917 25 > 1711: [P.], seq 39:194, ack 24, win 227, length 155: SMTP: 250-mail.ittech.com.sg
    22:32:14.370857 1711 > 25: [.], ack 194, win 2056, length 0
    22:32:14.371213 1711 > 25: [P.], seq 24:34, ack 194, win 2058, length 10: SMTP: STARTTLS
    22:32:14.371276 25 > 1711: [P.], seq 194:224, ack 34, win 227, length 30: SMTP: 220 2.0.0 Ready to start TLS
    22:32:14.559151 1711 > 25: [.], ack 224, win 2058, length 0
    22:32:14.559877 1711 > 25: [P.], seq 34:233, ack 224, win 2058, length 199
    22:32:14.561871 25 > 1711: [.], seq 224:1672, ack 233, win 235, length 1448
    22:32:14.561873 25 > 1711: [.], seq 1672:3120, ack 233, win 235, length 1448
    22:32:14.561912 25 > 1711: [P.], seq 3120:3355, ack 233, win 235, length 235
    22:32:14.750425 1711 > 25: [R.], seq 233, ack 1672, win 235, length 0

As we'll see below, the last three TCP segments from the server
contain the TLS Server HELLO, the certificate message, the key exchange
message and server HELLO DONE message.  The client slams the door closed
with "RST + ACK" and a sequence number acking receipt of just the first
of the three frames.  The RST is delayed by ~190ms, which is close to
the RTT delay for earlier messages, so its origin does appear to be
remote.

[ Trimmed "tshark" decodes below signature ]

The first frame contains the TLS Server Hello and only a portion of the
server certificate message.  I am guessing that the remote TLS stack
does not process partial TLS records (waits for each record to arrive in
full).  So whatever the client TLS stack did not like was in the TLS
Server Hello.

The TLS Server Hello message does not look at all remarkable to me:

        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 57
            Version: TLS 1.2 (0x0303)
            Random: ...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Compression Method: null (0)
            Extensions Length: 17
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)

So it is far from clear what you could do to make this client happy.
Perhaps some security middlebox near the client is misbehaving, or its
TLS stack is broken beyond repair.  Your best may be to disable STARTTLS
for connections from this client:

    smtpd_discard_ehlo_keyword_address_maps =
        inline:{ { 216.109.104.12 = starttls } }

If possible, reach out to the postmaster of the remote system or ask the
receiving user for their contacts on the sending side.  They may have some
insight about what it is their software is unhappy about.

-- 
    Viktor.
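
[Added example, not part of the original message or of Postfix: a short Python sketch of the arithmetic behind the analysis above, mapping the ack number in the client's RST onto the TLS record boundaries to show which records had arrived in full. Function names are hypothetical; the sequence numbers and record lengths are those in the tcpdump and tshark output, while the record bodies are constructed zero-filled stand-ins and the later key exchange and Server Hello Done records are not modelled.]

```python
import struct
from typing import NamedTuple

# Relative sequence numbers copied from the tcpdump output in the message.
TLS_START_SEQ = 224      # first server byte after "220 2.0.0 Ready to start TLS"
RST_ACK = 1672           # ack number carried by the client's RST
SERVER_SEGMENTS = [(224, 1448), (1672, 1448), (3120, 235)]   # (seq, length)

HANDSHAKE = 22           # TLS record content type
HANDSHAKE_TYPES = {2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}


class RecordStatus(NamedTuple):
    name: str        # handshake type of the first message in the record
    size: int        # 5-byte record header plus payload
    received: int    # bytes of this record covered by the ack
    complete: bool


def build_record(handshake_type, body_len, version=0x0303):
    """Constructed stand-in: genuine record/handshake headers, zero-filled body."""
    message = bytes([handshake_type]) + body_len.to_bytes(3, "big") + bytes(body_len)
    return struct.pack("!BHH", HANDSHAKE, version, len(message)) + message


def segments_fully_acked(segments, ack):
    """An ack number is the next byte expected, so seq + length <= ack means received."""
    return sum(1 for seq, length in segments if seq + length <= ack)


def records_at_ack(stream, delivered):
    """Walk the record headers and report how much of each record had been acked."""
    statuses, offset = [], 0
    while offset < delivered and offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        size = 5 + length
        name = "content_type_%d" % ctype
        if ctype == HANDSHAKE and offset + 5 < len(stream):
            name = HANDSHAKE_TYPES.get(stream[offset + 5], "handshake")
        received = min(delivered - offset, size)
        statuses.append(RecordStatus(name, size, received, received == size))
        offset += size
    return statuses


def sample_stream():
    """Server Hello (body 57) and Certificate (body 2641), lengths as in the decode."""
    return build_record(2, 57) + build_record(11, 2641)


if __name__ == "__main__":
    delivered = RST_ACK - TLS_START_SEQ
    print("segments acked in full:", segments_fully_acked(SERVER_SEGMENTS, RST_ACK))
    for status in records_at_ack(sample_stream(), delivered):
        print(status)
```

[The 1382 bytes of the Certificate record covered by the ack match the "TCP segment data (1382 bytes)" line in the decode of the first server segment.]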

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 0, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x002 (SYN)

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 0, Ack: 1, Len: 0
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x012 (SYN, ACK)

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 1, Ack: 1, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 1    (relative sequence number)
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 1, Ack: 1, Len: 38
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 38]
    Sequence Number: 1    (relative sequence number)
    [Next Sequence Number: 39    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)

    220 mail.ittech.com.sg ESMTP Postfix

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 1, Ack: 39, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 1    (relative sequence number)
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 39    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 1, Ack: 39, Len: 23
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 23]
    Sequence Number: 1    (relative sequence number)
    [Next Sequence Number: 24    (relative sequence number)]
    Acknowledgment Number: 39    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)

    EHLO ansmtp.ariba.com

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 39, Ack: 24, Len: 0
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 0]
    Sequence Number: 39    (relative sequence number)
    [Next Sequence Number: 39    (relative sequence number)]
    Acknowledgment Number: 24    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 39, Ack: 24, Len: 155
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 155]
    Sequence Number: 39    (relative sequence number)
    [Next Sequence Number: 194    (relative sequence number)]
    Acknowledgment Number: 24    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)

    250-mail.ittech.com.sg
    250-PIPELINING
    250-SIZE 31457280
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 24, Ack: 194, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 24    (relative sequence number)
    [Next Sequence Number: 24    (relative sequence number)]
    Acknowledgment Number: 194    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 24, Ack: 194, Len: 10
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 10]
    Sequence Number: 24    (relative sequence number)
    [Next Sequence Number: 34    (relative sequence number)]
    Acknowledgment Number: 194    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)

    STARTTLS

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 194, Ack: 34, Len: 30
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 30]
    Sequence Number: 194    (relative sequence number)
    [Next Sequence Number: 224    (relative sequence number)]
    Acknowledgment Number: 34    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)

    220 2.0.0 Ready to start TLS

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 34, Ack: 224, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 34    (relative sequence number)
    [Next Sequence Number: 34    (relative sequence number)]
    Acknowledgment Number: 224    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 34, Ack: 224, Len: 199
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 199]
    Sequence Number: 34    (relative sequence number)
    [Next Sequence Number: 233    (relative sequence number)]
    Acknowledgment Number: 224    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 194
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 190
            Version: TLS 1.2 (0x0303)
            Random: ...
            Session ID Length: 0
            Cipher Suites Length: 82
            Cipher Suites (41 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
                Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
                Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
                Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
                Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
                Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
                Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 67
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: supported_groups (len=10)
                Type: supported_groups (10)
                Length: 10
                Supported Groups List Length: 8
                Supported Groups (4 groups)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp192r1 (0x0013)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms (len=32)
                Type: signature_algorithms (13)
                Length: 32
                Signature Hash Algorithms Length: 30
                Signature Hash Algorithms (15 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA512 DSA (0x0602)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: heartbeat (len=1)
                Type: heartbeat (15)
                Length: 1
                Mode: Peer allowed to send requests (1)

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 224, Ack: 233, Len: 1448
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 1448]
    Sequence Number: 224    (relative sequence number)
    [Next Sequence Number: 1672    (relative sequence number)]
    Acknowledgment Number: 233    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    TCP payload (1448 bytes)
    TCP segment data (1382 bytes)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 61
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 57
            Version: TLS 1.2 (0x0303)
            Random: ...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Compression Method: null (0)
            Extensions Length: 17
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 1672, Ack: 233, Len: 1448
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 1448]
    Sequence Number: 1672    (relative sequence number)
    [Next Sequence Number: 3120    (relative sequence number)]
    Acknowledgment Number: 233    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
[2 Reassembled TCP Segments (2650 bytes): #14(1382), #15(1268)]
    [Frame: 14, payload: 0-1381 (1382 bytes)]
    [Frame: 15, payload: 1382-2649 (1268 bytes)]
    [Segment count: 2]
    [Reassembled TCP length: 2650]
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2645
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2641
            Certificates Length: 2638
            Certificates (2638 bytes)
                Certificate Length: 1326
                Certificate: ... (id-at-commonName=mail.ittech.com.sg)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: ...
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 3 items (id-at-commonName=R3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-organizationName=Let's Encrypt)
                                    RelativeDistinguishedName item (id-at-organizationName=Let's Encrypt)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: Let's Encrypt
                                RDNSequence item: 1 item (id-at-commonName=R3)
                                    RelativeDistinguishedName item (id-at-commonName=R3)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: R3
                        validity
                            notBefore: utcTime (0)
                                utcTime: 2022-06-15 16:55:26 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 2022-09-13 16:55:25 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 1 item (id-at-commonName=mail.ittech.com.sg)
                                RDNSequence item: 1 item (id-at-commonName=mail.ittech.com.sg)
                                    RelativeDistinguishedName item (id-at-commonName=mail.ittech.com.sg)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: mail.ittech.com.sg
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            subjectPublicKey: 3082010a0282010100c5421505cb9e836e0dd36d08bc1dd8a6e84435bf237f6875b685af…
                        extensions: 9 items
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 5
                                KeyUsage: a0
                                    1... .... = digitalSignature: True
                                    .0.. .... = contentCommitment: False
                                    ..1. .... = keyEncipherment: True
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .0.. = keyCertSign: False
                                    .... ..0. = cRLSign: False
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-ce-extKeyUsage)
                                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                                KeyPurposeIDs: 2 items
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                            Extension (id-ce-basicConstraints)
                                Extension Id: 2.5.29.19 (id-ce-basicConstraints)
                                critical: True
                                BasicConstraintsSyntax [0 length]
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: ...
                            Extension (id-ce-authorityKeyIdentifier)
                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                AuthorityKeyIdentifier
                                    keyIdentifier: ...
                            Extension (id-pe-authorityInfoAccess)
                                Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
                                AuthorityInfoAccessSyntax: 2 items
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://r3.o.lencr.org
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://r3.i.lencr.org/
                            Extension (id-ce-subjectAltName)
                                Extension Id: 2.5.29.17 (id-ce-subjectAltName)
                                GeneralNames: 1 item
                                    GeneralName: dNSName (2)
                                        dNSName: mail.ittech.com.sg
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                CertificatePoliciesSyntax: 2 items
                                    PolicyInformation
                                        policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
                                    PolicyInformation
                                        policyIdentifier: 1.3.6.1.4.1.44947.1.1.1 (iso.3.6.1.4.1.44947.1.1.1)
                                        policyQualifiers: 1 item
                                            PolicyQualifierInfo
                                                Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
                                                DirectoryString: http://cps.letsencrypt.org
                            Extension (SignedCertificateTimestampList)
                                Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
                                Serialized SCT List Length: 240
                                Signed Certificate Timestamp (Let's Encrypt 'Oak2022' log)
                                    ...
                                Signed Certificate Timestamp (Google 'Argon2022' log)
                                    ...
                    algorithmIdentifier (sha256WithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: ...
                Certificate Length: 1306
                Certificate: ... (id-at-commonName=R3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: ...
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 3 items (id-at-commonName=ISRG Root X1,id-at-organizationName=Internet Security Research Group,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-organizationName=Internet Security Research Group)
                                    RelativeDistinguishedName item (id-at-organizationName=Internet Security Research Group)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: Internet Security Research Group
                                RDNSequence item: 1 item (id-at-commonName=ISRG Root X1)
                                    RelativeDistinguishedName item (id-at-commonName=ISRG Root X1)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: ISRG Root X1
                        validity
                            notBefore: utcTime (0)
                                utcTime: 2020-09-04 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 2025-09-15 16:00:00 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 3 items (id-at-commonName=R3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-organizationName=Let's Encrypt)
                                    RelativeDistinguishedName item (id-at-organizationName=Let's Encrypt)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: Let's Encrypt
                                RDNSequence item: 1 item (id-at-commonName=R3)
                                    RelativeDistinguishedName item (id-at-commonName=R3)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: R3
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            subjectPublicKey: 3082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26…
                        extensions: 8 items
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 1
                                KeyUsage: 86
                                    1... .... = digitalSignature: True
                                    .0.. .... = contentCommitment: False
                                    ..0. .... = keyEncipherment: False
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .1.. = keyCertSign: True
                                    .... ..1. = cRLSign: True
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-ce-extKeyUsage)
                                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                                KeyPurposeIDs: 2 items
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                            Extension (id-ce-basicConstraints)
                                Extension Id: 2.5.29.19 (id-ce-basicConstraints)
                                critical: True
                                BasicConstraintsSyntax
                                    cA: True
                                    pathLenConstraint: 0
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: ...
                            Extension (id-ce-authorityKeyIdentifier)
                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                AuthorityKeyIdentifier
                                    keyIdentifier: ...
                            Extension (id-pe-authorityInfoAccess)
                                Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
                                AuthorityInfoAccessSyntax: 1 item
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://x1.i.lencr.org/
                            Extension (id-ce-cRLDistributionPoints)
                                Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
                                CRLDistPointsSyntax: 1 item
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://x1.c.lencr.org/
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                CertificatePoliciesSyntax: 2 items
                                    PolicyInformation
                                        policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
                                    PolicyInformation
                                        policyIdentifier: 1.3.6.1.4.1.44947.1.1.1 (iso.3.6.1.4.1.44947.1.1.1)
                    algorithmIdentifier (sha256WithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: ...

Transmission Control Protocol, Src Port: 25, Dst Port: 1711, Seq: 3120, Ack: 233, Len: 235
    Source Port: 25
    Destination Port: 1711
    [TCP Segment Len: 235]
    Sequence Number: 3120    (relative sequence number)
    [Next Sequence Number: 3355    (relative sequence number)]
    Acknowledgment Number: 233    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
[2 Reassembled TCP Segments (406 bytes): #15(180), #16(226)]
    [Frame: 15, payload: 0-179 (180 bytes)]
    [Frame: 16, payload: 180-405 (226 bytes)]
    [Segment count: 2]
    [Reassembled TCP length: 406]
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 401
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 397
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: secp521r1 (0x0019)
                Pubkey Length: 133
                Pubkey: ...
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Length: 256
                Signature: ...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

Transmission Control Protocol, Src Port: 1711, Dst Port: 25, Seq: 233, Ack: 1672, Len: 0
    Source Port: 1711
    Destination Port: 25
    [TCP Segment Len: 0]
    Sequence Number: 233    (relative sequence number)
    [Next Sequence Number: 233    (relative sequence number)]
    Acknowledgment Number: 1672    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x014 (RST, ACK)
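
Added example (not part of the original message): a Python check for the pattern this trace ends with, a RST whose acknowledgment number is lower than what the peer had already sent. The sample lines are the last segments of the trimmed tcpdump output quoted at the top of the message, rejoined onto single lines; the function and field names are this example's own.

```python
import re
from datetime import datetime

# Last segments of the trimmed tcpdump trace quoted earlier in this message.
TRACE = """\
22:32:14.371276 25 > 1711: [P.], seq 194:224, ack 34, win 227, length 30: SMTP: 220 2.0.0 Ready to start TLS
22:32:14.559151 1711 > 25: [.], ack 224, win 2058, length 0
22:32:14.559877 1711 > 25: [P.], seq 34:233, ack 224, win 2058, length 199
22:32:14.561871 25 > 1711: [.], seq 224:1672, ack 233, win 235, length 1448
22:32:14.561873 25 > 1711: [.], seq 1672:3120, ack 233, win 235, length 1448
22:32:14.561912 25 > 1711: [P.], seq 3120:3355, ack 233, win 235, length 235
22:32:14.750425 1711 > 25: [R.], seq 233, ack 1672, win 235, length 0
"""

# Matches the trimmed "time sport > dport: [flags], seq a:b, ack n" layout above.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+) > (?P<dst>\d+): "
    r"\[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
)

def find_early_resets(trace):
    """Return one dict per RST that acknowledges less than its peer had sent."""
    sent = {}  # source port -> (highest relative seq sent, time of that segment)
    findings = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Time of day only: a capture that crosses midnight is not handled.
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, dst = m["src"], m["dst"]
        if m["end"] and int(m["end"]) > sent.get(src, (0, None))[0]:
            sent[src] = (int(m["end"]), ts)
        if "R" in m["flags"] and m["ack"] and dst in sent:
            peer_end, peer_ts = sent[dst]
            acked = int(m["ack"])
            if acked < peer_end:
                findings.append({
                    "rst_from": src, "acked": acked, "peer_sent": peer_end,
                    "unacked_bytes": peer_end - acked,
                    "delay_ms": round((ts - peer_ts).total_seconds() * 1000),
                })
    return findings

if __name__ == "__main__":
    for finding in find_early_resets(TRACE):
        print(finding)
```

On this trace the check reports the RST from port 1711 acknowledging 1672 of the 3355 bytes the server had sent, about 189 ms after the server's last segment.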
