diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..1a68db5e5 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,13 @@ +## Goal + + +## Changes +- + +## Testing + + +## Checklist +- [ ] Title is a clear sentence (≤ 70 chars) +- [ ] Commits are signed (`git log --show-signature`) +- [ ] `submissions/labN.md` updated diff --git a/submissions/attachments/lab4/clienthello-summary.txt b/submissions/attachments/lab4/clienthello-summary.txt new file mode 100644 index 000000000..eeb31fb16 --- /dev/null +++ b/submissions/attachments/lab4/clienthello-summary.txt @@ -0,0 +1,2 @@ +0x0303 0x1302,0x1303,0x1301,0xc02c,0xc030,0x009f,0xcca9,0xcca8,0xccaa,0xc02b,0xc02f,0x009e,0xc024,0xc028,0x006b,0xc023,0xc027,0x0067,0xc00a,0xc014,0x0039,0xc009,0xc013,0x0033,0x009d,0x009c,0x003d,0x003c,0x0035,0x002f,0x00ff +0x0303 localhost 0x1302,0x1303,0x1301,0xc02c,0xc030,0x009f,0xcca9,0xcca8,0xccaa,0xc02b,0xc02f,0x009e,0xc024,0xc028,0x006b,0xc023,0xc027,0x0067,0xc00a,0xc014,0x0039,0xc009,0xc013,0x0033,0x009d,0x009c,0x003d,0x003c,0x0035,0x002f,0x00ff diff --git a/submissions/attachments/lab4/clienthello.txt b/submissions/attachments/lab4/clienthello.txt new file mode 100644 index 000000000..7371eac36 --- /dev/null +++ b/submissions/attachments/lab4/clienthello.txt @@ -0,0 +1,566 @@ +Frame 4: 589 bytes on wire (4712 bits), 589 bytes captured (4712 bits) + Encapsulation type: Linux cooked-mode capture v2 (210) + Arrival Time: Jun 15, 2026 11:28:28.305818000 MSK + UTC Arrival Time: Jun 15, 2026 08:28:28.305818000 UTC + Epoch Arrival Time: 1781512108.305818000 + [Time shift for this packet: 0.000000000 seconds] + [Time delta from previous captured frame: 0.004353000 seconds] + [Time delta from previous displayed frame: 0.000000000 seconds] + [Time since reference or first frame: 0.004397000 seconds] + Frame Number: 4 + Frame Length: 589 bytes (4712 bits) + Capture Length: 589 bytes (4712 bits) + [Frame is marked: False] + [Frame is ignored: False] + [Protocols in frame: sll:ethertype:ip:tcp:tls] +Linux cooked capture v2 + Protocol: IPv4 (0x0800) + Interface index: 1 + Link-layer address type: Loopback (772) + Packet type: Unicast to us (0) + Link-layer address length: 6 + Source: 00:00:00_00:00:00 (00:00:00:00:00:00) + Unused: 0000 +Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1 + 0100 .... = Version: 4 + .... 0101 = Header Length: 20 bytes (5) + Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) + 0000 00.. = Differentiated Services Codepoint: Default (0) + .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) + Total Length: 569 + Identification: 0x95ef (38383) + 010. .... = Flags: 0x2, Don't fragment + 0... .... = Reserved bit: Not set + .1.. .... = Don't fragment: Set + ..0. .... = More fragments: Not set + ...0 0000 0000 0000 = Fragment Offset: 0 + Time to Live: 64 + Protocol: TCP (6) + Header Checksum: 0xa4cd [validation disabled] + [Header checksum status: Unverified] + Source Address: 127.0.0.1 + Destination Address: 127.0.0.1 +Transmission Control Protocol, Src Port: 44152, Dst Port: 8443, Seq: 1, Ack: 1, Len: 517 + Source Port: 44152 + Destination Port: 8443 + [Stream index: 0] + [Conversation completeness: Incomplete, ESTABLISHED (7)] + ..0. .... = RST: Absent + ...0 .... = FIN: Absent + .... 0... = Data: Absent + .... .1.. = ACK: Present + .... ..1. = SYN-ACK: Present + .... ...1 = SYN: Present + [Completeness Flags: ···ASS] + [TCP Segment Len: 517] + Sequence Number: 1 (relative sequence number) + Sequence Number (raw): 2157975 + [Next Sequence Number: 518 (relative sequence number)] + Acknowledgment Number: 1 (relative ack number) + Acknowledgment number (raw): 834201497 + 1000 .... = Header Length: 32 bytes (8) + Flags: 0x018 (PSH, ACK) + 000. .... .... = Reserved: Not set + ...0 .... .... = Accurate ECN: Not set + .... 0... .... = Congestion Window Reduced: Not set + .... .0.. .... = ECN-Echo: Not set + .... ..0. .... = Urgent: Not set + .... ...1 .... = Acknowledgment: Set + .... .... 1... = Push: Set + .... .... .0.. = Reset: Not set + .... .... ..0. = Syn: Not set + .... .... ...0 = Fin: Not set + [TCP Flags: ·······AP···] + Window: 512 + [Calculated window size: 65536] + [Window size scaling factor: 128] + Checksum: 0x002e [unverified] + [Checksum Status: Unverified] + Urgent Pointer: 0 + Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - Timestamps + Kind: Time Stamp Option (8) + Length: 10 + Timestamp value: 3708445155: TSval 3708445155, TSecr 3708445151 + Timestamp echo reply: 3708445151 + [Timestamps] + [Time since first frame in this TCP stream: 0.004397000 seconds] + [Time since previous frame in this TCP stream: 0.004353000 seconds] + [SEQ/ACK analysis] + [iRTT: 0.000044000 seconds] + [Bytes in flight: 517] + [Bytes sent since last PSH flag: 517] + TCP payload (517 bytes) +Transport Layer Security + TLSv1 Record Layer: Handshake Protocol: Client Hello + Content Type: Handshake (22) + Version: TLS 1.0 (0x0301) + Length: 512 + Handshake Protocol: Client Hello + Handshake Type: Client Hello (1) + Length: 508 + Version: TLS 1.2 (0x0303) + Random: 8cb594e1ad286ea2ad7b4e3e884d122fea2b09241c50239fc0fd766bd9f0b18a + GMT Unix Time: Oct 22, 2044 03:52:49.000000000 MSK + Random Bytes: ad286ea2ad7b4e3e884d122fea2b09241c50239fc0fd766bd9f0b18a + Session ID Length: 32 + Session ID: be15ab8abb319e9b37f5eb11067d24a8096c816546e096790d5e6f64a51b9486 + Cipher Suites Length: 62 + Cipher Suites (31 suites) + Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) + Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) + Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) + Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) + Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) + Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) + Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) + Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) + Compression Methods Length: 1 + Compression Methods (1 method) + Compression Method: null (0) + Extensions Length: 373 + Extension: ec_point_formats (len=4) + Type: ec_point_formats (11) + Length: 4 + EC point formats Length: 3 + Elliptic curves point formats (3) + EC point format: uncompressed (0) + EC point format: ansiX962_compressed_prime (1) + EC point format: ansiX962_compressed_char2 (2) + Extension: supported_groups (len=22) + Type: supported_groups (10) + Length: 22 + Supported Groups List Length: 20 + Supported Groups (10 groups) + Supported Group: x25519 (0x001d) + Supported Group: secp256r1 (0x0017) + Supported Group: x448 (0x001e) + Supported Group: secp521r1 (0x0019) + Supported Group: secp384r1 (0x0018) + Supported Group: ffdhe2048 (0x0100) + Supported Group: ffdhe3072 (0x0101) + Supported Group: ffdhe4096 (0x0102) + Supported Group: ffdhe6144 (0x0103) + Supported Group: ffdhe8192 (0x0104) + Extension: application_layer_protocol_negotiation (len=14) + Type: application_layer_protocol_negotiation (16) + Length: 14 + ALPN Extension Length: 12 + ALPN Protocol + ALPN string length: 2 + ALPN Next Protocol: h2 + ALPN string length: 8 + ALPN Next Protocol: http/1.1 + Extension: encrypt_then_mac (len=0) + Type: encrypt_then_mac (22) + Length: 0 + Extension: extended_master_secret (len=0) + Type: extended_master_secret (23) + Length: 0 + Extension: post_handshake_auth (len=0) + Type: post_handshake_auth (49) + Length: 0 + Extension: signature_algorithms (len=42) + Type: signature_algorithms (13) + Length: 42 + Signature Hash Algorithms Length: 40 + Signature Hash Algorithms (20 algorithms) + Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ed25519 (0x0807) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (7) + Signature Algorithm: ed448 (0x0808) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (8) + Signature Algorithm: rsa_pss_pss_sha256 (0x0809) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (9) + Signature Algorithm: rsa_pss_pss_sha384 (0x080a) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (10) + Signature Algorithm: rsa_pss_pss_sha512 (0x080b) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (11) + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: SM2 (4) + Signature Algorithm: rsa_pss_rsae_sha384 (0x0805) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (5) + Signature Algorithm: rsa_pss_rsae_sha512 (0x0806) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (6) + Signature Algorithm: rsa_pkcs1_sha256 (0x0401) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: rsa_pkcs1_sha384 (0x0501) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: rsa_pkcs1_sha512 (0x0601) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: SHA224 ECDSA (0x0303) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: SHA224 RSA (0x0301) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: SHA224 DSA (0x0302) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA256 DSA (0x0402) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA384 DSA (0x0502) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA512 DSA (0x0602) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: DSA (2) + Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 + Type: supported_versions (43) + Length: 5 + Supported Versions length: 4 + Supported Version: TLS 1.3 (0x0304) + Supported Version: TLS 1.2 (0x0303) + Extension: psk_key_exchange_modes (len=2) + Type: psk_key_exchange_modes (45) + Length: 2 + PSK Key Exchange Modes Length: 1 + PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1) + Extension: key_share (len=38) x25519 + Type: key_share (51) + Length: 38 + Key Share extension + Client Key Share Length: 36 + Key Share Entry: Group: x25519, Key Exchange length: 32 + Group: x25519 (29) + Key Exchange Length: 32 + Key Exchange: 87dbad85af787e263e159ce509567459d1d5cbd4a63bed3df63700e8dfe46176 + Extension: padding (len=202) + Type: padding (21) + Length: 202 + Padding Data [truncated]: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + [JA4: t13i3111h2_e8f1e7e78f70_b26ce05bbdd6] + [JA4_r [truncated]: t13i3111h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033_0403] + [JA3 Fullstring [truncated]: 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-257-] + [JA3: 78f0dc5ac5b19daf131a133cfdee9691] + +Frame 14: 609 bytes on wire (4872 bits), 609 bytes captured (4872 bits) + Encapsulation type: Linux cooked-mode capture v2 (210) + Arrival Time: Jun 15, 2026 11:28:28.323420000 MSK + UTC Arrival Time: Jun 15, 2026 08:28:28.323420000 UTC + Epoch Arrival Time: 1781512108.323420000 + [Time shift for this packet: 0.000000000 seconds] + [Time delta from previous captured frame: 0.003806000 seconds] + [Time delta from previous displayed frame: 0.017602000 seconds] + [Time since reference or first frame: 0.021999000 seconds] + Frame Number: 14 + Frame Length: 609 bytes (4872 bits) + Capture Length: 609 bytes (4872 bits) + [Frame is marked: False] + [Frame is ignored: False] + [Protocols in frame: sll:ethertype:ipv6:tcp:tls] +Linux cooked capture v2 + Protocol: IPv6 (0x86dd) + Interface index: 1 + Link-layer address type: Loopback (772) + Packet type: Unicast to us (0) + Link-layer address length: 6 + Source: 00:00:00_00:00:00 (00:00:00:00:00:00) + Unused: 0000 +Internet Protocol Version 6, Src: ::1, Dst: ::1 + 0110 .... = Version: 6 + .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT) + .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) + .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0) + .... 1110 1001 1100 0100 0110 = Flow Label: 0xe9c46 + Payload Length: 549 + Next Header: TCP (6) + Hop Limit: 64 + Source Address: ::1 + Destination Address: ::1 +Transmission Control Protocol, Src Port: 49408, Dst Port: 8443, Seq: 1, Ack: 1, Len: 517 + Source Port: 49408 + Destination Port: 8443 + [Stream index: 1] + [Conversation completeness: Incomplete, ESTABLISHED (7)] + ..0. .... = RST: Absent + ...0 .... = FIN: Absent + .... 0... = Data: Absent + .... .1.. = ACK: Present + .... ..1. = SYN-ACK: Present + .... ...1 = SYN: Present + [Completeness Flags: ···ASS] + [TCP Segment Len: 517] + Sequence Number: 1 (relative sequence number) + Sequence Number (raw): 1663730631 + [Next Sequence Number: 518 (relative sequence number)] + Acknowledgment Number: 1 (relative ack number) + Acknowledgment number (raw): 813048789 + 1000 .... = Header Length: 32 bytes (8) + Flags: 0x018 (PSH, ACK) + 000. .... .... = Reserved: Not set + ...0 .... .... = Accurate ECN: Not set + .... 0... .... = Congestion Window Reduced: Not set + .... .0.. .... = ECN-Echo: Not set + .... ..0. .... = Urgent: Not set + .... ...1 .... = Acknowledgment: Set + .... .... 1... = Push: Set + .... .... .0.. = Reset: Not set + .... .... ..0. = Syn: Not set + .... .... ...0 = Fin: Not set + [TCP Flags: ·······AP···] + Window: 512 + [Calculated window size: 65536] + [Window size scaling factor: 128] + Checksum: 0x022d [unverified] + [Checksum Status: Unverified] + Urgent Pointer: 0 + Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - Timestamps + Kind: Time Stamp Option (8) + Length: 10 + Timestamp value: 392863708: TSval 392863708, TSecr 392863704 + Timestamp echo reply: 392863704 + [Timestamps] + [Time since first frame in this TCP stream: 0.003839000 seconds] + [Time since previous frame in this TCP stream: 0.003806000 seconds] + [SEQ/ACK analysis] + [iRTT: 0.000033000 seconds] + [Bytes in flight: 517] + [Bytes sent since last PSH flag: 517] + TCP payload (517 bytes) +Transport Layer Security + TLSv1 Record Layer: Handshake Protocol: Client Hello + Content Type: Handshake (22) + Version: TLS 1.0 (0x0301) + Length: 512 + Handshake Protocol: Client Hello + Handshake Type: Client Hello (1) + Length: 508 + Version: TLS 1.2 (0x0303) + Random: a41fc1e02fdc70c280f6cdf744420af18adecd03b97aae66a652a9936d702189 + GMT Unix Time: Apr 3, 2057 20:31:12.000000000 MSK + Random Bytes: 2fdc70c280f6cdf744420af18adecd03b97aae66a652a9936d702189 + Session ID Length: 32 + Session ID: af048ed4d8bf335189046ed3d4d516b3dd0e3dfec0e23a82bb022d119fc7f0a2 + Cipher Suites Length: 62 + Cipher Suites (31 suites) + Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) + Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) + Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) + Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) + Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) + Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) + Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) + Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) + Compression Methods Length: 1 + Compression Methods (1 method) + Compression Method: null (0) + Extensions Length: 373 + Extension: server_name (len=14) name=localhost + Type: server_name (0) + Length: 14 + Server Name Indication extension + Server Name list length: 12 + Server Name Type: host_name (0) + Server Name length: 9 + Server Name: localhost + Extension: ec_point_formats (len=4) + Type: ec_point_formats (11) + Length: 4 + EC point formats Length: 3 + Elliptic curves point formats (3) + EC point format: uncompressed (0) + EC point format: ansiX962_compressed_prime (1) + EC point format: ansiX962_compressed_char2 (2) + Extension: supported_groups (len=22) + Type: supported_groups (10) + Length: 22 + Supported Groups List Length: 20 + Supported Groups (10 groups) + Supported Group: x25519 (0x001d) + Supported Group: secp256r1 (0x0017) + Supported Group: x448 (0x001e) + Supported Group: secp521r1 (0x0019) + Supported Group: secp384r1 (0x0018) + Supported Group: ffdhe2048 (0x0100) + Supported Group: ffdhe3072 (0x0101) + Supported Group: ffdhe4096 (0x0102) + Supported Group: ffdhe6144 (0x0103) + Supported Group: ffdhe8192 (0x0104) + Extension: application_layer_protocol_negotiation (len=14) + Type: application_layer_protocol_negotiation (16) + Length: 14 + ALPN Extension Length: 12 + ALPN Protocol + ALPN string length: 2 + ALPN Next Protocol: h2 + ALPN string length: 8 + ALPN Next Protocol: http/1.1 + Extension: encrypt_then_mac (len=0) + Type: encrypt_then_mac (22) + Length: 0 + Extension: extended_master_secret (len=0) + Type: extended_master_secret (23) + Length: 0 + Extension: post_handshake_auth (len=0) + Type: post_handshake_auth (49) + Length: 0 + Extension: signature_algorithms (len=42) + Type: signature_algorithms (13) + Length: 42 + Signature Hash Algorithms Length: 40 + Signature Hash Algorithms (20 algorithms) + Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: ed25519 (0x0807) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (7) + Signature Algorithm: ed448 (0x0808) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (8) + Signature Algorithm: rsa_pss_pss_sha256 (0x0809) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (9) + Signature Algorithm: rsa_pss_pss_sha384 (0x080a) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (10) + Signature Algorithm: rsa_pss_pss_sha512 (0x080b) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (11) + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: SM2 (4) + Signature Algorithm: rsa_pss_rsae_sha384 (0x0805) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (5) + Signature Algorithm: rsa_pss_rsae_sha512 (0x0806) + Signature Hash Algorithm Hash: Unknown (8) + Signature Hash Algorithm Signature: Unknown (6) + Signature Algorithm: rsa_pkcs1_sha256 (0x0401) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: rsa_pkcs1_sha384 (0x0501) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: rsa_pkcs1_sha512 (0x0601) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: SHA224 ECDSA (0x0303) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Algorithm: SHA224 RSA (0x0301) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: RSA (1) + Signature Algorithm: SHA224 DSA (0x0302) + Signature Hash Algorithm Hash: SHA224 (3) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA256 DSA (0x0402) + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA384 DSA (0x0502) + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: DSA (2) + Signature Algorithm: SHA512 DSA (0x0602) + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: DSA (2) + Extension: supported_versions (len=5) TLS 1.3, TLS 1.2 + Type: supported_versions (43) + Length: 5 + Supported Versions length: 4 + Supported Version: TLS 1.3 (0x0304) + Supported Version: TLS 1.2 (0x0303) + Extension: psk_key_exchange_modes (len=2) + Type: psk_key_exchange_modes (45) + Length: 2 + PSK Key Exchange Modes Length: 1 + PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1) + Extension: key_share (len=38) x25519 + Type: key_share (51) + Length: 38 + Key Share extension + Client Key Share Length: 36 + Key Share Entry: Group: x25519, Key Exchange length: 32 + Group: x25519 (29) + Key Exchange Length: 32 + Key Exchange: b90903595dea9a0f2a49c8c79e677e0337b55f87ee311e76e381508106d7a378 + Extension: padding (len=184) + Type: padding (21) + Length: 184 + Padding Data [truncated]: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + [JA4: t13d3112h2_e8f1e7e78f70_b26ce05bbdd6] + [JA4_r [truncated]: t13d3112h2_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,cca8,cca9,ccaa_000a,000b,000d,0015,0016,0017,002b,002d,0031,0033_0403] + [JA3 Fullstring [truncated]: 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-25] + [JA3: 0149f47eabf9a20d0893e2a44e5a6323] + diff --git a/submissions/attachments/lab4/curl-tls.txt b/submissions/attachments/lab4/curl-tls.txt new file mode 100644 index 000000000..f9e15e928 --- /dev/null +++ b/submissions/attachments/lab4/curl-tls.txt @@ -0,0 +1,64 @@ +* Host localhost:8443 was resolved. +* IPv6: ::1 +* IPv4: 127.0.0.1 + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying [::1]:8443... +* Connected to localhost (::1) port 8443 +* ALPN: curl offers h2,http/1.1 +} [5 bytes data] +* TLSv1.3 (OUT), TLS handshake, Client hello (1): +} [512 bytes data] +* TLSv1.3 (IN), TLS handshake, Server hello (2): +{ [122 bytes data] +* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): +{ [15 bytes data] +* TLSv1.3 (IN), TLS handshake, Certificate (11): +{ [928 bytes data] +* TLSv1.3 (IN), TLS handshake, CERT verify (15): +{ [80 bytes data] +* TLSv1.3 (IN), TLS handshake, Finished (20): +{ [36 bytes data] +* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): +} [1 bytes data] +* TLSv1.3 (OUT), TLS handshake, Finished (20): +} [36 bytes data] +* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey +* ALPN: server accepted h2 +* Server certificate: +* subject: [NONE] +* start date: Jun 15 08:27:43 2026 GMT +* expire date: Jun 15 20:27:43 2026 GMT +* issuer: CN=Caddy Local Authority - ECC Intermediate +* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. +* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256 +* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256 +{ [5 bytes data] +* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): +{ [122 bytes data] +* using HTTP/2 +* [HTTP/2] [1] OPENED stream for https://localhost:8443/health +* [HTTP/2] [1] [:method: GET] +* [HTTP/2] [1] [:scheme: https] +* [HTTP/2] [1] [:authority: localhost:8443] +* [HTTP/2] [1] [:path: /health] +* [HTTP/2] [1] [user-agent: curl/8.5.0] +* [HTTP/2] [1] [accept: */*] +} [5 bytes data] +> GET /health HTTP/2 +> Host: localhost:8443 +> User-Agent: curl/8.5.0 +> Accept: */* +> +{ [5 bytes data] +< HTTP/2 200 +< alt-svc: h3=":8443"; ma=2592000 +< content-type: application/json +< date: Mon, 15 Jun 2026 08:28:28 GMT +< server: Caddy +< content-length: 26 +< +{ [26 bytes data] + 100 26 100 26 0 0 2417 0 --:--:-- --:--:-- --:--:-- 2600 +* Connection #0 to host localhost left intact +{"notes":0,"status":"ok"} diff --git a/submissions/attachments/lab4/curl-verbose.txt b/submissions/attachments/lab4/curl-verbose.txt new file mode 100644 index 000000000..7c7a60dc4 --- /dev/null +++ b/submissions/attachments/lab4/curl-verbose.txt @@ -0,0 +1,25 @@ +Note: Unnecessary use of -X or --request, POST is already inferred. +* Host localhost:8080 was resolved. +* IPv6: ::1 +* IPv4: 127.0.0.1 + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying [::1]:8080... +* Connected to localhost (::1) port 8080 +> POST /notes HTTP/1.1 +> Host: localhost:8080 +> User-Agent: curl/8.5.0 +> Accept: */* +> Content-Type: application/json +> Content-Length: 39 +> +} [39 bytes data] +< HTTP/1.1 201 Created +< Content-Type: application/json +< Date: Mon, 15 Jun 2026 08:26:23 GMT +< Content-Length: 93 +< +{ [93 bytes data] + 100 132 100 93 100 39 43336 18173 --:--:-- --:--:-- --:--:-- 66000 +* Connection #0 to host localhost left intact +{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-15T08:26:23.202595101Z"} diff --git a/submissions/attachments/lab4/debug-commands.txt b/submissions/attachments/lab4/debug-commands.txt new file mode 100644 index 000000000..8598d6c0b --- /dev/null +++ b/submissions/attachments/lab4/debug-commands.txt @@ -0,0 +1,18 @@ +### 1. ss -tlnp | grep :8080 +LISTEN 0 4096 *:8080 *:* users:(("quicknotes",pid=67371,fd=3)) + +### 2. ip route show +default via 10.93.24.1 dev eth0 proto static +10.93.24.0/22 dev eth0 proto kernel scope link src 10.93.26.172 + +### 3. mtr -rwc 5 localhost +Start: 2026-06-15T11:26:25+0300 +HOST: capstone55 Loss% Snt Last Avg Best Wrst StDev + 1.|-- localhost 0.0% 5 0.1 0.1 0.1 0.1 0.0 + +### 4. dig +short example.com @1.1.1.1 +8.47.69.0 +8.6.112.0 + +### 5. journalctl --user -u quicknotes -n 20 || true +-- No entries -- diff --git a/submissions/attachments/lab4/lab4-tls.pcap b/submissions/attachments/lab4/lab4-tls.pcap new file mode 100644 index 000000000..97281ef08 Binary files /dev/null and b/submissions/attachments/lab4/lab4-tls.pcap differ diff --git a/submissions/attachments/lab4/lab4-tls.txt b/submissions/attachments/lab4/lab4-tls.txt new file mode 100644 index 000000000..714776e76 --- /dev/null +++ b/submissions/attachments/lab4/lab4-tls.txt @@ -0,0 +1,125 @@ +reading from file /root/lab4-work/DevOps-Intro/submissions/attachments/lab4/lab4-tls.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 +Warning: interface names might be incorrect +11:28:28.301421 lo In IP 127.0.0.1.44152 > 127.0.0.1.8443: Flags [S], seq 2157974, win 65495, options [mss 65495,sackOK,TS val 3708445151 ecr 0,nop,wscale 7], length 0 +E..<..@.@............x .. ...........0......... +. +a......... +11:28:28.301445 lo In IP 127.0.0.1.8443 > 127.0.0.1.44152: Flags [S.], seq 834201496, ack 2157975, win 65483, options [mss 65495,sackOK,TS val 3708445151 ecr 3708445151,nop,wscale 7], length 0 +E..<..@.@.<......... ..x1.... .......0......... +. +a.. +a..... +11:28:28.301465 lo In IP 127.0.0.1.44152 > 127.0.0.1.8443: Flags [.], ack 1, win 512, options [nop,nop,TS val 3708445151 ecr 3708445151], length 0 +E..4..@.@............x .. ..1........(..... +. +a.. +a. +11:28:28.305818 lo In IP 127.0.0.1.44152 > 127.0.0.1.8443: Flags [P.], seq 1:518, ack 1, win 512, options [nop,nop,TS val 3708445155 ecr 3708445151], length 517 +E..9..@.@............x .. ..1.............. +. +a.. +a.................(n..{N>.M./.+ $.P#...vk.... .....1..7....}$. l.eF..y.^od.....>.......,.0.........+./...$.(.k.#.'.g. +...9. ...3.....=.<.5./.....u......... +...............................h2.http/1.1.........1.....*.(........... . +...........................+........-.....3.&.$... .....x~&>... VtY.....;.=.7....av.............................................................................................................................................................................................................. +11:28:28.305843 lo In IP 127.0.0.1.8443 > 127.0.0.1.44152: Flags [.], ack 518, win 508, options [nop,nop,TS val 3708445155 ecr 3708445155], length 0 +E..4.X@.@.ti........ ..x1.... .......(..... +. +a.. +a. +11:28:28.306505 lo In IP 127.0.0.1.8443 > 127.0.0.1.44152: Flags [P.], seq 1:8, ack 518, win 512, options [nop,nop,TS val 3708445156 ecr 3708445155], length 7 +E..;.Y@.@.ta........ ..x1.... ......./..... +. +a.. +a.......P +11:28:28.306534 lo In IP 127.0.0.1.44152 > 127.0.0.1.8443: Flags [.], ack 8, win 512, options [nop,nop,TS val 3708445156 ecr 3708445156], length 0 +E..4..@.@............x .. ..1........(..... +. +a.. +a. +11:28:28.306601 lo In IP 127.0.0.1.8443 > 127.0.0.1.44152: Flags [F.], seq 8, ack 518, win 512, options [nop,nop,TS val 3708445156 ecr 3708445156], length 0 +E..4.Z@.@.tg........ ..x1.... .......(..... +. +a.. +a. +11:28:28.306829 lo In IP 127.0.0.1.44152 > 127.0.0.1.8443: Flags [F.], seq 518, ack 9, win 512, options [nop,nop,TS val 3708445156 ecr 3708445156], length 0 +E..4..@.@............x .. ..1........(..... +. +a.. +a. +11:28:28.306857 lo In IP 127.0.0.1.8443 > 127.0.0.1.44152: Flags [.], ack 519, win 512, options [nop,nop,TS val 3708445156 ecr 3708445156], length 0 +E..4.[@.@.tf........ ..x1.... .......(..... +. +a.. +a. +11:28:28.319581 lo In IP6 ::1.49408 > ::1.8443: Flags [S], seq 1663730630, win 65476, options [mss 65476,sackOK,TS val 392863704 ecr 0,nop,wscale 7], length 0 +`..F.(.@.................................. .c*...........0......... +.j.......... +11:28:28.319600 lo In IP6 ::1.8443 > ::1.49408: Flags [S.], seq 813048788, ack 1663730631, win 65464, options [mss 65476,sackOK,TS val 392863704 ecr 392863704,nop,wscale 7], length 0 +`..b.(.@................................ ...0v#.c*.......0......... +.j...j...... +11:28:28.319614 lo In IP6 ::1.49408 > ::1.8443: Flags [.], ack 1, win 512, options [nop,nop,TS val 392863704 ecr 392863704], length 0 +`..F. .@.................................. .c*..0v#......(..... +.j...j.. +11:28:28.323420 lo In IP6 ::1.49408 > ::1.8443: Flags [P.], seq 1:518, ack 1, win 512, options [nop,nop,TS val 392863708 ecr 392863704], length 517 +`..F.%.@.................................. .c*..0v#......-..... +.j...j................./.p.....DB +......z.f.R..mp!. ......3Q..n.......=...:...-......>.......,.0.........+./...$.(.k.#.'.g. +...9. ...3.....=.<.5./.....u........ localhost......... +...............................h2.http/1.1.........1.....*.(........... . +...........................+........-.....3.&.$... . .Y]...*I...g~.7._..1.v..P....x............................................................................................................................................................................................ +11:28:28.323443 lo In IP6 ::1.8443 > ::1.49408: Flags [.], ack 518, win 508, options [nop,nop,TS val 392863708 ecr 392863708], length 0 +`..b. .@................................ ...0v#.c*.......(..... +.j...j.. +11:28:28.324248 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1:1425, ack 518, win 512, options [nop,nop,TS val 392863708 ecr 392863708], length 1424 +`..b...@................................ ...0v#.c*............. +.j...j......z...v...S>89..z...A..;.X.(... %...V.<.u ......3Q..n.......=...:...-...........+.....3.$... m.T ...ER.O..5o..L^.s#...E....KM.......... .qR...2=.K-F...k.c4......36....C......b..Ce.7M.\\..p@.8}.....T..B.~.gNll"....Yh...^........../$...<8RV+.F.. Q.P..r..!..t..a..............x.^..&.].4...=.K._5.e.....)..5.q6./_.7...sv..j9.../....&....L.X.c.M....-..RJ.#.xl./=-..Z.......:lV.Oc..f`4..(4Z.....;.l...........~.a.-:.. +D.._?..&...y.X2..o..n.......h.V.q..`.@.r`X..*H..a.3I.Y.........'#.9.[B.o...l{.s...b-....s..=.X..nO...p....y..^..Vzm..v..uO...2d<.._......!.\\..:I3#.............M.....%RS..hm.;|....z.D.....{[v..........l...i.A......9q\30.@<.......KJ4.}49$G.".L.).M.g...s..>u..;...#w.>...4.L.W.T..8O.....vU.>.V... ..".$.U...x.|l......*djg.z.....V....;D.}.A.k.~.n,B.]...ep/l.....R.........8a...n.85.m".V.Ud.7m....>L@.#.......Y.|.b +.....%?.....Gv=....!..qd.DF7.H.....W=i...".{..._3$D.........SJS..}.:..Ot...seD...>.$..7... ..`d. .d.....2......n..7S.P.n.2R2.x.u.....(..M....)u..I...W1WK..DZ.....v8....3"W....... +j['....&}......r9!.0!.!&|..].7c(...K).r...h..i|.......R........ .......|.=.@...W..y>N...M..vA..=,..r.....p.<.~ .*g......a*.~..46E..H.p... .s..P.".M#..M~..Y.._HIR.7..c.W.^....S$..9..w.\.^.=......U%.g..;*.I..1..b..`....D....5`=....A..T..^.....O6\8.......i...(w...ty.(tB..3...."......dt.3...{_.=..LrXK'M.8........+_..{..i.L.....3.d=S/.;w..f/...<.....X.hjH ...e...r...x..}....~..4Q.GHv...1.`..t.>....^......S.G...VEF.&....L. +11:28:28.324293 lo In IP6 ::1.49408 > ::1.8443: Flags [.], ack 1425, win 617, options [nop,nop,TS val 392863708 ecr 392863708], length 0 +`..F. .@.................................. .c*..0v)e...i.(..... +.j...j.. +11:28:28.327012 lo In IP6 ::1.49408 > ::1.8443: Flags [P.], seq 518:582, ack 1425, win 617, options [nop,nop,TS val 392863711 ecr 392863708], length 64 +`..F.`.@.................................. .c*..0v)e...i.h..... +.j...j............5...F.5..S..n...a.R.....\...........Z[`..|{.......[... +11:28:28.327347 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1425:1486, ack 582, win 512, options [nop,nop,TS val 392863712 ecr 392863711], length 61 +`..b.].@................................ ...0v)ec*.......e..... +.j...j......8g.....5.........j_.\|......E......\.*.....dP...zd.{R.... +11:28:28.327474 lo In IP6 ::1.49408 > ::1.8443: Flags [P.], seq 582:677, ack 1486, win 617, options [nop,nop,TS val 392863712 ecr 392863712], length 95 +`..F...@.................................. .c*..0v)....i....... +.j...j......Zm6.A....L..0)r/O.......!.4+......C/d..u.H....B.u..J..z.'55.q._........N.@D...V.!...*..ZS.. +11:28:28.327629 lo In IP6 ::1.49408 > ::1.8443: Flags [P.], seq 677:747, ack 1486, win 617, options [nop,nop,TS val 392863712 ecr 392863712], length 70 +`..F.f.@.................................. .c*.k0v)....i.n..... +.j...j......A..< ....n..x....].D.....L....B..6....M..D.U..WY.....!8t.....%../. +11:28:28.327671 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1486:1521, ack 677, win 512, options [nop,nop,TS val 392863712 ecr 392863712], length 35 +`..b.C.@................................ ...0v).c*.k.....K..... +.j...j..........{6.'lt...|..,$..@..F>..>..( +11:28:28.328882 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1521:1552, ack 747, win 512, options [nop,nop,TS val 392863713 ecr 392863712], length 31 +`..b.?.@................................ ...0v).c*.......G..... +.j...j.......9]......... o.X.....s6.R7. +11:28:28.328948 lo In IP6 ::1.49408 > ::1.8443: Flags [.], ack 1552, win 617, options [nop,nop,TS val 392863713 ecr 392863712], length 0 +`..F. .@.................................. .c*..0v)....i.(..... +.j...j.. +11:28:28.329600 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1552:1657, ack 747, win 512, options [nop,nop,TS val 392863714 ecr 392863713], length 105 +`..b...@................................ ...0v).c*............. +.j...j......d......5..S...Yj...}QB.\%..Af..z.+..b..........J..........pr..e....\=.D.@..v.u.......F..I#...q....S.P +11:28:28.329651 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1657:1714, ack 747, win 512, options [nop,nop,TS val 392863714 ecr 392863713], length 57 +`..b.Y.@................................ ...0v*Mc*.......a..... +.j...j......4...U.ufz\`.f.4.<..2...x..i....R.N...J... ::1.8443: Flags [.], ack 1714, win 617, options [nop,nop,TS val 392863714 ecr 392863714], length 0 +`..F. .@.................................. .c*..0v*....i.(..... +.j...j.. +11:28:28.329999 lo In IP6 ::1.49408 > ::1.8443: Flags [P.], seq 747:771, ack 1714, win 617, options [nop,nop,TS val 392863714 ecr 392863714], length 24 +`..F.8.@.................................. .c*..0v*....i.@..... +.j...j..........(/wY .F/YD.M.q>. +11:28:28.330056 lo In IP6 ::1.49408 > ::1.8443: Flags [F.], seq 771, ack 1714, win 617, options [nop,nop,TS val 392863714 ecr 392863714], length 0 +`..F. .@.................................. .c*..0v*....i.(..... +.j...j.. +11:28:28.330118 lo In IP6 ::1.8443 > ::1.49408: Flags [P.], seq 1714:1738, ack 772, win 512, options [nop,nop,TS val 392863714 ecr 392863714], length 24 +`..b.8.@................................ ...0v*.c*.......@..... +.j...j............D......u +D...R +11:28:28.330136 lo In IP6 ::1.49408 > ::1.8443: Flags [R], seq 1663731402, win 0, length 0 +`..F...@.................................. .c*......P....... diff --git a/submissions/attachments/lab4/lab4-trace.pcap b/submissions/attachments/lab4/lab4-trace.pcap new file mode 100644 index 000000000..9ca8b77b2 Binary files /dev/null and b/submissions/attachments/lab4/lab4-trace.pcap differ diff --git a/submissions/attachments/lab4/lab4-trace.txt b/submissions/attachments/lab4/lab4-trace.txt new file mode 100644 index 000000000..739cab860 --- /dev/null +++ b/submissions/attachments/lab4/lab4-trace.txt @@ -0,0 +1,44 @@ +reading from file /root/lab4-work/DevOps-Intro/submissions/attachments/lab4/lab4-trace.pcap, link-type EN10MB (Ethernet), snapshot length 262144 +11:26:23.201919 IP6 ::1.54280 > ::1.8080: Flags [S], seq 603843237, win 65476, options [mss 65476,sackOK,TS val 392738586 ecr 0,nop,wscale 7], length 0 +` ul.(.@....................................#............0......... +.h.......... +11:26:23.201946 IP6 ::1.8080 > ::1.54280: Flags [S.], seq 3905677142, ack 603843238, win 65464, options [mss 65476,sackOK,TS val 392738586 ecr 392738586,nop,wscale 7], length 0 +`.R..(.@.......................................V#........0......... +.h...h...... +11:26:23.201968 IP6 ::1.54280 > ::1.8080: Flags [.], ack 1, win 512, options [nop,nop,TS val 392738586 ecr 392738586], length 0 +` ul. .@....................................#......W.....(..... +.h...h.. +11:26:23.202182 IP6 ::1.54280 > ::1.8080: Flags [P.], seq 1:175, ack 1, win 512, options [nop,nop,TS val 392738586 ecr 392738586], length 174: HTTP: POST /notes HTTP/1.1 +` ul...@....................................#......W........... +.h...h..POST /notes HTTP/1.1 +Host: localhost:8080 +User-Agent: curl/8.5.0 +Accept: */* +Content-Type: application/json +Content-Length: 39 + +{"title":"trace me","body":"in flight"} +11:26:23.202197 IP6 ::1.8080 > ::1.54280: Flags [.], ack 175, win 511, options [nop,nop,TS val 392738586 ecr 392738586], length 0 +`.R.. .@.......................................W#..T.....(..... +.h...h.. +11:26:23.203056 IP6 ::1.8080 > ::1.54280: Flags [P.], seq 1:207, ack 175, win 512, options [nop,nop,TS val 392738587 ecr 392738586], length 206: HTTP: HTTP/1.1 201 Created +`.R....@.......................................W#..T........... +.h...h..HTTP/1.1 201 Created +Content-Type: application/json +Date: Mon, 15 Jun 2026 08:26:23 GMT +Content-Length: 93 + +{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-15T08:26:23.202595101Z"} + +11:26:23.203084 IP6 ::1.54280 > ::1.8080: Flags [.], ack 207, win 511, options [nop,nop,TS val 392738587 ecr 392738587], length 0 +` ul. .@....................................#..T...%.....(..... +.h...h.. +11:26:23.203444 IP6 ::1.54280 > ::1.8080: Flags [F.], seq 175, ack 207, win 512, options [nop,nop,TS val 392738588 ecr 392738587], length 0 +` ul. .@....................................#..T...%.....(..... +.h...h.. +11:26:23.204491 IP6 ::1.8080 > ::1.54280: Flags [F.], seq 207, ack 176, win 512, options [nop,nop,TS val 392738589 ecr 392738588], length 0 +`.R.. .@.......................................%#..U.....(..... +.h...h.. +11:26:23.204535 IP6 ::1.54280 > ::1.8080: Flags [.], ack 208, win 512, options [nop,nop,TS val 392738589 ecr 392738589], length 0 +` ul. .@....................................#..U...&.....(..... +.h...h.. diff --git a/submissions/attachments/lab4/openssl-certs.txt b/submissions/attachments/lab4/openssl-certs.txt new file mode 100644 index 000000000..21d4b48dc --- /dev/null +++ b/submissions/attachments/lab4/openssl-certs.txt @@ -0,0 +1,91 @@ +depth=1 CN = Caddy Local Authority - ECC Intermediate +verify error:num=20:unable to get local issuer certificate +verify return:1 +depth=0 +verify return:1 +CONNECTED(00000003) +--- +Certificate chain + 0 s: + i:CN = Caddy Local Authority - ECC Intermediate + a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 + v:NotBefore: Jun 15 08:27:43 2026 GMT; NotAfter: Jun 15 20:27:43 2026 GMT +-----BEGIN CERTIFICATE----- +MIIBvzCCAWSgAwIBAgIRAKquu08BDKdgA65bpnl+BQ0wCgYIKoZIzj0EAwIwMzEx +MC8GA1UEAxMoQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gRUNDIEludGVybWVkaWF0 +ZTAeFw0yNjA2MTUwODI3NDNaFw0yNjA2MTUyMDI3NDNaMAAwWTATBgcqhkjOPQIB +BggqhkjOPQMBBwNCAATht3SV9/2dcpPDMEEJe4LofpK7i2wpJThrnc/sAaQgGRur +K7CMCga3q6fgVfNvdbv9gXanMxqRc1fgd4ZVZOdeo4GLMIGIMA4GA1UdDwEB/wQE +AwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFBAI +iX3xtLk4SK3GKo6dXHI++wBtMB8GA1UdIwQYMBaAFIVbkoLRsUTJJErKAanRJTJH +jhylMBcGA1UdEQEB/wQNMAuCCWxvY2FsaG9zdDAKBggqhkjOPQQDAgNJADBGAiEA +mURGUoB50P8wEaAwCQU4Oe7L9EBMJ/BtJGSTET0RFlACIQCl3IoSJMr2CCQLZTu0 +RJeHS47Ldk+meG11jjai4AInAg== +-----END CERTIFICATE----- + 1 s:CN = Caddy Local Authority - ECC Intermediate + i:CN = Caddy Local Authority - 2026 ECC Root + a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 + v:NotBefore: Jun 15 08:27:43 2026 GMT; NotAfter: Jun 22 08:27:43 2026 GMT +-----BEGIN CERTIFICATE----- +MIIBxzCCAW6gAwIBAgIRAOt6UeEa72U9bYlp8bYZ3C8wCgYIKoZIzj0EAwIwMDEu +MCwGA1UEAxMlQ2FkZHkgTG9jYWwgQXV0aG9yaXR5IC0gMjAyNiBFQ0MgUm9vdDAe +Fw0yNjA2MTUwODI3NDNaFw0yNjA2MjIwODI3NDNaMDMxMTAvBgNVBAMTKENhZGR5 +IExvY2FsIEF1dGhvcml0eSAtIEVDQyBJbnRlcm1lZGlhdGUwWTATBgcqhkjOPQIB +BggqhkjOPQMBBwNCAAQO5OpzwlHtYHzhiU/eiS2ueY4RtxN++ZOXvnYBQ+djiEWu +wkPTlfAdjbMQIXqQaJiDSypATP22kSAfj8AUu0wOo2YwZDAOBgNVHQ8BAf8EBAMC +AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUhVuSgtGxRMkkSsoBqdEl +MkeOHKUwHwYDVR0jBBgwFoAUj8hvWkReBldpfAgzC5wAtF0ceicwCgYIKoZIzj0E +AwIDRwAwRAIgORLHi6u0ECoL1tp05qL3kuqtaYU6EsDq43eUjsjiCPcCIDW9BrlG +i8uhtWKuYjVfVAXjsS1I/npoJHQZ5EaaaPbL +-----END CERTIFICATE----- +--- +Server certificate +subject= +issuer=CN = Caddy Local Authority - ECC Intermediate +--- +No client certificate CA names sent +Peer signing digest: SHA256 +Peer signature type: ECDSA +Server Temp Key: X25519, 253 bits +--- +SSL handshake has read 1270 bytes and written 375 bytes +Verification error: unable to get local issuer certificate +--- +New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 +Server public key is 256 bit +Secure Renegotiation IS NOT supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 20 (unable to get local issuer certificate) +--- +DONE +--- +Post-Handshake New Session Ticket arrived: +SSL-Session: + Protocol : TLSv1.3 + Cipher : TLS_AES_128_GCM_SHA256 + Session-ID: D4910A75E193BEE9177F49486D6F9BED5EA225F464486C58C41AF843AFE863BB + Session-ID-ctx: + Resumption PSK: C6F0256B16471C16B2609C2FA0539C6C3649873D4234637A90D80897A8581674 + PSK identity: None + PSK identity hint: None + SRP username: None + TLS session ticket lifetime hint: 604800 (seconds) + TLS session ticket: + 0000 - de 9e 0f 5c 8b b4 47 96-6e d5 ae b7 7d 31 65 f4 ...\..G.n...}1e. + 0010 - 92 35 86 fb d6 8a 3e e9-e3 40 9c d3 d5 fa 3d e3 .5....>..@....=. + 0020 - f5 45 18 28 7c 98 e4 cc-22 59 1b bb 2b 0f 31 24 .E.(|..."Y..+.1$ + 0030 - ce 50 df ca 8f 0c b9 e9-ab 73 47 d1 09 32 45 38 .P.......sG..2E8 + 0040 - 6c 0c bf da 24 e3 1c 59-c3 9e 64 ba 72 d1 8b e3 l...$..Y..d.r... + 0050 - ad cd 42 02 8c f0 c4 cd-71 23 cf 82 64 2d 30 b1 ..B.....q#..d-0. + 0060 - b6 36 e3 9a 49 e5 36 2f-5f .6..I.6/_ + + Start Time: 1781512110 + Timeout : 7200 (sec) + Verify return code: 20 (unable to get local issuer certificate) + Extended master secret: no + Max Early Data: 0 +--- +read R BLOCK diff --git a/submissions/attachments/lab4/serverhello.txt b/submissions/attachments/lab4/serverhello.txt new file mode 100644 index 000000000..5fb1a9d87 --- /dev/null +++ b/submissions/attachments/lab4/serverhello.txt @@ -0,0 +1,149 @@ +Frame 16: 1516 bytes on wire (12128 bits), 1516 bytes captured (12128 bits) + Encapsulation type: Linux cooked-mode capture v2 (210) + Arrival Time: Jun 15, 2026 11:28:28.324248000 MSK + UTC Arrival Time: Jun 15, 2026 08:28:28.324248000 UTC + Epoch Arrival Time: 1781512108.324248000 + [Time shift for this packet: 0.000000000 seconds] + [Time delta from previous captured frame: 0.000805000 seconds] + [Time delta from previous displayed frame: 0.000000000 seconds] + [Time since reference or first frame: 0.022827000 seconds] + Frame Number: 16 + Frame Length: 1516 bytes (12128 bits) + Capture Length: 1516 bytes (12128 bits) + [Frame is marked: False] + [Frame is ignored: False] + [Protocols in frame: sll:ethertype:ipv6:tcp:tls] +Linux cooked capture v2 + Protocol: IPv6 (0x86dd) + Interface index: 1 + Link-layer address type: Loopback (772) + Packet type: Unicast to us (0) + Link-layer address length: 6 + Source: 00:00:00_00:00:00 (00:00:00:00:00:00) + Unused: 0000 +Internet Protocol Version 6, Src: ::1, Dst: ::1 + 0110 .... = Version: 6 + .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT) + .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) + .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0) + .... 0000 1000 0101 0110 0010 = Flow Label: 0x08562 + Payload Length: 1456 + Next Header: TCP (6) + Hop Limit: 64 + Source Address: ::1 + Destination Address: ::1 +Transmission Control Protocol, Src Port: 8443, Dst Port: 49408, Seq: 1, Ack: 518, Len: 1424 + Source Port: 8443 + Destination Port: 49408 + [Stream index: 1] + [Conversation completeness: Incomplete, DATA (15)] + ..0. .... = RST: Absent + ...0 .... = FIN: Absent + .... 1... = Data: Present + .... .1.. = ACK: Present + .... ..1. = SYN-ACK: Present + .... ...1 = SYN: Present + [Completeness Flags: ··DASS] + [TCP Segment Len: 1424] + Sequence Number: 1 (relative sequence number) + Sequence Number (raw): 813048789 + [Next Sequence Number: 1425 (relative sequence number)] + Acknowledgment Number: 518 (relative ack number) + Acknowledgment number (raw): 1663731148 + 1000 .... = Header Length: 32 bytes (8) + Flags: 0x018 (PSH, ACK) + 000. .... .... = Reserved: Not set + ...0 .... .... = Accurate ECN: Not set + .... 0... .... = Congestion Window Reduced: Not set + .... .0.. .... = ECN-Echo: Not set + .... ..0. .... = Urgent: Not set + .... ...1 .... = Acknowledgment: Set + .... .... 1... = Push: Set + .... .... .0.. = Reset: Not set + .... .... ..0. = Syn: Not set + .... .... ...0 = Fin: Not set + [TCP Flags: ·······AP···] + Window: 512 + [Calculated window size: 65536] + [Window size scaling factor: 128] + Checksum: 0x05b8 [unverified] + [Checksum Status: Unverified] + Urgent Pointer: 0 + Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - No-Operation (NOP) + Kind: No-Operation (1) + TCP Option - Timestamps + Kind: Time Stamp Option (8) + Length: 10 + Timestamp value: 392863708: TSval 392863708, TSecr 392863708 + Timestamp echo reply: 392863708 + [Timestamps] + [Time since first frame in this TCP stream: 0.004667000 seconds] + [Time since previous frame in this TCP stream: 0.000805000 seconds] + [SEQ/ACK analysis] + [iRTT: 0.000033000 seconds] + [Bytes in flight: 1424] + [Bytes sent since last PSH flag: 1424] + TCP payload (1424 bytes) +Transport Layer Security + TLSv1.2 Record Layer: Handshake Protocol: Server Hello + Content Type: Handshake (22) + Version: TLS 1.2 (0x0303) + Length: 122 + Handshake Protocol: Server Hello + Handshake Type: Server Hello (2) + Length: 118 + Version: TLS 1.2 (0x0303) + Random: 8b533e3839dd967a90f30541b9923be258fe28caafa3202594c7cd56803c9175 + Session ID Length: 32 + Session ID: af048ed4d8bf335189046ed3d4d516b3dd0e3dfec0e23a82bb022d119fc7f0a2 + Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) + Compression Method: null (0) + Extensions Length: 46 + Extension: supported_versions (len=2) TLS 1.3 + Type: supported_versions (43) + Length: 2 + Supported Version: TLS 1.3 (0x0304) + Extension: key_share (len=36) x25519 + Type: key_share (51) + Length: 36 + Key Share extension + Key Share Entry: Group: x25519, Key Exchange length: 32 + Group: x25519 (29) + Key Exchange Length: 32 + Key Exchange: 6dbc5420d4ead44552044f0f13356f88834c5eba73238f97a745aeed041a4b4d + [JA3S Fullstring: 771,4865,43-51] + [JA3S: f4febc55ea12b31ae17cfb7e614afda8] + TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec + Content Type: Change Cipher Spec (20) + Version: TLS 1.2 (0x0303) + Length: 1 + Change Cipher Spec Message + TLSv1.3 Record Layer: Application Data Protocol: Application Data + Opaque Type: Application Data (23) + Version: TLS 1.2 (0x0303) + Length: 32 + Encrypted Application Data: 087152f8fff8323d8d4b2d461887fe6bfc6334ef1313c512913336dacfbb9843 + TLSv1.3 Record Layer: Application Data Protocol: Application Data + Opaque Type: Application Data (23) + Version: TLS 1.2 (0x0303) + Length: 945 + Encrypted Application Data [truncated]: bf62c3ef43659a374d9c5c5c02bd7040dc387dbbdbae80e054f3b642047e0d674e6c6c22ebc7e1ec59680d12bb5ec981de12cd1905e3deab2f24e496963c3852562bf2468ef020511250948572f68721bab074eb91611dacaa0bc78faa19eaaafaebcc1 + TLSv1.3 Record Layer: Application Data Protocol: Application Data + Opaque Type: Application Data (23) + Version: TLS 1.2 (0x0303) + Length: 97 + Encrypted Application Data: 2afb7ee4bb34364593ac48ef709ec99c20c173a311501e229a4d2391834d7ef8e659d81b5f484952a8377fa663a7571b5efe8281c85324cedd39a90577d75ce55e053dfacaf4992e135525d0671ad03b2ac049c5d13182a462e42e60b3e5ccd944 + TLSv1.3 Record Layer: Application Data Protocol: Application Data + Opaque Type: Application Data (23) + Version: TLS 1.2 (0x0303) + Length: 53 + Encrypted Application Data: 603d98eec1f34105ee54edce5eac83dfb19e4f365c38debee6a7c00eb069b8197f2877d604817479d8287442d6fe3305c6918b2282 + TLSv1.3 Record Layer: Application Data Protocol: Application Data + Opaque Type: Application Data (23) + Version: TLS 1.2 (0x0303) + Length: 139 + Encrypted Application Data [truncated]: 64749333d4fcc37b5fee3d8aa34c72584b274db238a9bc0717d8d0e6f62b5f8dd67ba0a969054c849d18e18333c3643d532ff43b77f1e0662ff5b9003cdecfb31b8a58a0686a4809bac9a46513a70d72fbf1197880f37de48b00d77e199e3451c847487 + diff --git a/submissions/attachments/lab4/task2-broken.txt b/submissions/attachments/lab4/task2-broken.txt new file mode 100644 index 000000000..b94daad62 --- /dev/null +++ b/submissions/attachments/lab4/task2-broken.txt @@ -0,0 +1,31 @@ +### 2.1 bind conflict +PID1=67398 +PID2=67406 +--- ps quicknotes --- +root 67398 67317 0 11:26 ? 00:00:00 /tmp/quicknotes +--- broken stderr/log --- +2026/06/15 11:26:38 quicknotes listening on :8080 (notes loaded: 5) +2026/06/15 11:26:38 listen: listen tcp :8080: bind: address already in use + +### 2.2 outside-in +--- 1) process running? --- +root 67398 67317 0 11:26 ? 00:00:00 /tmp/quicknotes +--- 2) listening? --- +LISTEN 0 4096 *:8080 *:* users:(("quicknotes",pid=67398,fd=3)) +--- 3) curl health HTTP code --- +200 +--- 4) firewall --- +Chain INPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + +Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + +Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination +--- 5) dig localhost --- +127.0.0.1 + +### 2.3 repair +{"notes":5,"status":"ok"} + diff --git a/submissions/lab4.md b/submissions/lab4.md new file mode 100644 index 000000000..1aa246162 --- /dev/null +++ b/submissions/lab4.md @@ -0,0 +1,159 @@ +# Lab 4 submission + +**Environment:** Ubuntu 24.04 VM. Tools: `tcpdump`, `ss`, `ip`, `dig`, `mtr`, `jq`, Go 1.24.2, Caddy 2.6 (bonus). QuickNotes built as `/tmp/quicknotes` (`ADDR=:8080`). + +**Artifacts:** `submissions/attachments/lab4/` — captures, command logs, TLS decode. + +--- + +## Task 1 — Trace a Request End-to-End + +### 1.1–1.2: Capture + decode + +**Commands (VM):** + +```bash +cd app && go build -o /tmp/quicknotes . +ADDR=:8080 /tmp/quicknotes & +tcpdump -i lo -nn -s 0 -A 'tcp port 8080' -w lab4-trace.pcap & +curl -v -X POST http://localhost:8080/notes \ + -H 'Content-Type: application/json' \ + -d '{"title":"trace me","body":"in flight"}' +``` + +Full decode: [`lab4-trace.txt`](attachments/lab4/lab4-trace.txt) · binary: [`lab4-trace.pcap`](attachments/lab4/lab4-trace.pcap) + +**Annotated highlights** (IPv6 loopback `::1` → `::1:8080`): + +| Phase | Packet / flag | Evidence | +|-------|---------------|----------| +| **TCP handshake** | SYN → SYN/ACK → ACK | `11:26:23.201919` `Flags [S]` · `11:26:23.201946` `Flags [S.]` · `11:26:23.201968` `Flags [.]` | +| **HTTP request** | `POST /notes HTTP/1.1` + JSON body | `11:26:23.202182` `Flags [P.]` — `POST /notes HTTP/1.1`, `Content-Type: application/json`, `{"title":"trace me","body":"in flight"}` | +| **HTTP response** | `HTTP/1.1 201 Created` + JSON | `11:26:23.203056` — `HTTP/1.1 201 Created`, body `{"id":5,"title":"trace me",...}` | +| **Connection close** | FIN handshake | Client `Flags [F.]` `11:26:23.203444` · Server `Flags [F.]` `11:26:23.204491` · final ACK | + +`curl -v` confirms the same at L7: [`curl-verbose.txt`](attachments/lab4/curl-verbose.txt) — `HTTP/1.1 201 Created`, connected via `[::1]:8080`. + +### 1.3: Five debugging commands + +Full output: [`debug-commands.txt`](attachments/lab4/debug-commands.txt) + +**1. What's listening?** + +```text +LISTEN 0 4096 *:8080 *:* users:(("quicknotes",pid=67371,fd=3)) +``` + +**Decision:** process is bound on all interfaces (`*:8080`); PID/name visible with root. + +**2. Routes** + +```text +default via 10.93.24.1 dev eth0 proto static +10.93.24.0/22 dev eth0 proto kernel scope link src 10.93.26.172 +``` + +**Decision:** default route via `eth0`; localhost traffic stays on `lo` (not shown — implicit). + +**3. Reachability (`mtr -rwc 5 localhost`)** + +```text +HOST: capstone55 Loss% 0.0% Snt 5 Avg 0.1 ms +``` + +**Decision:** loopback healthy; no packet loss. + +**4. DNS (`dig +short example.com @1.1.1.1`)** + +```text +8.47.69.0 +8.6.112.0 +``` + +**Decision:** external DNS resolver answers; not involved in `localhost:8080` path. + +**5. Logs (`journalctl --user -u quicknotes`)** + +```text +-- No entries -- +``` + +**Decision:** QuickNotes was run manually, not as a user unit — expected empty; would check app stdout or systemd unit logs in production. + +### 1.4: If QuickNotes returned 502? + +A **502 Bad Gateway** means a proxy reached an upstream but got an invalid/empty response — the failure is *between* the edge and the app, not in the client's TCP stack. I would check in order: (1) is the upstream process listening (`ss -tlnp | grep 8080`)? (2) does `curl -v http://127.0.0.1:8080/health` succeed *directly*, bypassing the proxy? (3) proxy error logs (Caddy/nginx) for `connection refused` vs `timeout`; (4) firewall/`iptables` on the path; (5) only then DNS or external routing. On this VM, Task 2 showed the classic case: port conflict left one instance healthy while a second failed to bind — a proxy might still route to a dead peer and emit 502 if misconfigured. + +--- + +## Task 2 — Outside-In Debugging on a Broken Deploy + +Full log: [`task2-broken.txt`](attachments/lab4/task2-broken.txt) + +### 2.1: Reproduce + +Started two instances on `:8080`. Second instance failed: + +```text +2026/06/15 11:26:38 quicknotes listening on :8080 (notes loaded: 5) +2026/06/15 11:26:38 listen: listen tcp :8080: bind: address already in use +``` + +**Root cause:** `bind: address already in use` — first process (PID 67398) held `:8080`. + +### 2.2: Outside-in chain + +| Step | Command | Output | Decision | +|------|---------|--------|----------| +| 1 — running? | `ps -ef \| grep quicknotes` | PID 67398 `/tmp/quicknotes` | One instance alive; second exited on bind error | +| 2 — listening? | `ss -tlnp \| grep 8080` | `quicknotes` pid 67398 on `*:8080` | Socket owned by first process | +| 3 — reachable? | `curl -w %{http_code} localhost:8080/health` | `200` | App healthy *despite* failed second start — misleading if you only check HTTP | +| 4 — firewall? | `iptables -L -n -v` | all chains `policy ACCEPT`, 0 packets | Not a firewall issue | +| 5 — DNS? | `dig +short localhost` | `127.0.0.1` | Name resolves; not DNS | + +### 2.3: Repair + +Killed PID1, started fresh instance → `curl /health` → `{"notes":5,"status":"ok"}`. + +### 2.4: Blameless mini-postmortem + +Two deploy scripts both used `ADDR=:8080` without coordination. The first instance succeeded; the second logged `address already in use` and exited, but monitoring that only checks HTTP 200 would still show green. **Systemic issue:** no port allocation, no systemd `Restart=on-failure` with alerting on bind errors, no pre-flight `ss` check in the deploy playbook. **Prevention:** declare the listen port in one place (unit file / Compose / Ansible template), use `systemd` socket activation or a single supervisor, and fail the deploy pipeline if `listen:` appears in stderr. A health check hitting `/health` is necessary but not sufficient — process-level checks (`systemctl is-active`, `ss -tlnp`) catch "wrong process on port" earlier than L7. + +--- + +## Bonus Task — TLS Handshake Decode + +Caddy terminates TLS on `localhost:8443` → reverse proxy → QuickNotes `:8080`. Capture used `tcpdump -i any` (IPv4 `127.0.0.1`; `-i lo` alone missed traffic on first attempt). + +Artifacts: [`lab4-tls.pcap`](attachments/lab4/lab4-tls.pcap) · [`curl-tls.txt`](attachments/lab4/curl-tls.txt) · [`openssl-certs.txt`](attachments/lab4/openssl-certs.txt) · [`clienthello.txt`](attachments/lab4/clienthello.txt) · [`serverhello.txt`](attachments/lab4/serverhello.txt) + +### ClientHello (tshark) + +- **Record version:** TLS 1.0 (0x0301) — legacy wrapper; real version in extension +- **Client version:** TLS 1.2 (0x0303) +- **`supported_versions` extension:** TLS 1.3, TLS 1.2 +- **SNI:** `localhost` +- **Cipher suites offered:** includes modern (`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, ECDHE-GCM) and legacy (`TLS_RSA_WITH_AES_128_CBC_SHA`, etc.) + +### ServerHello (tshark) + +- **Selected cipher:** `TLS_AES_128_GCM_SHA256` (0x1301) +- **`supported_versions` extension:** **TLS 1.3** (0x0304) — negotiation upgrades to TLS 1.3 +- Followed by Change Cipher Spec + encrypted Application Data (TLS 1.3) + +`curl -vk` confirms: `TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519`. + +### Certificate chain (`openssl s_client -showcerts`) + +```text + 0 s: (leaf, CN empty, SAN localhost) + i: CN = Caddy Local Authority - ECC Intermediate + 1 s: CN = Caddy Local Authority - ECC Intermediate + i: CN = Caddy Local Authority - 2026 ECC Root +``` + +Short-lived ECDSA leaf (~12 h), internal CA — expected for `tls internal`. + +### TLS 1.0 / 1.1 in 2026? + +The step that **kills TLS 1.0/1.1** is the **`supported_versions` extension** in ClientHello (client offers only 1.2+) combined with the server's **`supported_versions` in ServerHello picking TLS 1.3**. Neither side negotiates SSL 3.0 / TLS 1.0 / TLS 1.1. Browsers and libraries disabled 1.0/1.1 by default years ago; RFC 8996 deprecated them. Caddy/modern stacks refuse to complete handshakes at those versions even if legacy cipher names appear in the client's list for middlebox compatibility — the actual protocol version is chosen only from `supported_versions`, not from the legacy record-layer version field (still 0x0301 in the ClientHello wrapper).