Help us understand the problem. What is going on with this article?

Amazon S3 REST APIのHTTPプロトコルシーケンス

この記事は、Amazon S3 REST APIを呼び出した時のhttpプロトコルシーケンスをパケットキャプチャした結果を記録したものです(読んで面白いものではない)。

前提

  • S3のTokyoリージョン(ap-northeast-1)のバケット(samplebucket)に対して、オブジェクト(sample.txt)をPut/Get/Deleteしました。
  • APIの署名は、署名バージョン4を使用したものです。
  • アクセスキーID(AKIAXXXXXXXXXXXXXXXX)はダミーなので、HTTPリクエストのAuthorizationヘッダの署名とはリンクしません。
  • samplebucketには、ライフサイクルポリシー sample-lifecycleが設定済みです。
  • クライアントプログラムはC#で実装しています。また、ビルド時のターゲットフレームワークは.NET Framework 4.6.1を指定しています。
  • HTTPクライアントのクラスはSystem.Net.Http.HttpClientを使用しています。
クライアントプログラムの実装イメージ(C#)
var content = new ByteArrayContent("hoge\n".ToBytes());

//////// ここでhttpClientを作成(過程は省略)
//////// var httpClient = new HttpClient(...);

httpClient.PutAsync(new URI("http://samplebucket.s3.amazonaws.com"), content);
httpClient.PutAsync(new URI("http://samplebucket.s3-accelerate.amazonaws.com"), content);
httpClient.GetAsync(new URI("http://samplebucket.s3.amazonaws.com"));
httpClient.DeleteAsync(new URI("http://samplebucket.s3.amazonaws.com"));

1. HTTPプロトコルシーケンス

1.1 PutObject

1.1.1 クライアント → Amazon S3

PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T001244Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=d4de97b542321428a14c85c3d37c3ba508bd79d50cd40064850e376b804e3ffb
Host: samplebucket.s3.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive

1.1.2 クライアント ← Amazon S3

HTTP/1.1 100 Continue

1.1.3 クライアント → Amazon S3

PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T001244Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=d4de97b542321428a14c85c3d37c3ba508bd79d50cd40064850e376b804e3ffb
Host: samplebucket.s3.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive

hoge

1.1.4 クライアント ← Amazon S3

HTTP/1.1 200 OK
x-amz-id-2: 1gGAlxbb3z+elQEmbYNLEJ+hBL5X9jFSbOJFp3Kph91JwVzQybaQzYbDOnbQFU1kH4IxYjMP+Pc=
x-amz-request-id: 127EE4E6FAAF7A70
Date: Sun, 17 Nov 2019 00:12:44 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Content-Length: 0
Server: AmazonS3

1.2.PutObject (Transfer Acceleration)

1.2.1 クライアント → Amazon S3

PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T032908Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b57a429bc93f01a0263f69791bd73359249b7e8a5259eb08e0dbb28d479191cc
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive

1.2.2 クライアント ← Amazon S3

HTTP/1.1 100 Continue

1.2.3 クライアント → Amazon S3

PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T032908Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b57a429bc93f01a0263f69791bd73359249b7e8a5259eb08e0dbb28d479191cc
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive

hoge

1.2.4 クライアント ← Amazon S3

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
x-amz-id-2: IhjWCgokNW4vHoZDAlgBmBj6FW/sWyjDeYYI5yPCCRe3wO6Y6n0wxWryDAwkIIBH5ucjGx4Mo2M=
x-amz-request-id: CBA86EAD08B58714
Date: Sun, 17 Nov 2019 03:29:08 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 f8f7fa10720e88f937ab7011bfa41fb6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: NRT20-C4
X-Amz-Cf-Id: mnZLq--nNnfv6CaTRW2lBEKe5lfncyUNPP55FCBizHA5WhD8lFnd6A==

1.3. GetObject

1.3.1 クライアント → Amazon S3

GET /sample.txt HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T030846Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=9075643d96f2632360561e07241a12073a2e24161bb160370520a4c3cca4f529
Host: samplebucket.s3.amazonaws.com

1.3.2 クライアント ← Amazon S3

HTTP/1.1 200 OK
x-amz-id-2: HcaZFDvu5473rQHE41W24Oc41VEEz9Wap83Of0yeYeqZ2nA91GtBLCJgj9gGiYcX4FMY8Lev+/k=
x-amz-request-id: 6B87E38BF4BACBAD
Date: Sun, 17 Nov 2019 03:08:46 GMT
Last-Modified: Sun, 17 Nov 2019 02:25:22 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Content-Length: 5
Server: AmazonS3

hoge

1.4. DeleteObject

1.4.1 クライアント → Amazon S3

DELETE /sample.txt_1 HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T043633Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=a3b9594cb11e4752b64dd1d86399fded7cfd3feddd6776be2d0a3d37e29b88ab
Host: samplebucket.s3.amazonaws.com
Content-Length: 0

1.4.2 クライアント ← Amazon S3

HTTP/1.1 204 No Content
x-amz-id-2: 3ObtFd4sB6or4i4TEAZFi+UvVqtDBx9s8YqkqaPZtLbchBNmNyV+b4YCc+0HVWa11sLP0sKe2fY=
x-amz-request-id: 83E10C229B619354
Date: Sun, 17 Nov 2019 04:36:33 GMT
Server: AmazonS3

1.5. DeleteObject (Transfer Acceleration)

GetObjectやDeleteObjectでTransfer Accelerationを使っても問題ないみたい(TAを使うことには意味はないけど、実装を切り替える必要がないという意味では意味がある)。
Cloud Frontを経由するかどうかの違いしかないからかな。

1.5.1 クライアント → Amazon S3

DELETE /sample.txt HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T032225Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=87feb911b7dbcad7538738895feb88e33660b453b62b282b6dbde5f65496e454
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 0

1.5.2 クライアント ← Amazon S3

HTTP/1.1 204 No Content
Connection: keep-alive
x-amz-id-2: 8zkozysIbd19ycClxTyFvGOu3Esx4pJwL00XgJdDntvGMBHY9yt/KrIXijTaIsaCzWexPMimAwI=
x-amz-request-id: BFDC403D14CC0A69
Date: Sun, 17 Nov 2019 03:22:25 GMT
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 5fa8781927f0b3b53d2119c9d6e2e874.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: NRT20-C1
X-Amz-Cf-Id: _U_7MT7LFGrhYgQiylaqD5A_QsVawI6_P7IFl6NK1_EfZ0pOX39HSw==

2. アイドルソケットのタイムアウト秒数

S3のアイドルソケットのタイムアウト秒数は約20秒である様子。

$ time printf "PUT /sample.txt HTTP/1.1\r\nContent-Length: 1\r\n\r\n" | nc samplebucket.s3.amazonaws.com 80
HTTP/1.1 400 Bad Request
Date: Wed, 27 Nov 19 13:10:58 GMT
Connection: close
Transfer-Encoding: chunked
x-amz-id-2: AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2
x-amz-request-id: 7275DD5C1C197259
Content-Type: application/xml

17b
<?xml version="1.0" encoding="UTF-8"?><Error><Code>RequestTimeout</Code><Message>Your socket connection to the server was not read from or written to within the timeout period. Idle connections will be closed.</Message><RequestId>7275DD5C1C197259</RequestId><HostId>AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2</HostId></Error>
0


real    0m21.342s
user    0m0.000s
sys     0m0.000s
tcpdump
$ sudo tcpdump -vv port 80
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:10:38.055187 IP (tos 0x0, ttl 64, id 58310, offset 0, flags [DF], proto TCP (6), length 60)
    debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [S], cksum 0x416d (incorrect -> 0x5208), seq 2938391169, win 29200, options [mss 1460,sackOK,TS val 28289351 ecr 0,nop,wscale 7], length 0
22:10:38.103575 IP (tos 0x0, ttl 64, id 50316, offset 0, flags [none], proto TCP (6), length 44)
    s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [S.], cksum 0xfd35 (correct), seq 200128001, ack 2938391170, win 65535, options [mss 1460], length 0
22:10:38.103645 IP (tos 0x0, ttl 64, id 58311, offset 0, flags [DF], proto TCP (6), length 40)
    debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [.], cksum 0x4159 (incorrect -> 0xa2e2), seq 1, ack 1, win 29200, length 0
22:10:38.103999 IP (tos 0x0, ttl 64, id 58312, offset 0, flags [DF], proto TCP (6), length 87)
    debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [P.], cksum 0x4188 (incorrect -> 0x6e21), seq 1:48, ack 1, win 29200, length 47: HTTP, length: 47
        PUT /sample.txt HTTP/1.1
        Content-Length: 1

22:10:38.104554 IP (tos 0x0, ttl 64, id 50317, offset 0, flags [none], proto TCP (6), length 40)
    s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [.], cksum 0x14c4 (correct), seq 1, ack 48, win 65535, length 0
22:10:59.338162 IP (tos 0x0, ttl 64, id 50318, offset 0, flags [none], proto TCP (6), length 718)
    s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [P.], cksum 0x356b (correct), seq 1:679, ack 48, win 65535, length 678: HTTP, length: 678
        HTTP/1.1 400 Bad Request
        Date: Wed, 27 Nov 19 13:10:58 GMT
        Connection: close
        Transfer-Encoding: chunked
        x-amz-id-2: AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2
        x-amz-request-id: 7275DD5C1C197259
        Content-Type: application/xml

        17b
        <?xml version="1.0" encoding="UTF-8"?><Error><Code>RequestTimeout</Code><Message>Your socket connection to the server was not read from or written to within the timeout period. Idle connections will be closed.</Message><RequestId>7275DD5C1C197259</RequestId><HostId>AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2</HostId></Error>
        0

22:10:59.338212 IP (tos 0x0, ttl 64, id 58313, offset 0, flags [DF], proto TCP (6), length 40)
    debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [.], cksum 0x4159 (incorrect -> 0x9aef), seq 48, ack 679, win 30510, length 0
22:10:59.338335 IP (tos 0x0, ttl 64, id 50319, offset 0, flags [none], proto TCP (6), length 40)
    s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [F.], cksum 0x121d (correct), seq 679, ack 48, win 65535, length 0
22:10:59.338605 IP (tos 0x0, ttl 64, id 58314, offset 0, flags [DF], proto TCP (6), length 40)
    debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [F.], cksum 0x4159 (incorrect -> 0x9aed), seq 48, ack 680, win 30510, length 0
22:10:59.339222 IP (tos 0x0, ttl 64, id 50320, offset 0, flags [none], proto TCP (6), length 40)
    s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [.], cksum 0x121c (correct), seq 680, ack 49, win 65535, length 0

3. TLSハンドシェイク

3.1 Client Hello (184 bytes)

ClientHello
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 179
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 175
            Version: TLS 1.2 (0x0303)
            Random: 5de90933d57dc7688bbf5e479ce77ffe295944f9f4073a0a…
                GMT Unix Time: Dec  5, 2019 22:42:11.000000000 東京 (標準時)
                Random Bytes: d57dc7688bbf5e479ce77ffe295944f9f4073a0ab486c043…
            Session ID Length: 0
            Cipher Suites Length: 42
            Cipher Suites (21 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 92
            Extension: server_name (len=33)
                Type: server_name (0)
                Length: 33
                Server Name Indication extension
                    Server Name list length: 31
                    Server Name Type: host_name (0)
                    Server Name length: 28
                    Server Name: yz2cm-tokyo.s3.amazonaws.com
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

3.2 Server Hello (96 bytes)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ServerHello
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 91
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 87
            Version: TLS 1.2 (0x0303)
            Random: a1a714e5c85a3c351e90d4c93bd643b56810b46da812714b…
                GMT Unix Time: Dec 11, 2055 05:00:37.000000000 東京 (標準時)
                Random Bytes: c85a3c351e90d4c93bd643b56810b46da812714b00c0a836…
            Session ID Length: 32
            Session ID: ea9ce5ca215eba15a90dcdf8df89b16b9dea041ea61cfd59…
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Compression Method: null (0)
            Extensions Length: 15
            Extension: server_name (len=0)
                Type: server_name (0)
                Length: 0
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

3.3 Certificate (185 bytes)

Certificate
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2900
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2896
            Certificates Length: 2893
            Certificates (2893 bytes)
                Certificate Length: 1760
                Certificate: 308206dc308205c4a0030201020210082df68ee9c69315be… (id-at-commonName=*.s3.amazonaws.com,id-at-organizationName=Amazon.com, Inc.,id-at-localityName=Seattle,id-at-stateOrProvinceName=Washington,id-at-countryName=US)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x082df68ee9c69315bebf72079b3810fd
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 4 items (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
                                    RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: DigiCert Inc
                                RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
                                    RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
                                        Id: 2.5.4.11 (id-at-organizationalUnitName)
                                        DirectoryString: printableString (1)
                                            printableString: www.digicert.com
                                RDNSequence item: 1 item (id-at-commonName=DigiCert Baltimore CA-2 G2)
                                    RelativeDistinguishedName item (id-at-commonName=DigiCert Baltimore CA-2 G2)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: DigiCert Baltimore CA-2 G2
                        validity
                            notBefore: utcTime (0)
                                utcTime: 19-11-09 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 21-03-12 12:00:00 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 5 items (id-at-commonName=*.s3.amazonaws.com,id-at-organizationName=Amazon.com, Inc.,id-at-localityName=Seattle,id-at-stateOrProvinceName=Washington,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-stateOrProvinceName=Washington)
                                    RelativeDistinguishedName item (id-at-stateOrProvinceName=Washington)
                                        Id: 2.5.4.8 (id-at-stateOrProvinceName)
                                        DirectoryString: printableString (1)
                                            printableString: Washington
                                RDNSequence item: 1 item (id-at-localityName=Seattle)
                                    RelativeDistinguishedName item (id-at-localityName=Seattle)
                                        Id: 2.5.4.7 (id-at-localityName)
                                        DirectoryString: printableString (1)
                                            printableString: Seattle
                                RDNSequence item: 1 item (id-at-organizationName=Amazon.com, Inc.)
                                    RelativeDistinguishedName item (id-at-organizationName=Amazon.com, Inc.)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: Amazon.com, Inc.
                                RDNSequence item: 1 item (id-at-commonName=*.s3.amazonaws.com)
                                    RelativeDistinguishedName item (id-at-commonName=*.s3.amazonaws.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: uTF8String (4)
                                            uTF8String: *.s3.amazonaws.com
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            subjectPublicKey: 3082010a0282010100c95bce91b929589e2b5c147890dbdf…
                                modulus: 0x00c95bce91b929589e2b5c147890dbdf033c316a11a0b5d2…
                                publicExponent: 65537
                        extensions: 10 items
                            Extension (id-ce-authorityKeyIdentifier)
                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                AuthorityKeyIdentifier
                                    keyIdentifier: c012b22874684667e97025741a00455b067d5c44
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: ddf2260064b7caf75ca696a6d7accbe127150c13
                            Extension (id-ce-subjectAltName)
                                Extension Id: 2.5.29.17 (id-ce-subjectAltName)
                                GeneralNames: 2 items
                                    GeneralName: dNSName (2)
                                        dNSName: *.s3.amazonaws.com
                                    GeneralName: dNSName (2)
                                        dNSName: s3.amazonaws.com
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 5
                                KeyUsage: a0 (digitalSignature, keyEncipherment)
                                    1... .... = digitalSignature: True
                                    .0.. .... = contentCommitment: False
                                    ..1. .... = keyEncipherment: True
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .0.. = keyCertSign: False
                                    .... ..0. = cRLSign: False
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-ce-extKeyUsage)
                                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                                KeyPurposeIDs: 2 items
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                            Extension (id-ce-cRLDistributionPoints)
                                Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
                                CRLDistPointsSyntax: 2 items
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                CertificatePoliciesSyntax: 2 items
                                    PolicyInformation
                                        policyIdentifier: 2.16.840.1.114412.1.1 (US company arc.114412.1.1)
                                        policyQualifiers: 1 item
                                            PolicyQualifierInfo
                                                Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
                                                DirectoryString: https://www.digicert.com/CPS
                                    PolicyInformation
                                        policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
                            Extension (id-pe-authorityInfoAccess)
                                Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
                                AuthorityInfoAccessSyntax: 2 items
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://ocsp.digicert.com
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt
                            Extension (id-ce-basicConstraints)
                                Extension Id: 2.5.29.19 (id-ce-basicConstraints)
                                critical: True
                                BasicConstraintsSyntax [0 length]
                            Extension (SignedCertificateTimestampList)
                                Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
                                Serialized SCT List Length: 359
                                Signed Certificate Timestamp (Google 'Pilot' log)
                                    Serialized SCT Length: 118
                                    SCT Version: 0
                                    Log ID: a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8…
                                    Timestamp: Nov  9, 2019 00:00:24.368000000 UTC
                                    Extensions length: 0
                                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                                        Signature Hash Algorithm Hash: SHA256 (4)
                                        Signature Hash Algorithm Signature: ECDSA (3)
                                    Signature Length: 71
                                    Signature: 304502210089f1d42959192169051ed1618ffebbc5a6f1cb…
                                Signed Certificate Timestamp (Unknown Log)
                                    Serialized SCT Length: 118
                                    SCT Version: 0
                                    Log ID: 4494652eb0eeceafc44007d8a8fe28c0dae682bed8cb31b5…
                                    Timestamp: Nov  9, 2019 00:00:24.360000000 UTC
                                    Extensions length: 0
                                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                                        Signature Hash Algorithm Hash: SHA256 (4)
                                        Signature Hash Algorithm Signature: ECDSA (3)
                                    Signature Length: 71
                                    Signature: 3045022100aefd4229ea2b9753d7f35ba6b65ea9186d441c…
                                Signed Certificate Timestamp (Google 'Skydiver' log)
                                    Serialized SCT Length: 117
                                    SCT Version: 0
                                    Log ID: bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a…
                                    Timestamp: Nov  9, 2019 00:00:24.373000000 UTC
                                    Extensions length: 0
                                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                                        Signature Hash Algorithm Hash: SHA256 (4)
                                        Signature Hash Algorithm Signature: ECDSA (3)
                                    Signature Length: 70
                                    Signature: 304402201b83ac5f412f5e1d1559b99256a00f81f29a6f4a…
                    algorithmIdentifier (sha256WithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: 0c89a8b47822c2568af1a6369e0dac14324090870de1e484…
                Certificate Length: 1127
                Certificate: 308204633082034ba00302010202100182f8098ea2e626b9… (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x0182f8098ea2e626b91a3b27841fb9af
                        signature (sha256WithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 4 items (id-at-commonName=Baltimore CyberTrust Root,id-at-organizationalUnitName=CyberTrust,id-at-organizationName=Baltimore,id-at-countryName=IE)
                                RDNSequence item: 1 item (id-at-countryName=IE)
                                    RelativeDistinguishedName item (id-at-countryName=IE)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: IE
                                RDNSequence item: 1 item (id-at-organizationName=Baltimore)
                                    RelativeDistinguishedName item (id-at-organizationName=Baltimore)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: Baltimore
                                RDNSequence item: 1 item (id-at-organizationalUnitName=CyberTrust)
                                    RelativeDistinguishedName item (id-at-organizationalUnitName=CyberTrust)
                                        Id: 2.5.4.11 (id-at-organizationalUnitName)
                                        DirectoryString: printableString (1)
                                            printableString: CyberTrust
                                RDNSequence item: 1 item (id-at-commonName=Baltimore CyberTrust Root)
                                    RelativeDistinguishedName item (id-at-commonName=Baltimore CyberTrust Root)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: Baltimore CyberTrust Root
                        validity
                            notBefore: utcTime (0)
                                utcTime: 15-12-08 12:05:07 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 25-05-10 12:00:00 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 4 items (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                    RelativeDistinguishedName item (id-at-countryName=US)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: US
                                RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
                                    RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: DigiCert Inc
                                RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
                                    RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
                                        Id: 2.5.4.11 (id-at-organizationalUnitName)
                                        DirectoryString: printableString (1)
                                            printableString: www.digicert.com
                                RDNSequence item: 1 item (id-at-commonName=DigiCert Baltimore CA-2 G2)
                                    RelativeDistinguishedName item (id-at-commonName=DigiCert Baltimore CA-2 G2)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: DigiCert Baltimore CA-2 G2
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            subjectPublicKey: 3082010a0282010100bbe700fe000173ef9b88f05c0875f0…
                                modulus: 0x00bbe700fe000173ef9b88f05c0875f05c70731fffb57a1f…
                                publicExponent: 65537
                        extensions: 7 items
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: c012b22874684667e97025741a00455b067d5c44
                            Extension (id-ce-authorityKeyIdentifier)
                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                AuthorityKeyIdentifier
                                    keyIdentifier: e59d5930824758ccacfa085436867b3ab5044df0
                            Extension (id-ce-basicConstraints)
                                Extension Id: 2.5.29.19 (id-ce-basicConstraints)
                                critical: True
                                BasicConstraintsSyntax
                                    cA: True
                                    pathLenConstraint: 0
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 1
                                KeyUsage: 86 (digitalSignature, keyCertSign, cRLSign)
                                    1... .... = digitalSignature: True
                                    .0.. .... = contentCommitment: False
                                    ..0. .... = keyEncipherment: False
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .1.. = keyCertSign: True
                                    .... ..1. = cRLSign: True
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-pe-authorityInfoAccess)
                                Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
                                AuthorityInfoAccessSyntax: 1 item
                                    AccessDescription
                                        accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                                        accessLocation: 6
                                            uniformResourceIdentifier: http://ocsp.digicert.com
                            Extension (id-ce-cRLDistributionPoints)
                                Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
                                CRLDistPointsSyntax: 1 item
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://crl3.digicert.com/Omniroot2025.crl
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                CertificatePoliciesSyntax: 1 item
                                    PolicyInformation
                                        policyIdentifier: 2.5.29.32.0 (anyPolicy)
                                        policyQualifiers: 1 item
                                            PolicyQualifierInfo
                                                Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
                                                DirectoryString: https://www.digicert.com/CPS
                    algorithmIdentifier (sha256WithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: 2fe23766c31acf9155ee2914fa5010be998de228f1741607…

3.4 Server Key Exchange (338 bytes)

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: secp256r1 (0x0017)
                Pubkey Length: 65
                Pubkey: 049fb495ea14ab38a012f39ad8e686b827122f19c7242eda…
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Length: 256
                Signature: 1d9e83b5921c6679fcc9d5557bdff9bff07de981ef82b6c3…

3.5 Server Hello Done (9 bytes)

ServerHelloDone
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

3.6 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (126 bytes)

ClientKeyExchange,ChangeCipherSpec,EncryptedHandshakeMessage
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 70
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 66
            EC Diffie-Hellman Client Params
                Pubkey Length: 65
                Pubkey: 04af4ea916072eb6a58aaccde749064e170dbc22dbceede6…
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

3.7 Change Cipher Spec (6 bytes)

ChangeCipherSpec
Transport Layer Security
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message

3.8 Finished (45 bytes)

Finished
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

3.9 Finished (507 bytes)

Finished
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 502
        Encrypted Application Data: 00000000000000012b91bd82dd852eba9f2c38497b9d49d6…

3.10 Application Data (54 bytes)

ApplicationData
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 49
        Encrypted Application Data: 0000000000000001613b3503a917544189f53347f1acf2eb…

3.11 Application Data (30 bytes)

ApplicationData
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 25
        Encrypted Application Data: 0000000000000002560df9a5e059a8525b59a49fe9b4881a…

3.12 Application Data (386 bytes)

ApplicationData
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 381
        Encrypted Application Data: 0000000000000002b39f4fcde4ec922bbd358885e08293e3…

3.13 Encrypted Alert (31 bytes)

EncryptedAlert
Transport Layer Security
    TLSv1.2 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 26
        Alert Message: Encrypted Alert

4. 参考

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away