Hello, welcome to the Wednesday, October 19th, 2016 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Baltimore, Maryland.

Thanks to data submitted by a listener, we came across an interesting behavior of Windows 10 and certain types of proxies.

These proxies are different from normal proxies in the way that they are in front of

multiple servers that actually serve different protocols.

In this particular case, we do have an HTTP web server. We do have an SSH server

behind the same proxy listening on the same port. This is commonly done to be able to expose

multiple services on Port 443 if, for example, corporate networks only allow outbound port 443 traffic.

The proxy will receive the connection and then decide which one of the servers behind it is most appropriate to answer.

Now apparently what's happening here is that Windows 10 is rather

specific in its initial client hello. If you're connecting with Internet Explorer or Edge to a web

server, the first client Hello will only allow for TLS 1.2. If that fails, then it will allow anything between TLS1.0 and 1.2.

Now, in this particular case, if the web server behind that proxy doesn't support TLS 1.2,

then the proxy will actually forward the connection to the SSH server.

The very interesting observation that you'll end up with here is that you have a web browser connecting to what looks like to be a website,

but in return you're getting an SSH banner. Of course, in the Explorer will then reissue the client Hello in the version variable

way and the connection will succeed.

There will be a little bit of delay, but if you have an intrusion detection system that alerts

you on SH banners on odd ports, you will get an alert that you just connected to an SSH server on port

443, which is correct.

The one proxy that I was able to reproduce this behavior with is HA proxy.

There is a very similar proxy SSLH, which works similarly but seems to be dealing better with these TLS1.2 handshakes.

...