Supported Signatures

TLS libraries create session secrets during the TLS handshake. Each TLS library creates session keys in its own way in the process memory space. Nubeva’s core IP finds the session keys using an algorithm designed specifically for each library or application and outputs a set of instructions called a signature. Signatures are then used to access the session keys at runtime in an extremely efficient manner. SKI Sensors use memory hooks and signatures to extract session secrets from TLS library memory. The ability to hook into memory depends on the Linux kernel version and the Windows OS version. SKI is therefore applicable to any application that runs on a supported OS and kernel version and is linked with a supported TLS library.

Application and Signature Categories

The following figure depicts categories of applications in relation to the TLS libraries they use.

  • Linux
    • Shared Libraries
      • OpenSSL, NSS, WolfSSL
    • Containers
      • Shared Libraries
        • OpenSSL, NSS, WolfSSL
    • Application Specific
      • BoringSSL
      • Others
    • Java
  • Windows
    • Shared Libraries
      • Schannel
    • Application Specific
      • BoringSSL
      • Others
    • Java

The classification is based on the way TLS is included in the application executable. The TLS code can be a shared library that is linked to the application code, or TLS code that is compiled with the rest of the application. Applications that are linked with TLS libraries share the library signature. Applications that use a private library or compile the TLS code into the application require an application-specific signature.

Linux

On Linux, the vast majority of applications use the standard OpenSSL and NSS TLS libraries and, to a lesser extent, WolfSSL. Nubeva provides signatures for every version of OpenSSL starting with version 0.9.7, every version of NSS starting with version NSS_3_15_1_RTM, and WolfSSL versions starting from v4.3.0. This means that session keys can be extracted from the vast majority of Linux applications.

For containers, the signatures also include a unique method to find the path into the directories of the containers, as those have a different namespace than the host Linux. Therefore each of the Supported Linux TLS Libraries listed below for OpenSSL, NSS and WolfSSL has two signatures.

Application-specific signatures are required for applications that use BoringSSL, since BoringSSL is provided by Google as a code repository on GitHub, and this code is compiled with the rest of the application code.

Java applications use TLS functions included with each version of the JDK. Signatures for Java are supported for JDK versions 8 through 17. TLS key extraction is supported for all Java applications using one of these JDK versions.

Please refer to Linux Systems for details on Linux Kernel version and Linux version support.

Supported Linux TLS Libraries

OpenSSL and NSS libraries are included with the Linux OS. Applications link to the shared libraries. Therefore key extraction is supported for the vast majority (over 99%) of applications that use OpenSSL or NSS.

OpenSSL Libraries

OpenSSL-0.9.7
OpenSSL-0.9.7-beta4
OpenSSL-0.9.7-beta5
OpenSSL-0.9.7-beta6
OpenSSL-0.9.7a
OpenSSL-0.9.7b
OpenSSL-0.9.7c
OpenSSL-0.9.7d
OpenSSL-0.9.7e
OpenSSL-0.9.7f
OpenSSL-0.9.7g
OpenSSL-0.9.7h
OpenSSL-0.9.7i
OpenSSL-0.9.7j
OpenSSL-0.9.7k
OpenSSL-0.9.7l
OpenSSL-0.9.7m
OpenSSL-0.9.8
OpenSSL-0.9.8-beta1
OpenSSL-0.9.8-beta2
OpenSSL-0.9.8-beta3
OpenSSL-0.9.8-beta4
OpenSSL-0.9.8-beta5
OpenSSL-0.9.8-beta6
OpenSSL-0.9.8-post-auto-reformat
OpenSSL-0.9.8-post-reformat
OpenSSL-0.9.8-pre-auto-reformat
OpenSSL-0.9.8-pre-reformat
OpenSSL-0.9.8a
OpenSSL-0.9.8b
OpenSSL-0.9.8c
OpenSSL-0.9.8d
OpenSSL-0.9.8e
OpenSSL-0.9.8f
OpenSSL-0.9.8g
OpenSSL-0.9.8h
OpenSSL-0.9.8i
OpenSSL-0.9.8j
OpenSSL-0.9.8k
OpenSSL-0.9.8l
OpenSSL-0.9.8m
OpenSSL-0.9.8m-beta1
OpenSSL-0.9.8n
OpenSSL-0.9.8o
OpenSSL-0.9.8p
OpenSSL-0.9.8q
OpenSSL-0.9.8r
OpenSSL-0.9.8s
OpenSSL-0.9.8t
OpenSSL-0.9.8u
OpenSSL-0.9.8v
OpenSSL-0.9.8w
OpenSSL-0.9.8x
OpenSSL-0.9.8y
OpenSSL-0.9.8za
OpenSSL-0.9.8zb
OpenSSL-0.9.8zc
OpenSSL-0.9.8zd
OpenSSL-0.9.8ze
OpenSSL-0.9.8zf
OpenSSL-0.9.8zg
OpenSSL-0.9.8zh
OpenSSL-1.0.0
OpenSSL-1.0.0-beta1
OpenSSL-1.0.0-beta2
OpenSSL-1.0.0-beta3
OpenSSL-1.0.0-beta4
OpenSSL-1.0.0-beta5
OpenSSL-1.0.0-post-auto-reformat
OpenSSL-1.0.0-post-reformat
OpenSSL-1.0.0-pre-auto-reformat
OpenSSL-1.0.0-pre-reformat
OpenSSL-1.0.0a
OpenSSL-1.0.0b
OpenSSL-1.0.0c
OpenSSL-1.0.0d
OpenSSL-1.0.0e
OpenSSL-1.0.0f
OpenSSL-1.0.0g
OpenSSL-1.0.0h
OpenSSL-1.0.0i
OpenSSL-1.0.0j
OpenSSL-1.0.0k
OpenSSL-1.0.0l
OpenSSL-1.0.0m
OpenSSL-1.0.0n
OpenSSL-1.0.0o
OpenSSL-1.0.0p
OpenSSL-1.0.0q
OpenSSL-1.0.0r
OpenSSL-1.0.0s
OpenSSL-1.0.0t
OpenSSL-1.0.1
OpenSSL-1.0.1-beta1
OpenSSL-1.0.1-beta2
OpenSSL-1.0.1-beta3
OpenSSL-1.0.1-post-auto-reformat
OpenSSL-1.0.1-post-reformat
OpenSSL-1.0.1-pre-auto-reformat
OpenSSL-1.0.1-pre-reformat
OpenSSL-1.0.1a
OpenSSL-1.0.1b
OpenSSL-1.0.1c
OpenSSL-1.0.1d
OpenSSL-1.0.1e
OpenSSL-1.0.1f
OpenSSL-1.0.1g
OpenSSL-1.0.1h
OpenSSL-1.0.1i
OpenSSL-1.0.1j
OpenSSL-1.0.1k
OpenSSL-1.0.1l
OpenSSL-1.0.1m
OpenSSL-1.0.1n
OpenSSL-1.0.1o
OpenSSL-1.0.1p
OpenSSL-1.0.1q
OpenSSL-1.0.1r
OpenSSL-1.0.1s
OpenSSL-1.0.1t
OpenSSL-1.0.1u
OpenSSL-1.0.2
OpenSSL-1.0.2-beta1
OpenSSL-1.0.2-beta1-fips
OpenSSL-1.0.2-beta2
OpenSSL-1.0.2-beta2-fips
OpenSSL-1.0.2-beta3
OpenSSL-1.0.2-beta3-fips
OpenSSL-1.0.2-fips
OpenSSL-1.0.2-post-auto-reformat
OpenSSL-1.0.2-post-auto-reformat-fips
OpenSSL-1.0.2-post-reformat
OpenSSL-1.0.2-post-reformat-fips
OpenSSL-1.0.2-pre-auto-reformat
OpenSSL-1.0.2-pre-auto-reformat-fips
OpenSSL-1.0.2-pre-reformat
OpenSSL-1.0.2-pre-reformat-fips
OpenSSL-1.0.2a
OpenSSL-1.0.2a-fips
OpenSSL-1.0.2b
OpenSSL-1.0.2b-fips
OpenSSL-1.0.2c
OpenSSL-1.0.2c-fips
OpenSSL-1.0.2d
OpenSSL-1.0.2d-fips
OpenSSL-1.0.2e
OpenSSL-1.0.2e-fips
OpenSSL-1.0.2f
OpenSSL-1.0.2f-fips
OpenSSL-1.0.2g
OpenSSL-1.0.2g-fips
OpenSSL-1.0.2h
OpenSSL-1.0.2h-fips
OpenSSL-1.0.2i
OpenSSL-1.0.2i-fips
OpenSSL-1.0.2j
OpenSSL-1.0.2j-fips
OpenSSL-1.0.2k
OpenSSL-1.0.2k-fips
OpenSSL-1.0.2l
OpenSSL-1.0.2l-fips
OpenSSL-1.0.2m
OpenSSL-1.0.2m-fips
OpenSSL-1.0.2n
OpenSSL-1.0.2n-fips
OpenSSL-1.0.2o
OpenSSL-1.0.2o-fips
OpenSSL-1.0.2p
OpenSSL-1.0.2p-fips
OpenSSL-1.0.2q
OpenSSL-1.0.2q-fips
OpenSSL-1.0.2r
OpenSSL-1.0.2r-fips
OpenSSL-1.0.2s
OpenSSL-1.0.2s-fips
OpenSSL-1.0.2t
OpenSSL-1.0.2t-fips
OpenSSL-1.0.2u
OpenSSL-1.0.2u-fips
OpenSSL-1.1.0
OpenSSL-1.1.0-pre1
OpenSSL-1.1.0-pre2
OpenSSL-1.1.0-pre3
OpenSSL-1.1.0-pre4
OpenSSL-1.1.0-pre5
OpenSSL-1.1.0-pre6
OpenSSL-1.1.0a
OpenSSL-1.1.0b
OpenSSL-1.1.0c
OpenSSL-1.1.0d
OpenSSL-1.1.0e
OpenSSL-1.1.0f
OpenSSL-1.1.0g
OpenSSL-1.1.0h
OpenSSL-1.1.0i
OpenSSL-1.1.0j
OpenSSL-1.1.0k
OpenSSL-1.1.0l
OpenSSL-1.1.1
OpenSSL-1.1.1-pre1
OpenSSL-1.1.1-pre2
OpenSSL-1.1.1-pre3
OpenSSL-1.1.1-pre4
OpenSSL-1.1.1-pre5
OpenSSL-1.1.1-pre6
OpenSSL-1.1.1-pre7
OpenSSL-1.1.1-pre8
OpenSSL-1.1.1-pre9
OpenSSL-1.1.1a
OpenSSL-1.1.1b
OpenSSL-1.1.1c
OpenSSL-1.1.1d
OpenSSL-1.1.1e
OpenSSL-1.1.1f
OpenSSL-1.1.1g
OpenSSL-1.1.1h
OpenSSL-1.1.1i
OpenSSL-1.1.1j
OpenSSL-1.1.1k
OpenSSL-1.1.1l
OpenSSL-1.1.1m
OpenSSL-FIPS.1.0
OpenSSL-fips-1.2.0
OpenSSL-fips-1.2.1
OpenSSL-fips-1.2.2
OpenSSL-fips-1.2.3
OpenSSL-fips-2.0
OpenSSL-fips-2.0-pl1
OpenSSL-fips-2.0-rc1
OpenSSL-fips-2.0-rc2
OpenSSL-fips-2.0-rc3
OpenSSL-fips-2.0-rc4
OpenSSL-fips-2.0-rc5
OpenSSL-fips-2.0-rc6
OpenSSL-fips-2.0-rc7
OpenSSL-fips-2.0-rc8
OpenSSL-fips-2.0-rc9
OpenSSL-fips-2.0.1
OpenSSL-fips-2.0.2
OpenSSL-fips-2.0.3
OpenSSL-fips-2.0.4
OpenSSL-fips-2.0.5
OpenSSL-fips-2.0.6
OpenSSL-fips-2.0.7
OpenSSL-fips-2.0.8
OpenSSL-fips-2.0.9
OpenSSL-fips-2.0.10
OpenSSL-fips-2.0.11
OpenSSL-fips-2.0.12
OpenSSL-fips-2.0.13
OpenSSL-fips-2.0.14
OpenSSL-fips-2.0.15
OpenSSL-fips-2.0.16

Sample Linux Applications that use OpenSSL

The samples below show application versions that use OpenSSL. All versions are in the supported list above.

Python 3.9.2, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.9.1, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.9.0, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.8, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.7, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.6, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.5, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.4, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.3, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.2, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.1, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.8.0, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.10, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.9, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.8, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.7, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.6, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.5, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.4, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.3, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.2, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.1, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.7.0, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.13, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.12, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.11, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.10, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.9, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.8, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.7, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.6, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.5, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.4, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.3, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.2, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.1, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.6.0, OpenSSL 1.0.2, 1.1.0, and 1.1.1
Python 3.5.7 OpenSSL 0.9.8, 1.0.2
Python 3.5.6 OpenSSL 0.9.8, 1.0.2
Python 3.5.5 OpenSSL 0.9.8, 1.0.2
Python 3.5.4 OpenSSL 0.9.8, 1.0.2
Python 3.5.3 OpenSSL 0.9.8, 1.0.2
Python 3.5.2 OpenSSL 0.9.8, 1.0.2
Python 3.5.1 OpenSSL 0.9.8, 1.0.2
Python 2.7.8 OpenSSL 0.9.8, 1.0.1
Python 2.7.7 OpenSSL 0.9.8, 1.0.1
Python 2.7.6 OpenSSL 0.9.8, 1.0.1
Python 2.7.5 OpenSSL 0.9.8, 1.0.1
Python 2.7.4 OpenSSL 0.9.8, 1.0.1
Python 2.7.3 OpenSSL 0.9.8, 1.0.1
Python 2.7.2 OpenSSL 0.9.8, 1.0.1
Python 2.7.1 OpenSSL 0.9.8, 1.0.1
Python 2.7 OpenSSL 0.9.8, 1.0.1

AWS CLI depends on Python versions:

AWS CLI v2 requires Python 3.6+
AWS CLI v1 1.19.0 - current requires Python 3.6*
AWS CLI v1 1.17 - 1.18.x requires Python 2.7+ or Python 3.6+

curl 7.76.0 OpenSSL 1.1.0, 1.1.1
curl 7.75.0 OpenSSL 1.1.0, 1.1.1
curl 7.74.0 OpenSSL 1.1.0, 1.1.1
curl 7.73.0 OpenSSL 1.1.0, 1.1.1
curl 7.72.0 OpenSSL 1.1.0, 1.1.1
curl 7.71.1 OpenSSL 1.1.0, 1.1.1
curl 7.71.0 OpenSSL 1.1.0, 1.1.1
curl 7.69.1 OpenSSL 1.1.0, 1.1.1
curl 7.69.0 OpenSSL 1.1.0, 1.1.1
curl 7.68.1 OpenSSL 1.1.0, 1.1.1
curl 7.68.0 OpenSSL 1.1.0, 1.1.1

NSS Libraries

Released versions starting with v3.15 (released 2013-05-28 23:37:46)

NSS_3_15_1_RTM
NSS_3_15_2_RTM
NSS_3_15_3_1_RTM
NSS_3_15_3_RTM
NSS_3_15_4_RTM
NSS_3_15_5_RTM
NSS_3_15_RTM
NSS_3_16_1_RTM
NSS_3_16_2_1_RTM
NSS_3_16_2_2_RTM
NSS_3_16_2_3_RTM
NSS_3_16_2_RTM
NSS_3_16_3_RTM
NSS_3_16_4_RTM
NSS_3_16_5_RTM
NSS_3_16_6_RTM
NSS_3_16_RTM
NSS_3_17_1_RTM
NSS_3_17_2_RTM
NSS_3_17_3_RTM
NSS_3_17_4_RTM
NSS_3_17_RTM
NSS_3_18_1_RTM
NSS_3_18_RTM
NSS_3_19_1_RTM
NSS_3_19_1_WITH_CKBI_1_98_RTM
NSS_3_19_2_1_RTM
NSS_3_19_2_2_RTM
NSS_3_19_2_3_RTM
NSS_3_19_2_4_RTM
NSS_3_19_2_RTM
NSS_3_19_3_RTM
NSS_3_19_4_RTM
NSS_3_19_RTM
NSS_3_20_1_RTM
NSS_3_20_2_RTM
NSS_3_20_RTM
NSS_3_21_1_RTM
NSS_3_21_2_RTM
NSS_3_21_3_RTM
NSS_3_21_4_RTM
NSS_3_21_RTM
NSS_3_22_1_RTM
NSS_3_22_2_RTM
NSS_3_22_3_RTM
NSS_3_22_RTM
NSS_3_23_RTM
NSS_3_24_RTM
NSS_3_25_1_RTM
NSS_3_25_RTM
NSS_3_26_1_RTM
NSS_3_26_2_RTM
NSS_3_26_RTM
NSS_3_27_1_RTM
NSS_3_27_2_RTM
NSS_3_27_RTM
NSS_3_28_1_RTM
NSS_3_28_2_RTM
NSS_3_28_3_RTM
NSS_3_28_4_RTM
NSS_3_28_5_RTM
NSS_3_28_6_RTM
NSS_3_28_RTM
NSS_3_29_1_RTM
NSS_3_29_2_RTM
NSS_3_29_3_RTM
NSS_3_29_5_RTM
NSS_3_29_RTM
NSS_3_30_1_RTM
NSS_3_30_2_RTM
NSS_3_30_RTM
NSS_3_31_1_RTM
NSS_3_31_RTM
NSS_3_32_1_RTM
NSS_3_32_RTM
NSS_3_33_RTM
NSS_3_34_1_RTM
NSS_3_34_RTM
NSS_3_35_RTM
NSS_3_36_1_RTM
NSS_3_36_2_RTM
NSS_3_36_4_RTM
NSS_3_36_5_RTM
NSS_3_36_6_RTM
NSS_3_36_7_RTM
NSS_3_36_RTM
NSS_3_37_1_RTM
NSS_3_37_3_RTM
NSS_3_37_RTM
NSS_3_38_RTM
NSS_3_39_RTM
NSS_3_40_1_RTM
NSS_3_40_RTM
NSS_3_41_1_RTM
NSS_3_41_RTM
NSS_3_42_1_RTM
NSS_3_42_RTM
NSS_3_43_RTM
NSS_3_44_1_RTM
NSS_3_44_2_RTM
NSS_3_44_3_RTM
NSS_3_44_4_RTM
NSS_3_44_RTM
NSS_3_45_RTM
NSS_3_46_1_RTM
NSS_3_46_RTM
NSS_3_47_1_RTM
NSS_3_47_RTM
NSS_3_48_1_RTM
NSS_3_48_RTM
NSS_3_49_1_RTM
NSS_3_49_2_RTM
NSS_3_49_RTM
NSS_3_50_RTM
NSS_3_51_1_RTM
NSS_3_51_RTM
NSS_3_52_1_RTM
NSS_3_52_RTM
NSS_3_53_1_RTM
NSS_3_53_RTM
NSS_3_54_RTM
NSS_3_55_RTM
NSS_3_56_RTM
NSS_3_57_RTM
NSS_3_58_RTM
NSS_3_59_1_RTM
NSS_3_59_RTM
NSS_3_60_1_RTM
NSS_3_60_RTM
NSS_3_61_RTM
NSS_3_62_RTM
NSS_3_63_RTM
NSS_3_63_1_RTM
NSS_3_64_RTM
NSS_3_65_RTM
NSS_3_66_RTM
NSS_3_68_RTM
NSS_3_69_RTM
NSS_3_70_RTM
NSS_3_71_RTM
NSS_3_72_RTM
NSS 3.68.1
NSS 3.72_RTM
NSS 3.73_RTM
NSS_3_68_2_RTM
NSS_3_72_1_RTM
NSS_3_73_1_RTM
NSS 3.74

WolfSSL Libraries

Version v4.3.0
Version v4.4.0
Version v4.5.0
Version v4.6.0
Version v4.7.0

BoringSSL

Google’s BoringSSL code is available on GitHub. Applications using BoringSSL require application-specific signatures.

Application Signatures

Envoy

1.9.0
1.9.1
1.10.0
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.6
1.12.7
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.13.8
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.14.7
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.17.0
1.17.1
1.17.2
1.17.3
1.17.4
1.18.0
1.18.1
1.18.2
1.18.3
1.18.4
1_18_dev
1_19_dev
1.19.1
1.20.1

MS Windows

On Windows, the majority of applications use the standard TLS Schannel library. Nubeva provides signatures for every version of Schannel starting with version 6.3.9600.19941. Application-specific signatures are required for applications that use BoringSSL, since BoringSSL is provided by Google as a code repository on GitHub, and this code is compiled with the rest of the application code. Two such applications are Google Chrome and MS Edge Chromium. Their supported versions are listed below. Until recently, DropBox used a specific version of TLS that required application signatures. The supported versions of DropBox are also provided. DropBox has recently switched to using Schannel, and therefore future versions of DropBox will no longer require dedicated signatures.

Please refer to MS Windows Systems for a list of supported operating system versions.

Supported TLS DLLs

Schannel

Schannel.dll versions supported:

6.1.7601.17514
6.2.9200.16384
6.2.9200.22562
6.2.9200.23258
6.2.17763.802
6.3.9600.17031
6.3.9600.17415
6.3.9600.18454
6.3.9600.19473
6.3.9600.19941
6.3.9600.19805
6.3.9600.19747
6.3.9600.19140
6.3.9600.18659
6.3.9600.20244
10.0.14393.0
10.0.14393.953
10.0.14393.1613
10.0.14393.2363
10.0.14393.3269
10.0.14393.3750
10.0.14393.3808
10.0.14393.3930
10.0.14393.4225
10.0.17763.1
10.0.17763.1217
10.0.17763.1282
10.0.17763.1339
10.0.17763.1457
10.0.17763.1728
10.0.17763.802
10.0.18362.1082
10.0.18362.418
10.0.18362.900
10.0.18362.959
10.0.18362.997
10.0.19041.1
10.0.19041.329
10.0.19041.388
10.0.19041.508
10.0.19041.546
10.0.19041.789
10.0.22000.1
10.0.20295.1
10.0.20348.1
10.0.20348.143
10.0.20348.380
10.0.20348.469
10.0.19041.1466

Applications that use Schannel on these Microsoft platforms include but are not limited to:

Access, Cortana, Excel, Groove Music, InfoPath, Internet Explorer, Microsoft Store, Microsoft News, Microsoft Sway, Microsoft Teams, Microsoft Word, Movies and TV, MS Dynamics 365 CRM, MSN Money, MSN Sports, MSN Weather, OneDrive, OneNote, Outlook, Power BI Desktop, PowerPoint, Publisher, Skype.

BoringSSL

Google’s BoringSSL code is available on GitHub. Applications using BoringSSL require application-specific signatures. In the Windows Applications examples below, Google Chrome and MS Edge Chromium use BoringSSL.

Windows Applications

Specific signatures are provided for the following applications that do not use the above libraries:

Application Version
Dropbox 91.4.548, 92.4.382, 94.4.384, 93.4.237, 93.4.273, 94.4.384, 95.4.441, 96.4.172, 97.4.467, 98.4.158, 99.4.501, 100.4.409, 101.4.434, 102.4.431, 103.4.383, 104.4.175, 105.4.651, 106.4.368, 107.4.443, 108.4.453, 109.4.517, 110.4.458, 111.4.472, 112.4.321, 113.4.507, 114.4.426, 115.4.601, 116.4.368, 117.4.378, 119.4.1772
Google Chrome 64 bit 80.0.3987.132, 80.0.3987.149, 80.0.3987.163, 81.0.4044.113, 83.0.4103.97, 81.0.4044.113, 81.0.4044.122, 81.0.4044.129, 81.0.4044.138, 81.0.4044.92, 83.0.4103.61, 83.0.4103.97, 83.0.4103.106, 83.0.4103.116, 84.0.4147.89, 84.0.4174.105, 84.0.4147.125, 84.0.4147.135, 85.0.4183.83, 85.0.4183.102, 85.0.4183.102, 85.0.4183.121, 86.0.4240.111, 86.0.4240.75, 86.0.4240.183, 86.0.4240.193, 86.0.4240.198, 87.0.4280.66, 87.0.4280.88, 87.0.4280.141, 88.0.4324.104, 88.0.4324.146, 88.0.4324.150, 88.0.4324.182, 88.0.4324.190, 89.0.4389.72, 89.0.4389.82, 89.0.4389.90, 89.0.4389.114, 89.0.4389.128, 90.0.4430.72, 90.0.4430.85, 90.0.4430.93, 90.0.4430.212, 91.0.4472.77, 91.0.4472.101, 91.0.4472.106, 91.0.4472.114, 91.0.4472.124, 91.0.4472.164, 92.0.4515.107, 92.0.4515.131, 92.0.4515.159, 94.0.4606.61, 94.0.4606.71, 95.0.4638.54, 95.0.4638.69, 96.0.4664.45, 97.0.4692.71, 97.0.4692.99
MS Edge Chromium 64 bit 80.0.361.66, 80.0.361.69, 80.0.361.109, 83.0.478.44, 83.0.478.45, 83.0.478.54, 83.0.478.56, 83.0.478.58, 83.0.478.61, 84.0.522.44, 84.0.522.49, 84.0.522.52, 84.0.522.59, 84.0.522.63, 85.0.564.41, 85.0.564.44, 85.0.564.51, 85.0.564.63, 86.0.4240.75, 86.0.622.38, 86.0.622.43, 86.0.622.51, 86.0.622.56, 86.0.622.61, 86.0.622.69, 87.0.664.41, 87.0.664.47, 87.0.664.52, 87.0.664.55, 87.0.664.57, 87.0.664.60, 87.0.664.66, 87.0.664.75, 87.0.664.75, 88.0.705.50, 88.0.705.53, 88.0.705.56, 88.0.705.62, 88.0.705.63, 88.0.705.68, 88.0.705.74, 88.0.705.81, 89.0.774.45, 89.0.774.48, 89.0.774.50, 89.0.774.54, 89.0.774.57, 89.0.774.63, 89.0.774.68, 89.0.774.75, 89.0.774.76, 89.0.774.77, 90.0.818.41, 90.0.818.42, 90.0.818.46, 90.0.818.49, 90.0.818.51, 90.0.818.56, 90.0.818.62, 90.0.818.66, 91.0.864.37, 91.0.864.41, 91.0.864.53, 91.0.864.54, 91.0.864.59, 91.0.864.64, 91.0.864.70, 91.0.864.71, 92.0.902.55, 92.0.902.62, 92.0.902.73, 92.0.902.78, 92.0.902.84, 93.0.4577.82, 93.0.961.38, 94.0.992.31, 94.0.992.37, 94.0.992.38, 94.0.4606.81, 94.0.992.47, 94.0.992.50, 95.0.1020.30, 95.0.1020.40, 96.0.1054.29, 96.0.1054.34, 96.0.1054.41, 96.0.1054.43, 96.0.4664.93, 96.0.1054.53, 96.0.1054.57, 96.0.1054.62, 97.0.1072.55
MS Edge (old) 44.18362.449.0
Zscaler App 2.1.0.210

Java

Key extraction works on Windows and Linux for all Java applications using supported JDK versions on the supported operating system versions listed above.

Java 8
Java 9
Java 10
Java 11
Java 12
Java 13
Java 14
Java 15
Java 16
Java 17

Frequently Asked Questions

Q: My program is using standard libraries but the sensor is not extracting keys
It could be that the libraries are not in a standard location. Make copies of the libraries for safe keeping and replace them with symbolic links to the standard TLS libraries.

Note

Sensors instrument all libraries in the output of ldconfig -p. If ldconfig doesn’t exist (as on Alpine), the list is set to: /lib:/usr/local/lib:/usr/lib. You can manually list the libraries that a running process has actually loaded by running cat /proc/<pid>/maps, as shown below.

root@ubuntu-dev:~# pgrep openssl
21312
root@ubuntu-dev:~# cat /proc/21312/maps
562b48c0a000-562b48ca6000 r-xp 00000000 fd:00 4718820                    /usr/bin/openssl
562b48ea6000-562b48eb3000 r--p 0009c000 fd:00 4718820                    /usr/bin/openssl
562b48eb3000-562b48ebb000 rw-p 000a9000 fd:00 4718820                    /usr/bin/openssl
...
7f0034b34000-7f0034dcf000 r-xp 00000000 fd:00 4724158                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f0034dcf000-7f0034fce000 ---p 0029b000 fd:00 4724158                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f0034fce000-7f0034ffa000 r--p 0029a000 fd:00 4724158                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f0034ffa000-7f0034ffc000 rw-p 002c6000 fd:00 4724158                    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f0034ffc000-7f0034fff000 rw-p 00000000 00:00 0
7f0034fff000-7f0035080000 r-xp 00000000 fd:00 4724476                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f0035080000-7f003527f000 ---p 00081000 fd:00 4724476                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f003527f000-7f0035288000 r--p 00080000 fd:00 4724476                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f0035288000-7f003528c000 rw-p 00089000 fd:00 4724476                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f003528c000-7f00352b5000 r-xp 00000000 fd:00 4202343                    /lib/x86_64-linux-gnu/ld-2.27.so
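
The check described in the note above, as an added example (not Nubeva's code): it lists the TLS libraries in a /proc/<pid>/maps dump and flags any loaded from a directory outside the ldconfig -p set or, without ldconfig, outside the fallback list. The function names, the library-name pattern, the directory-level comparison and the /opt/app/lib sample path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list TLS libraries in a /proc/<pid>/maps dump and flag those
# loaded from outside the directories the note says the sensor covers.

# Covered directories: those of every library in `ldconfig -p`, or the page's
# fallback list when ldconfig is absent (e.g. Alpine).
known_lib_dirs() {
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p |
            awk -F' => ' 'NF == 2 { sub(/\/[^\/]*$/, "", $2); print $2 }' |
            sort -u
    else
        printf '%s\n' /lib /usr/local/lib /usr/lib
    fi
}

# Unique paths of mapped TLS libraries; $1 = maps file.
# The name pattern is an assumption covering OpenSSL, NSS and WolfSSL.
tls_libs_from_maps() {
    awk '$6 ~ /\/(libssl|libcrypto|libnss3|libwolfssl)[^\/]*\.so/ { print $6 }' "$1" |
        sort -u
}

# Print "<status> <path>" per library; $1 = maps file, $2 = file with one
# covered directory per line. Comparison is by directory (an assumption).
classify_tls_libs() {
    tls_libs_from_maps "$1" | while IFS= read -r lib; do
        if grep -Fxq -- "${lib%/*}" "$2"; then
            echo "standard $lib"
        else
            echo "nonstandard $lib"
        fi
    done
}

# Constructed sample: system libcrypto plus a private libssl copy under /opt.
sample_maps() {
    cat <<'EOF'
7f0034b34000-7f0034dcf000 r-xp 00000000 fd:00 4724158    /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f0034ffc000-7f0034fff000 rw-p 00000000 00:00 0
7f0034fff000-7f0035080000 r-xp 00000000 fd:00 4724476    /opt/app/lib/libssl.so.1.1
7f0035080000-7f003527f000 ---p 00081000 fd:00 4724476    /opt/app/lib/libssl.so.1.1
7f003528c000-7f00352b5000 r-xp 00000000 fd:00 4202343    /lib/x86_64-linux-gnu/ld-2.27.so
EOF
}

# With a PID argument inspect that process, otherwise the constructed sample.
maps=$(mktemp)
dirs=$(mktemp)
if [ -n "${1:-}" ]; then
    cat "/proc/$1/maps" > "$maps"
else
    sample_maps > "$maps"
fi
known_lib_dirs > "$dirs"
classify_tls_libs "$maps" "$dirs"
rm -f "$maps" "$dirs"
```

A library reported as nonstandard is a candidate for the non-standard-location case described in the first FAQ answer.
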

Q: Why does the Windows sensor download jre-minimal?
The Windows sensor uses jre-minimal to extract keys from Java applications.