Re: TLSv1 versus TLSv1.2 how to tell which is whch

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Mon, Jan 2, 2017 at 11:42 AM, noah davids <ndav1 () cox net> wrote:

> I have 2 files, file-u.pcap and file-c.pacp, taken from 2 different
> clients. In file-u Wireshark reports a TLSv1 while in file-c Wireshark
> reports TLSv1.2. In both cases the upper vesion is 0x0301 and the lower
> version is 0x0303. I cannot see how Wireshark decides which TLSv1 and which
> is TLSv1.2. What am I not seeing?
>
>
> output from Wireshark print of file-u.pcap
>
> Secure Sockets Layer
>     TLSv1 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.0 (0x0301)
>         Length: 284
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 280
>             Version: TLS 1.2 (0x0303)
>             Random
> . . . .
>
>
> output from Wireshark print of file-c.pcap
>
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.0 (0x0301)
>         Length: 284
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 280
>             Version: TLS 1.2 (0x0303)
>             Random

Browsing the SSL dissector's code it appears that the SSL session version
is based on not just the client hello but also the server hello.  So it
would seem that in file-c.pcap the server has responded that TLS v1.2 is
used while in file-u.pcap either the server's response was not seen or
responded that TLS 1.0 will be used.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe