Wireshark mailing list archives
Re: TLSv1 versus TLSv1.2 how to tell which is whch
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Tue, 3 Jan 2017 09:41:22 -0500
On Mon, Jan 2, 2017 at 11:42 AM, noah davids <ndav1 () cox net> wrote:
I have 2 files, file-u.pcap and file-c.pacp, taken from 2 different clients. In file-u Wireshark reports a TLSv1 while in file-c Wireshark reports TLSv1.2. In both cases the upper vesion is 0x0301 and the lower version is 0x0303. I cannot see how Wireshark decides which TLSv1 and which is TLSv1.2. What am I not seeing? output from Wireshark print of file-u.pcap Secure Sockets Layer TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 284 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 280 Version: TLS 1.2 (0x0303) Random . . . . output from Wireshark print of file-c.pcap Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 284 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 280 Version: TLS 1.2 (0x0303) Random
Browsing the SSL dissector's code it appears that the SSL session version is based on not just the client hello but also the server hello. So it would seem that in file-c.pcap the server has responded that TLS v1.2 is used while in file-u.pcap either the server's response was not seen or responded that TLS 1.0 will be used.
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- TLSv1 versus TLSv1.2 how to tell which is whch noah davids (Jan 02)
- Re: TLSv1 versus TLSv1.2 how to tell which is whch Jeff Morriss (Jan 03)