
How does wireshark identify tls1.3?


How does wireshark identify tls1.3? I have three questions that I described in the screenshot below. I would be thankful if someone could help me out with these three questions.

[screenshot: image not available in this copy]

bianmingkai
asked 2021-09-12 09:51:18 +0000


1 Answer


In TLSv1.3, there is a new extension that negotiates the TLS version. It reuses the TLSv1.2 version on the handshake messages for compatibility (to not break traffic when intermediate devices don't support TLSv1.3). So in the ClientHello message, there is an extension that tells the server that the client supports TLSv1.3. Then when the server supports TLSv1.3, it will also use this extension in the ServerHello message to tell the client that it has chosen to use TLSv1.3.

So to answer your questions:

  • A1: Wireshark uses a two-pass process to analyze a capture file, so on the first pass, it sees that TLSv1.3 was chosen and so on the second pass, it can show that TLSv1.3 is being used, even though that only becomes clear later on in the conversation.
  • A2: TLSv1.2 version is chosen for compatibility
  • A3: The TLS record version indicates the minimum supported version. So in this case, the client tells the server it supports TLS versions 1.0, 1.1, 1.2 and 1.3 (assuming the version extension is present, which I assume it is, otherwise wireshark would not show this conversation as using TLSv1.3)
SYN-bit
answered 2021-09-12 12:31:15 +0000
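As an added illustration of the answer above (example code written for this page, not from the thread or from Wireshark's dissector): it builds a constructed ClientHello/ServerHello pair in which the record-layer and handshake legacy version fields both say TLS 1.2 and only the supported_versions extension (type 43) carries TLS 1.3, then parses them back to show which field a dissector must read to report the negotiated version. Field layouts follow RFC 8446; the bytes are constructed, not captured.

```python
import struct

SUPPORTED_VERSIONS = 0x002B   # extension type 43 (RFC 8446)
TLS12, TLS13 = 0x0303, 0x0304

def _vec(data, size):        # length-prefixed vector, big-endian length of `size` bytes
    return len(data).to_bytes(size, "big") + data

def build_hello(is_client, versions):
    """Constructed sample hello: legacy_version is 0x0303, TLS 1.3 only appears in supported_versions."""
    if is_client:
        ext_body = _vec(b"".join(struct.pack("!H", v) for v in versions), 1)   # list + 1-byte length
        tail = _vec(b"", 1) + _vec(b"\x13\x01", 2) + _vec(b"\x00", 1)          # session_id, suites, compression
        record_version = 0x0301           # clients commonly put TLS 1.0 in the first record header
    else:
        ext_body = struct.pack("!H", versions[0])                              # single selected_version
        tail = _vec(b"", 1) + b"\x13\x01" + b"\x00"                            # session_id, suite, compression
        record_version = TLS12
    ext = struct.pack("!H", SUPPORTED_VERSIONS) + _vec(ext_body, 2)
    body = struct.pack("!H", TLS12) + bytes(32) + tail + _vec(ext, 2)          # legacy_version, random, ...
    hs = bytes([1 if is_client else 2]) + _vec(body, 3)                        # handshake type + 3-byte length
    return b"\x16" + struct.pack("!H", record_version) + _vec(hs, 2)           # record header: type, version, length

def parse_hello(record):
    """Return the record-layer version, the handshake legacy_version and the supported_versions content."""
    record_version, = struct.unpack("!H", record[1:3])
    hs_type, body = record[5], record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version, = struct.unpack("!H", body[:2])
    pos = 34                                  # skip legacy_version (2) + random (32)
    pos += 1 + body[pos]                      # session_id
    if hs_type == 1:                          # ClientHello
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
    else:                                     # ServerHello: one suite, one method
        pos += 3
    ext_end, pos = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    supported = None
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS:       # list in ClientHello, single value in ServerHello
            supported = ([struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
                         if hs_type == 1 else struct.unpack("!H", data)[0])
        pos += 4 + elen
    return {"record": record_version, "legacy": legacy_version, "supported_versions": supported}

def negotiated_version(server_hello):
    """The version the ServerHello actually selects: supported_versions wins, the legacy field is only a fallback."""
    info = parse_hello(server_hello)
    return info["supported_versions"] if info["supported_versions"] else info["legacy"]
```

Run on the two constructed records, both hellos report 0x0303 in their legacy fields while the ServerHello's supported_versions says 0x0304, which is the value a two-pass dissector carries back to the earlier frames.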

Comments

Thank you for the swift answer, these answers are really meticulous that I never found them before. But I am still a little bit confused about A1. Could you please help to explain A1 in more detail? Thanks

bianmingkai (2021-09-13 01:58:44 +0000)

In your picture in frame 57, it is not yet known by the endpoints which version of TLS will be used, as they are just entering that negotiation. But Wireshark has run through the packets once before and has seen that in frame 59, the server agrees to use TLSv1.3. That's why wireshark can show TLSv1.3 already in frame 57.

Have a look at the TLS extensions in the ClientHello and the ServerHello to see the actual TLS version negotiation.

SYN-bit (2021-09-13 17:00:28 +0000)
