Re: [openssl-users] Any advice/recommendation for watching TLS version negotiation
> From: Wall, Stephen, Monday, November 28, 2016 6:52 AM
>
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> > Behalf Of Ludwig, Mark
> >
> > A customer claims to have configured the web (app) server to only allow TLS 1.2
> > (by disallowing up through TLS 1.1), and says that the client code (which we
> > know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS 1.1. We
> > are setting up a similar environment internally to diagnose what's happening,
> > and I wonder if anyone has any advice on the "best" tool for "watching" the TLS
> > version negotiation when the connection is being established.
>
> I've typically used Wireshark for this type of thing. If you are using RSA and have
> a copy of the server key, you can also examine the encrypted channel content.

Yes, thanks, a colleague today enlightened me that Wireshark will read the captured data from snoop. Voila!

I didn't bother to get the key -- not sure it's RSA -- because I'm not interested in the encrypted data. I only want to see the TLS handshake, which Wireshark decodes nicely.

Best,
Mark
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Any advice/recommendation for watching TLS version negotiation
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Ludwig, Mark
>
> A customer claims to have configured the web (app) server to only allow TLS 1.2
> (by disallowing up through TLS 1.1), and says that the client code (which we
> know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS 1.1. We
> are setting up a similar environment internally to diagnose what's happening,
> and I wonder if anyone has any advice on the "best" tool for "watching" the TLS
> version negotiation when the connection is being established.

I've typically used Wireshark for this type of thing. If you are using RSA and have a copy of the server key, you can also examine the encrypted channel content.

-Steve Wall

[openssl-users] Any advice/recommendation for watching TLS version negotiation
Greetings,

We have embedded OpenSSL 1.0.2j in our application in order to securely communicate with a Java Servlet engine (such as Tomcat). Our application uses SSLv23_method(), so I expect it to negotiate up through TLS 1.2 (right?).

A customer claims to have configured the web (app) server to only allow TLS 1.2 (by disallowing up through TLS 1.1), and says that the client code (which we know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS 1.1. We are setting up a similar environment internally to diagnose what's happening, and I wonder if anyone has any advice on the "best" tool for "watching" the TLS version negotiation when the connection is being established.

The client environment is Solaris 10. I'm obtaining the necessary privileges to use the snoop command. Does anyone have any do's or don'ts for using snoop?

Thanks in advance!

Mark Ludwig
Siemens Product Lifecycle Management Software Inc.
Communications and Government Affairs
Product Lifecycle Management Lifecycle Coll
5939 Rice Creek Parkway
Shoreview, MN 55126
United States
Tel.: +1 (651) 855-6140
Fax: +1 (651) 855-6280
ludwig.m...@siemens.com
www.siemens.com/plm
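
What a protocol decoder reads from the handshake to answer the question in this thread, as an added example that is not part of the original messages or of OpenSSL. It assumes TLS 1.2 or earlier (as with OpenSSL 1.0.2j) and that each hello starts its own TLS record; the sample bytes are constructed, and `scan`, `record` and `handshake` are names chosen for this example.

```python
import struct

# Version numbers as they appear on the wire (TLS 1.2 and earlier).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def name(v):
    return VERSIONS.get(v, "0x%04x" % v)

def scan(stream):
    """Walk the TLS records in one direction of a TCP stream and return
    (event, detail) tuples for the messages that show version negotiation."""
    events, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, _rec_ver, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:               # capture cut off mid-record
            events.append(("truncated", "record is %d bytes short" % (length - len(body))))
            break
        pos += 5 + length
        if ctype == 20:                      # ChangeCipherSpec: the rest is ciphertext
            encrypted = True
        elif encrypted:
            continue
        elif ctype == 21 and length == 2:    # plaintext alert: level, description
            events.append(("alert", ALERTS.get(body[1], str(body[1]))))
        elif ctype == 22 and length >= 6:    # handshake: type(1) length(3) version(2)
            version = struct.unpack_from("!H", body, 4)[0]
            if body[0] == 1:                 # ClientHello: highest version offered
                events.append(("client_offers_up_to", name(version)))
            elif body[0] == 2:               # ServerHello: version chosen for the session
                events.append(("server_selected", name(version)))
    return events

def record(ctype, ver, body):
    return struct.pack("!BHH", ctype, ver, len(body)) + body

def handshake(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample bytes (not from a real capture).
CLIENT_HELLO = record(22, 0x0301, handshake(
    1, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"))
SERVER_HELLO_TLS11 = record(22, 0x0302, handshake(
    2, b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"))
SERVER_REJECTS = record(21, 0x0302, b"\x02\x46")   # fatal alert 70, protocol_version

if __name__ == "__main__":
    for label, data in [("client", CLIENT_HELLO), ("server accepts 1.1", SERVER_HELLO_TLS11),
                        ("server rejects", SERVER_REJECTS), ("cut capture", CLIENT_HELLO[:20])]:
        print(label, scan(data))
```

A ServerHello carrying 0x0302 means the server itself agreed to TLS 1.1; a server that refuses the offered versions answers with an alert instead of a ServerHello.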