https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16114

Peter Wu <pe...@lekensteyn.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|TLS handshake  client hello |TLS Client Hello reported
                   | packet protocol labeled    |as TLSv1 even though
                   |differently, TLSv1 or       |supported_versions reports
                   |TLSv1.2                     |TLSv1.2 only
             Status|INCOMPLETE                  |CONFIRMED

--- Comment #3 from Peter Wu <pe...@lekensteyn.nl> ---
This capture only contains a TLS Client Hello packet in frame 8 and a
retransmission of exactly the same packet in packet 9:

$ tshark -r dockerlogin.19.03.1.pcap.pcapng -Y "tcp.len>0"
    8   0.051827 135.105.195.142 → 135.8.96.38  TLSv1 250 Client Hello
    9   0.051908 135.105.195.142 → 135.8.96.38  TCP 250 [TCP Retransmission] 53258 → 443 [PSH, ACK] Seq=1 Ack=1 Win=66560 Len=196

The only packets that come from the server are empty TCP SYN/ACK and ACK
segments with no payload, and TCP FIN segments to close the connection.

Like Alexis said, the Protocol version is only updated to the correct version
once the server responded with a Server Hello. Your capture lacks this
handshake message, and thus Wireshark is only able to report that TLSv1 is used
at minimum. In general, claiming TLSv1.2 would not be fully accurate either
since the server can pick any version between TLS 1.0 and 1.2:

$ tshark -r dockerlogin.19.03.1.pcap.pcapng -Y frame.number==8 -O tls
...
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)     <-- minimum version
        Length: 191
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 187
            Version: TLS 1.2 (0x0303) <-- maximum version
...
            Extension: supported_versions (len=3)
                Type: supported_versions (43)
                Length: 3
                Supported Versions length: 2
                Supported Version: TLS 1.2 (0x0303)

In this case specifically, I suppose it could report TLS 1.2 because the
"supported_versions" extension reports that version only. This extension is
normally used for negotiating TLS 1.3, but it could also be used to negotiate
earlier versions per https://tools.ietf.org/html/rfc8446#section-4.2.1

When "supported_versions" is present, both the record layer version (marked
"minimum version" above) and the Client Hello version (marked "maximum version"
above) should be ignored. The safest thing to do would be reporting the minimum
known version reported in the "supported_versions" extension.

Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
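
The version-selection rule proposed in comment #3, as an added example that is not part of the original message and is not Wireshark's dissector code: parse a lone Client Hello record and report the lowest version in "supported_versions", falling back to the record layer version when the extension is absent. The function names, the constructed sample builder and the skipping of GREASE placeholder values (RFC 8701) are assumptions of this sketch.

```python
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 placeholder values

def client_hello_versions(record):
    """Return (record_version, hello_version, supported_versions) from one TLS record."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete Client Hello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        hello_ver = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32                                        # version + random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        supported = []
        if pos + 2 <= len(hello):                           # extensions are optional
            end = min(len(hello), pos + 2 + struct.unpack_from("!H", hello, pos)[0])
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", hello, pos)
                data = hello[pos + 4:pos + 4 + elen]
                if etype == 43 and data:                    # supported_versions
                    stop = min(1 + data[0], len(data)) - 1
                    supported = [struct.unpack_from("!H", data, i)[0] for i in range(1, stop, 2)]
                pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("truncated Client Hello") from None
    return rec_ver, hello_ver, supported

def reported_version(record):
    """Version to display before any Server Hello has been seen."""
    rec_ver, _hello_ver, supported = client_hello_versions(record)
    real = [v for v in supported if v not in GREASE]
    # With supported_versions present, ignore both legacy fields and take the
    # lowest offered version; otherwise fall back to the record layer version.
    return min(real) if real else rec_ver

def build_client_hello(rec_ver, hello_ver, versions):
    """Constructed sample: minimal Client Hello, optional supported_versions."""
    ext = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HHB", 43, len(vlist) + 1, len(vlist)) + vlist
    hello = (struct.pack("!H", hello_ver) + bytes(32) + b"\x00"
             + b"\x00\x02\xc0\x2f" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs
```

For the field values shown in frame 8 (record 0x0301, hello 0x0303, supported_versions containing only 0x0303), reported_version() returns 0x0303.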