[openssl-users] Any advice/recommendation for watching TLS version negotiation

Ludwig, Mark ludwig.mark at siemens.com
Mon Nov 28 20:38:22 UTC 2016


> From: Wall, Stephen, Monday, November 28, 2016 6:52 AM
> 
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Ludwig, Mark
> >
> > A customer claims to have configured the web (app) server to only allow
> > TLS 1.2
> > (by disallowing up through TLS 1.1), and says that the client code
> > (which we
> > know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS
> > 1.1.  We
> > are setting up a similar environment internally to diagnose what's
> > happening,
> > and I wonder if anyone has any advice on the "best" tool for "watching"
> > the TLS
> > version negotiation when the connection is being established.
> 
> I've typically used Wireshark for this type of thing.  If you are using RSA and have
> a copy of the server key, you can also examine the encrypted channel content.

Yes, thanks, a colleague today enlightened me that Wireshark will read the 
captured data from snoop.  Voila!

I didn't bother to get the key -- not sure it's RSA -- because I'm not interested 
in the encrypted data.  I only want to see the TLS handshake, which Wireshark 
decodes nicely.

Best,
Mark
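
The version fields a handshake decode exposes can also be read directly from the first two handshake records; the sketch below is an added example, not part of the original message or of OpenSSL. It covers TLS 1.2 and earlier only, its function names are hypothetical, and the two records are constructed samples rather than captured traffic.

```python
import struct

# Version codes as they appear on the wire (TLS 1.2 and earlier).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HELLO = {1: "ClientHello", 2: "ServerHello"}

def version_name(code):
    return VERSIONS.get(code, "unknown 0x%04x" % code)

def parse_hello(record):
    """Return (message name, record-layer version, hello version) for one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    # 1 byte type + 3 byte length + 2 byte version is the minimum needed here.
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    if body[0] not in HELLO:
        raise ValueError("not a ClientHello or ServerHello")
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return HELLO[body[0]], version_name(rec_ver), version_name(hello_ver)

def negotiation(client_record, server_record):
    """ClientHello carries the highest version offered, ServerHello the one selected."""
    c_msg, _, offered = parse_hello(client_record)
    s_msg, _, selected = parse_hello(server_record)
    if (c_msg, s_msg) != ("ClientHello", "ServerHello"):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return {"client_max": offered, "server_selected": selected}

def build_sample(msg_type, rec_ver, hello_ver, tail):
    """Constructed sample record: zeroed random, empty session id, then tail."""
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00" + tail
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", rec_ver, len(msg)) + msg

# Constructed, not captured: client offers up to TLS 1.2, server selects TLS 1.1.
CLIENT_HELLO = build_sample(1, 0x0301, 0x0303, b"\x00\x02\x00\x2f\x01\x00")
SERVER_HELLO = build_sample(2, 0x0302, 0x0302, b"\x00\x2f\x00")

if __name__ == "__main__":
    print(negotiation(CLIENT_HELLO, SERVER_HELLO))
```

A ServerHello version lower than the server's configured minimum points at the server configuration (or a middlebox in the path), not at the client, which only states its maximum.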

