[openssl-users] Any advice/recommendation for watching TLS version negotiation
Ludwig, Mark
ludwig.mark at siemens.com
Mon Nov 28 20:38:22 UTC 2016
> From: Wall, Stephen, Monday, November 28, 2016 6:52 AM
>
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Ludwig, Mark
> >
> > A customer claims to have configured the web (app) server to only allow TLS 1.2
> > (by disallowing up through TLS 1.1), and says that the client code (which we
> > know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS 1.1. We
> > are setting up a similar environment internally to diagnose what's happening,
> > and I wonder if anyone has any advice on the "best" tool for "watching" the TLS
> > version negotiation when the connection is being established.
>
> I've typically used Wireshark for this type of thing. If you are using RSA and have
> a copy of the server key, you can also examine the encrypted channel content.
Yes, thanks, a colleague today enlightened me that Wireshark will read the
captured data from snoop. Voila!
I didn't bother to get the key -- not sure it's RSA -- because I'm not interested
in the encrypted data. I only want to see the TLS handshake, which Wireshark
decodes nicely.
Best,
Mark
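
Added example, not part of the original message: a small Python parser that reads the cleartext handshake from the reassembled bytes of one direction of a connection and reports the version in each ClientHello and ServerHello, which is the same field Wireshark decodes. It covers SSL 3.0 through TLS 1.2, where the ServerHello version is the negotiated one; the helper names and the sample streams are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HELLO = {1: "ClientHello", 2: "ServerHello"}

def hello_versions(stream: bytes):
    """Return [(message, version)] for each hello in one direction of a TLS stream."""
    found, pos, pending = [], 0, b""
    while pos + 5 <= len(stream):
        ctype, _record_version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            raise ValueError("capture ends inside a TLS record")
        pos += 5 + length
        if ctype == 20:      # ChangeCipherSpec: handshake records after it are encrypted
            break
        if ctype != 22:      # only handshake records carry the hellos
            continue
        pending += fragment  # a handshake message may span several records
        while len(pending) >= 4:
            mtype, mlen = pending[0], int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + mlen:
                break
            body, pending = pending[4:4 + mlen], pending[4 + mlen:]
            if mtype in HELLO and len(body) >= 2:
                # First two bytes of either hello body are the protocol version.
                version = int.from_bytes(body[:2], "big")
                found.append((HELLO[mtype], VERSIONS.get(version, hex(version))))
    return found

def record(ctype, payload, version=0x0301):
    """Wrap a payload in a TLS record header (helper for the constructed sample)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def handshake(mtype, body):
    """Wrap a body in a handshake message header (helper for the constructed sample)."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed sample: client offers TLS 1.2, server answers with TLS 1.1.
RANDOM = bytes(32)
CLIENT_HELLO = handshake(1, b"\x03\x03" + RANDOM + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
SERVER_HELLO = handshake(2, b"\x03\x02" + RANDOM + b"\x00" + b"\x00\x2f" + b"\x00")
CLIENT_STREAM = record(22, CLIENT_HELLO)
SERVER_STREAM = (record(22, SERVER_HELLO + handshake(14, b""), 0x0302)
                 + record(20, b"\x01", 0x0302) + record(22, b"\x99" * 40, 0x0302))

if __name__ == "__main__":
    for name, data in (("client", CLIENT_STREAM), ("server", SERVER_STREAM)):
        print(name, hello_versions(data))
```

The ClientHello value is only the highest version the client offers; the ServerHello value is what the server selected for the connection.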