Saturday, June 5, 2021

Wireshark - Why TLS version is different in Record Layer and Handshake Protocol

When I look at the TLS handshake in Wireshark, I see that the version field says TLS 1.0 under Record Layer: Handshake Protocol: Client Hello, and then another version field inside the same Client Hello says TLS 1.2 under Handshake Protocol: Client Hello. Why is that?

<TLS v1.2 - AES256GCM>

It is expected behavior because of backward compatibility.
The Handshake layer version number is important. In fact, any TLS1.2 compliant server MUST accept any value {03,XX} as the Record layer version number for ClientHello as per RFC5246.

See RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2) - Appendix E. Backward Compatibility for more detail.

In TLS 1.2, the client sends a range of supported versions, while a TLS 1.3 client sends a list of supported versions. The server will then pick a single version, but it will use a new field for selecting TLS 1.3 or newer for compatibility purposes.

In this case, the client sends the maximum supported TLS version with 1.2, and the server responds with the Server Hello, including the same version.

Here are Wireshark packet capture images and more details.
You may download this Wireshark PCAP file - tls12-aes256gcm.pcap to see these packets.

<Client Hello in TLS>

TLS sessions begin with a handshake to negotiate parameters such as the protocol version and ciphers. The client sends a Client Hello handshake message in a TLS record containing:

TLS Record - Version: minimum supported TLS version (in TLS 1.2 and before). In TLS 1.3, this field is not really used and MUST be 0x0303 ("TLS 1.2") or 0x301 ("TLS 1.0") for compatibility purposes. 
* Reference: RFC 8446 (page 79)

Client Hello - Version: maximum supported TLS version (in TLS 1.2 and before). In TLS 1.3, this field is not used but MUST be set to 0x0303 ("TLS 1.2"). 
* Reference: RFC 8446 (4.1.2. Client Hello)

Client Hello - Supported Versions Extension: list of supported versions. This is the only value used by TLS 1.3 implementations (which may agree TLS 1.3, 1.2 or other versions).
* Reference: RFC 8446 (4.2.1. Supported Versions)

<Server Hello in TLS>

The server sends a Server Hello handshake message with:
Server Hello - Version: negotiated version (for TLS 1.2 and before). If TLS 1.3 is negotiated, it MUST be set to 0x0303 ("TLS 1.2").
Server Hello - Supported Versions: a single negotiated version (for TLS 1.3). Cannot be used to negotiate earlier versions.

No comments: