In TLSv1.3, there is a new extension that negotiates the TLS version. It reuses the TLSv1.2 version on the handshake messages for compatibility (to not break traffic when intermediate devices don't support TLSv1.3). So in the ClientHello message, there is an extension that tells the server that the client supports TLSv1.3. Then when the server supports TLSv1.3, it will also use this extension in the ServerHello message to tell the client that it has chosen to use TLSv1.3.

So to answer your questions:

  • A1: Wireshark uses a two-pass process to analyze a capture file, so on the first pass, it sees that TLSv1.3 was chosen and so on the second pass, it can show that TLSv1.3 is being used, even though that only becomes clear later on in the conversation.
  • A2: TLSv1.2 version is chosen for compatibility.
  • A3: The TLS record version indicates the minimum supported version. So in this case, the client tells the server it supports TLS versions 1.0, 1.1, 1.2 and 1.3 (assuming the version extension is present, which I assume it is, otherwise Wireshark would not show this conversation as using TLSv1.3).
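
The three version fields discussed in the answer above can be read directly from the hello messages. This is an added example, not part of the original answer and not Wireshark's dissector code: it parses the record version, the handshake `legacy_version` and the `supported_versions` extension (type 43). The function names are hypothetical and both sample messages are constructed rather than captured.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type 43 (RFC 8446, section 4.2.1)
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_hello(record):
    """Return the version fields of one ClientHello/ServerHello TLS record."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < 4 or body[0] not in (1, 2):
        raise ValueError("not a ClientHello or ServerHello handshake record")
    msg_type, msg = body[0], body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy = struct.unpack_from("!H", msg, 0)[0]
    pos = 34                          # skip legacy_version (2) and random (32)
    pos += 1 + msg[pos]               # legacy_session_id
    if msg_type == 1:                 # ClientHello carries lists
        pos += 2 + struct.unpack_from("!H", msg, pos)[0]  # cipher_suites
        pos += 1 + msg[pos]           # compression_methods
    else:                             # ServerHello carries single chosen values
        pos += 3                      # cipher_suite (2) + compression_method (1)
    versions = []
    end = pos + 2 + struct.unpack_from("!H", msg, pos)[0] if pos + 2 <= len(msg) else pos
    pos += 2
    while pos + 4 <= end:             # walk the extension list
        etype, elen = struct.unpack_from("!HH", msg, pos)
        data = msg[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SUPPORTED_VERSIONS:
            # Client sends a length-prefixed list, server one selected version.
            raw = data[1:1 + data[0]] if msg_type == 1 else data[:2]
            versions = [NAMES.get(v, hex(v)) for (v,) in struct.iter_unpack("!H", raw)]
    return {"record": NAMES.get(rec_ver, hex(rec_ver)),
            "legacy": NAMES.get(legacy, hex(legacy)), "supported_versions": versions}

def negotiated_version(server_hello):
    """Version the server chose: the extension when present, else legacy_version."""
    f = parse_hello(server_hello)
    return f["supported_versions"][0] if f["supported_versions"] else f["legacy"]

def build_hello(msg_type, rec_ver, versions):
    """Build a minimal constructed hello (sample data, not captured traffic)."""
    packed = b"".join(struct.pack("!H", v) for v in versions)
    client = msg_type == 1
    ext_data = bytes([len(packed)]) + packed if client else packed[:2]
    mid = b"\x00\x00\x02\x13\x01\x01\x00" if client else b"\x00\x13\x01\x00"
    ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    msg = b"\x03\x03" + bytes(32) + mid + struct.pack("!H", len(ext)) + ext
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs

CLIENT_HELLO = build_hello(1, 0x0301, [0x0304, 0x0303])  # constructed sample
SERVER_HELLO = build_hello(2, 0x0303, [0x0304])          # constructed sample
```

On the constructed ServerHello, the record and `legacy_version` fields both read TLS 1.2 while `negotiated_version` returns TLS 1.3, which is the situation the answer describes.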