Ask Your Question

TLS 1.3 certificate

asked 2020-02-27 15:33:07 +0000

alajeb gravatar image

I'm analyzing a TLS1.3 handshake using latest version of wireshark and I can't find the certificate in the handshake (I know that the certificate in TLS1.3 is sent encrypted). In which packet can I find the certificate sent by the server ?

edit retag flag offensive close merge delete


2 0.007021 TLSv1.3 1330 Server Hello, Encrypted Extensions, Certificate, Certificate Verify, Finished

Chuckc gravatar imageChuckc ( 2020-02-27 23:09:28 +0000 )edit

could you please give me a screenshot

alajeb gravatar imagealajeb ( 2020-02-28 13:03:45 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2020-02-28 13:22:42 +0000

Chuckc gravatar image

Capture file tls13-20-chacha20poly1305.pcaphere:

Key file tls13-20-chacha20poly1305.keyshere:

image description

edit flag offensive delete link more


What version of wireshark are you using please?

alajeb gravatar imagealajeb ( 2020-02-28 14:02:03 +0000 )edit

3.2.1 (Git commit bf38a67724d0) on Ubuntu

Same display in Version 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Chuckc gravatar imageChuckc ( 2020-02-28 14:08:03 +0000 )edit

How could I get the same display as in the screenshot. When I open the pcap there is only Client Hello, Server Hello and Application Data

alajeb gravatar imagealajeb ( 2020-02-28 14:52:35 +0000 )edit

What version of Wireshark?
Did you add the keyfile to the TLS/SSL protocol settings?

Chuckc gravatar imageChuckc ( 2020-02-28 15:04:34 +0000 )edit

What does the keyfile do ?

alajeb gravatar imagealajeb ( 2020-02-28 20:07:09 +0000 )edit

answered 2020-08-13 05:39:54 +0000

It's not you. It appears the TLS 1.3 Handshake now encrypts the certificate. Please see RFC-8446. Specifically, what you are seeing is that everything after the Server Hello are encrypted:

  "All handshake messages after the ServerHello are now encrypted.
  The newly introduced EncryptedExtensions message allows various
  extensions previously sent in the clear in the ServerHello to also
  enjoy confidentiality protection"

Great Question! I just noticed this myself, this past Sunday and it freaked me out!

Live Long & Prosper!

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-02-27 15:33:07 +0000

Seen: 9,982 times

Last updated: Aug 13 '20