Ask Your Question

TLS record layer and Handshake protocol

asked 2020-07-30 17:43:18 +0000

I was looking at the some of the TLS handshake in wire shark and I could see that version field says TLS 1.0 under record layer: Handshake protocol:client Hello(I am looking at the client hello) and then another version field inside the same client hello says TLS 1.2 under handshake protocol:client hello. In both cases, I dont see any fields that said TLS1.3. I saw one version field that said 1.0 and another version filed that said 1.2 in my client hello. But, wireshark protocol field says it is TLS1.3. How wire shark came to that conclusion?

edit retag flag offensive close merge delete


@technologyevangelist, we don't generally close questions here, instead if an answer has answered your question, please accept it for the benefit of others with the same question by clicking the checkmark icon to the left of it.

grahamb gravatar imagegrahamb ( 2020-07-31 09:36:18 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-07-30 19:26:08 +0000

grahamb gravatar image

See the TLS 1.3 RFC 8446, section 4.2.1 where the SupportedVersions extension is discussed. For TLS 1.3, if the SupportedVersions extension is present, the Client Hello Version field is regarded as a legacy version and is usually ignored.

edit flag offensive delete link more


Thanks Grahamb for your time in explaining me with the RFC. This is what I understood, client hello always contains supported version field which tells all the version it supports. He will equip the client hello message with all the pieces needed for 1.3 without having a confirmation on whether the server support it or not. Now, the server is the one who decides whether to use 1.3 or 1.2 or any other TLS version. If the the server supports TLS 1.3, the server hello message contains an extensions called "Supported version" which going to be TLS1.3. Other TLS version server hello do not ontain this field. And the client receiving this server hello message, by looking at this field, ignores other details and simply go ahead with 1.3.

So, only when the server hello comes, the client will get a clear picture of ...(more)

technologyevangelist gravatar imagetechnologyevangelist ( 2020-07-31 06:00:24 +0000 )edit

Wireshark is setting the protocol as TLS 1.3 because that version is supported by the client. As you imply, the server may not support it, so will be using the legacy version so from that point on the protocol will be TLS 1.2 and Wireshark should show that.

I'd be interested to see what does actually happen with a TSL 1.3 client and TLS 1.2 server, do you have such a capture you can publicly share?

grahamb gravatar imagegrahamb ( 2020-07-31 07:43:27 +0000 )edit

Thanks again for your quick response. I can see that my WIN10 PC always sends a TLS1.3 client hello (How I am saying a it is a 1.3 client Hello? By looking at the supported version fields in the extensions and Record layer version being set to 1.0 and handshake protocol being set to 1.2). Now, if I am going to immediately disconnect the internet(Only let the client hello to go out and not giving the time for server hellos to come back), wireshark says it is TLSV1 for the client hello message:) But, if I do not disconnect the internet and let the server hello to come back then wiresshark will look at the server hello field and recalculates the protocol field to TLSv2 or V3 in the client hello. This is interesting. By the way, I think most modern PC always sends a ...(more)

technologyevangelist gravatar imagetechnologyevangelist ( 2020-07-31 07:58:49 +0000 )edit

Think of all the billions of older IoT type devices and home routers etc. that know nothing about TLS 1.3. the earlier versions will be with us for some time.

An article by the IETF from last year discussing TLS 1.3 adoption can be found here.

The Qualys SSL Pulse page shows only 31% of servers offering 1.3 (Protocol Support panel).

grahamb gravatar imagegrahamb ( 2020-07-31 08:16:13 +0000 )edit

Great information. Thanks Grahamb. I think, I got what I was looking for. Thank you so much for your timely help.

technologyevangelist gravatar imagetechnologyevangelist ( 2020-07-31 08:27:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-07-30 17:43:18 +0000

Seen: 63 times

Last updated: Jul 30