How to find what cipher TLS1.2 is using

asked 2021-03-09 00:14:33 +0000

JWK

Our security auditor is requiring I show them the exact cipher our SSL-VPN traffic is using. I have captured a packet from our firewall and am deciphering it in Wireshark. In the Client Hello, it shows that the two ends are using TLS1.2 and will accept 19 different ciphers, 18 AES128 or AES256 and 1 DES. But I can't find where it says which cipher they eventually agree on and use. Where do I find exactly what cipher is being used in their communications? Any help will be GREATLY appreciated, as these auditors are driving me crazy, lol.


Just give them the PCAP file and tell them it contains the answer. They are the auditor so let them sort this out ;-)

hugo.vanderkooij ( 2021-03-09 08:33:33 +0000 )

2 Answers

answered 2021-03-09 08:37:40 +0000

grahamb

The client (in the Client Hello handshake message) sends the cipher suites it's prepared to handle, and the server returns the one it has chosen in its Server Hello response.

See RFC 5846, Sect, Server Hello:


  The single cipher suite selected by the server from the list in
  ClientHello.cipher_suites.  For resumed sessions, this field is
  the value from the state of the session being resumed.

The Wireshark field name is tls.handshake.ciphersuite; if you add this as a column you will see all the suites offered by the client in the Client Hello and the single suite chosen by the server in the Server Hello. Ideally, these fields should have different field names allowing easier extraction.


Thank you so very much for your answer. It was EXACTLY what I needed to know. Took 2 minutes to get the screenshot that I needed for the security auditors. Thank you again for your excellent reply.

JWK ( 2021-03-15 22:26:16 +0000 )

Not sure which answer you're referring to so can you "Accept" the answer that helped you by clicking the checkmark icon to the left of it to help others who may have the same question.

grahamb ( 2021-03-16 09:32:27 +0000 )

answered 2021-03-09 08:31:11 +0000

hugo.vanderkooij

In simple terms:

1. Client hello presents all options the client can support
2. Server hello presents the option chosen by the server (among other things)

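The point both answers make, shown on raw bytes as an added example that is not part of the original thread: the Client Hello carries a length-prefixed list of offered suites, while the Server Hello carries exactly one, the negotiated suite. The function names and the sample records are constructed for illustration, and the parser assumes the Hello is the first, unfragmented handshake message in the record.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for the constructed samples.
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
CLIENT_HELLO, SERVER_HELLO = 1, 2

def hello_cipher_suites(record: bytes):
    """Return (handshake_type, [suite ids]) from a TLS record that starts with a Hello."""
    if len(record) < 5 or record[0] != 22:        # 22 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake header")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented handshake message")
    pos = 2 + 32                  # skip version (2 bytes) and random (32 bytes)
    pos += 1 + body[pos]          # skip session_id length byte and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher suite field")
    if hs_type == SERVER_HELLO:   # exactly one suite: the server's choice
        return hs_type, [int.from_bytes(body[pos:pos + 2], "big")]
    if hs_type == CLIENT_HELLO:   # 2-byte length, then the offered suites
        n = int.from_bytes(body[pos:pos + 2], "big")
        raw = body[pos + 2:pos + 2 + n]
        return hs_type, [int.from_bytes(raw[i:i + 2], "big")
                         for i in range(0, len(raw) - 1, 2)]
    raise ValueError("not a Client Hello or Server Hello")

def negotiated_suite(record: bytes) -> str:
    """Name of the suite the server selected; rejects anything but a Server Hello."""
    hs_type, suites = hello_cipher_suites(record)
    if hs_type != SERVER_HELLO:
        raise ValueError("only the Server Hello states the negotiated suite")
    return SUITE_NAMES.get(suites[0], f"0x{suites[0]:04X}")

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

# Constructed samples: TLS 1.2, all-zero random, empty session_id, null compression.
_PREFIX = b"\x03\x03" + bytes(32) + b"\x00"
SAMPLE_CLIENT_HELLO = _record(1, _PREFIX + b"\x00\x06\xc0\x30\xc0\x2f\x00\x0a" + b"\x01\x00")
SAMPLE_SERVER_HELLO = _record(2, _PREFIX + b"\xc0\x30" + b"\x00")
```
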


Last updated: Mar 15 '21