capture filter for deprecated SSL/TLS protocols
We're trying to identify applications which are still connecting to our shared SQL servers with deprecated SSL/TLS protocols, so anything older than TLS 1.2. I imagine that's not that uncommon to be curious about, but to my surprise I couldn't find much on how to build a proper capture filter for this.
I know the display filter for showing SSL 3.0, TLS 1.0 & TLS 1.1 packets is pretty simple:
tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302
But I want to avoid capturing everything, as these are very active servers. So I want to filter out everything we're not interested in, only capturing the deprecated protocols.
I found this page with a quite complex capture filter:
(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))
(I'm not going to pretend I understand all of it. There's a breakdown on the page.)
But it doesn't seem to give the expected results. There are still TLSv1.2 packets being captured. Anyone who could jump to the rescue?
"There are still TLSv1.2 packets being captured"
From the linked page:
"I wanted to capture all packets that were of TLS version < 1.2" seems to indicate 1.2 would be allowed to pass.
Has your filter been modified to exclude 1.2?
I'm using the capture filter as described on the webpage. "TLS version < 1.2" means 'less than', so in my book that's SSL 2.0, 3.0, TLS 1.0 and 1.1, leaving out TLS 1.2 & 1.3. Otherwise he'd say <= 1.2.
As I mentioned, I'm not going to pretend I fully understand the filter, but from these parts I interpret that the protocol should be less than 0x0303 (= TLS 1.2):
(tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03)
(tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03)
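Added example, not from the question or the linked page: a Python model of the byte-offset logic behind that capture filter, run over constructed TCP segments (the header builder, the sample records and the port numbers are assumptions for illustration), so each of the three branches can be checked on its own.

```python
import struct

def tls_payload_offset(segment: bytes) -> int:
    """BPF 'tcp[((tcp[12] & 0xf0) >> 2)]': TCP data offset (32-bit words) * 4."""
    return (segment[12] & 0xF0) >> 2

def matches_deprecated_tls(segment: bytes) -> bool:
    """True when the TCP payload begins with a record the filter is after."""
    off = tls_payload_offset(segment)
    p = segment[off:]
    if len(p) < 11:            # the filter reads up to payload byte +10
        return False
    ctype, vmaj, vmin = p[0], p[1], p[2]
    # Branch 1: change_cipher_spec (0x14), alert (0x15) or application_data
    # (0x17) record carrying version 0x0300..0x0302 (SSL 3.0, TLS 1.0, TLS 1.1).
    if ctype in (0x14, 0x15, 0x17) and vmaj == 0x03 and vmin < 0x03:
        return True
    # Branch 2: handshake (0x16) record with minor version < 3 whose hello
    # version (5-byte record header + 4-byte handshake header => +9/+10) is
    # below 0x0303; this rejects a TLS 1.2 ClientHello sent in a 0x0301 record.
    if ctype == 0x16 and vmin < 0x03 and p[9] == 0x03 and p[10] < 0x03:
        return True
    # Branch 3: SSLv2 record (first byte outside 0x14..0x18, it is a length
    # byte there) whose version field at +3/+4 is 0x0002.
    if (ctype < 0x14 or ctype > 0x18) and p[3] == 0x00 and p[4] == 0x02:
        return True
    return False

def tcp_segment(payload: bytes, data_offset_words: int = 5) -> bytes:
    """Constructed TCP header + payload (no IP header: BPF tcp[] is relative
    to the TCP header). data_offset_words > 5 simulates TCP options."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 1433, 0, 0,
                      data_offset_words << 4, 0x18, 0xFFFF, 0, 0)
    hdr += b"\x00" * (4 * data_offset_words - 20)   # option bytes (padding)
    return hdr + payload

def client_hello(record_ver: bytes, hello_ver: bytes) -> bytes:
    """Constructed handshake record: only the fields the filter inspects are real."""
    body = hello_ver + b"\x00" * 32                  # version + random
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + record_ver + len(hs).to_bytes(2, "big") + hs

def app_data(record_ver: bytes) -> bytes:
    """Constructed application_data record with 16 dummy bytes."""
    return b"\x17" + record_ver + b"\x00\x10" + b"A" * 16

SSLV2_HELLO = b"\x80\x2e\x01\x00\x02" + b"\x00" * 20   # constructed SSLv2 ClientHello start
```

Note that pcap-filter gives `and` and `or` equal precedence with left-to-right association, so the unparenthesized `||`/`&&` chain in the middle of the filter does not group into three independent branches the way this model does; wrapping each branch in its own parentheses makes the capture filter behave like the model.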
OK. I misread the final comments - "But it doesn't seem to give the expected results. There are still TLSv1.2 packets being captured." What passes the filter into your capture that should be dropped?
Embarrassing... It turns out I didn't apply the capture filter properly. The machine we test on has several interfaces, and the filter was applied on the wrong one. So we were still capturing everything. Anyhow, I 'fixed' that and asked our DBA to redo a test on TLS 1.0 and TLS 1.2. I'm still capturing some data (much less, obviously), but when I put a display filter on the IP of the machine he was testing from, I get nothing. Neither the TLS 1.0 nor the TLS 1.2 test. When I start over without a capture filter, only with the display filter on the source IP, I do see both TLSv1 and TLSv1.2 being captured. I think we're ready to start the weekend. We'll have another look at this next week with a fresh mind... :-)