I was trying to capture some IEC 61850 secure MMS packets to understand the handshake mechanism, but I encountered some confusing behavior. The protocol version shown in the main capture window and the frame details window doesn't match. It appears as TLS 1.3 in the capture window, but in the details, it shows as TLS 1.2.
Where in the details does it show as TLS 1.2? What version of Wireshark are you using?
If you are using Wireshark 4.4.0 or later, there should be an expert info item added in the ServerHelllo which notes that if the supported_versions extension is present, then the legacy_version field, which always indicates TLS 1.2 for backwards compatibility with middleboxes, MUST be ignored and the version in supported_versions used instead. That is almost certainly what is going on here; you are looking at the legacy_version field which only indicates the version in older versions of TLS, but always indicates TLS 1.2 in TLS 1.3.
Asked: 2025-05-12 11:15:30 +0000
Seen: 20 times
Last updated: 2 days ago
