different TLS handshake versions in the ClientHello from the same client

asked 2018-08-05 16:14:24 +0000

anonymous user

updated 2018-08-05 16:48:34 +0000

I have a Python client. Using "ssl.SSLContext()" and "set_ciphers(myciphers)" I can control the list of the client ciphersuites. The default context disables SSL 2.0 and SSL 3.0 by default and I do not make any change to the versions.

I send 3 handshakes to the website using different ciphersuite list in each one. I do not change the version.

In Wireshark, for the ClientHello, I see different versions in the "protocol" column. I am contacting the same site. The client does not change the version.

1) Can you please explain to me why I see different TLS protocol versions? 2) If this is not the actual version the client offers (which should be TLS 1.2), where can I get the actual client offered TLS version?

Please help!


Comments

Wireshark version?

Can you share the capture file, e.g. Cloudshark, Google Drive, DropBox etc?

grahamb ( 2018-08-05 17:17:03 +0000 )

Bob Jones ( 2018-08-06 00:08:45 +0000 )

I use Wireshark 2.4.5-1 on Ubuntu 18. The client's underlying TLS library is OpenSSL 1.1.0g.

Here is a screenshot. I think I have not saved the capture file but have a screenshot. https://ibb.co/ff3kJz

My questions:

  1. From where can I inspect the "definite" TLS version that the client offers to the server in the TLS handshake?
  2. Why does the "protocol" column in Wireshark show TLSv1 and then TLSv1.2 for the same client, whose offered TLS version I did not change and which is supposed to be TLSv1.2 based on the Python default settings I'm using (I only changed the offered ciphersuites)? The ClientHellos are sent from the same client to the same server.

anon ( 2018-08-06 05:08:03 +0000 )

@grahamb @Bob Jones please advise. I added an (anonymized) screenshot. Hope it explains the problem.

anon ( 2018-08-07 00:29:40 +0000 )

Did you check the link posted? That provides a lot of information related to your questions. In addition, this should as well:

https://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message

Finally, certain cipher suites are defined for only certain versions; for example, TLSv1.2 via RFC 5246 says:

Added HMAC-SHA256 cipher suites

so presumably if you changed from some other suite to one of these, you would now be at TLSv1.2 because they did not exist before, which could be a version change. An expert could probably look at the different suites offered by the client and help you better, but you decided not to provide a trace, as was suggested by @grahamb.

Bob Jones ( 2018-08-07 15:15:56 +0000 )
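
A ClientHello carries two separate version fields on the wire: the one in the TLS record header and `client_version` inside the handshake message, which is where the client states the version it offers (before TLS 1.3's supported_versions extension). The following is an added example, not part of the thread, that reads both from raw record bytes; the sample record and the helper names are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(record_version, client_version, suites):
    """Construct a minimal ClientHello record (sample data, not a capture)."""
    body = struct.pack("!H", client_version) + bytes(32)   # version + random
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (record-layer version, client_version, cipher suite ids)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 37:            # version, random, session_id len, suites len
        raise ValueError("truncated ClientHello")
    (client_ver,) = struct.unpack("!H", body[:2])
    pos = 34                      # skip client_version (2) + random (32)
    pos += 1 + body[pos]          # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return rec_ver, client_ver, suites

def describe(record):
    """Human-readable (record version, offered version, number of suites)."""
    rec_ver, client_ver, suites = parse_client_hello(record)
    return (VERSIONS.get(rec_ver, hex(rec_ver)),
            VERSIONS.get(client_ver, hex(client_ver)), len(suites))

# Constructed sample: record header says TLS 1.0, the hello offers TLS 1.2
SAMPLE = build_client_hello(0x0301, 0x0303, [0xC02F, 0x009C, 0x003C])

if __name__ == "__main__":
    print(describe(SAMPLE))
```

In Wireshark the same two values appear in the packet details pane as the record layer's Version and the Handshake Protocol's Version.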