Ask Your Question
0

How to verify what protocol was used in an encrypted file transfer?

asked 2017-11-29 16:18:34 +0000

mredd22 gravatar image

updated 2017-11-29 16:19:20 +0000

We have a transfer which uses IBM's Connect:Direct aka NDM. IBM says the transfer uses TLS1.2, and the log for the transfer also shows TLS1.2 and the cipher used.

I traced this using Wireshark, and I only see "SSL" in the protocol where I am expecting to see TLS1.2 and cipher.

I have already added the ports used at the following location: edit--> preferences -->http: SSL/TLS Ports

When using other applications (with proper ports added), I am able to see TLS1.2 is used in the trace.

Is it possible this is not actually using TLS1.2? Or do I need to add the ports to another protocol? I raised a ticket with IBM and they said if the debug shows TLS1.2, then that is what was used. Any help would be much appreciated.

Thanks,

mredd22

edit retag flag offensive close merge delete

Comments

Can you share the capture, or at least a part of it with the TLS handshake frames?

grahamb gravatar imagegrahamb ( 2017-11-29 16:48:19 +0000 )edit

Hi grahamb and thank you for your response.

I am restricted from sharing this. I would include a screenshot of the Protocol and Info columns to show what I am seeing vs what I think I should see, but I am too green on this site to upload files yet.

They probably wouldn't have been helpful anyways, but would appreciate any thoughts or ideas. Thank you!

mredd22 gravatar imagemredd22 ( 2017-11-29 17:41:46 +0000 )edit

Analysis via text or screenshot is always painful. What we would need to see are the contents of the TLS handshake. You can see these in the example traffic as shown on the SSL Wiki page. We only need the expanded contents of the SSL Layer from the tree.

You can use tshark on the command line to output the required text, use tshark -r your_capture -Y ssl -O ssl > ssl.txt and then post the contents of ssl.txt by editing your question.

grahamb gravatar imagegrahamb ( 2017-11-29 17:54:31 +0000 )edit

grahamb, thank you for offering to help! I'll have to look into tshark, as I've never heard of it. Matthias' answer works for me

mredd22 gravatar imagemredd22 ( 2017-12-05 00:24:55 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-03 09:54:40 +0000

mrEEde gravatar image

updated 2017-12-03 13:45:19 +0000

The TCP payload of NDM packets doesn't start with a SSL record.
C:D adds a 20 byte header in front of the SSL records.
This is why wireshark cannot dissect the SSL record at offset 0 after the TCP header. image description

In this case the session is using TLS1.0

image description

If you are interested in the SSL/TLS Version being used only you can create a coloring rule to give you a hint.

@C:D TLS1.2@data[0:4]== "TCP2" and data[21:2]==0303@[56198,46230,57775][0,0,0]
@C:D TLS1.1@data[0:4]== "TCP2" and data[21:2]==0302@[56198,46230,57775][0,0,0]
@C:D TLS1.0@data[0:4]== "TCP2" and data[21:2]==0301@[56198,46230,57775][0,0,0]
@C:D SSL_V3@data[0:4]== "TCP2" and data[21:2]==0300@[56198,46230,57775][0,0,0]

Regards Matthias

edit flag offensive delete link more

Comments

Matthias,

This is perfect, thank you! Also, we did appreciate your San Antonio SHARE presentations last year!

Thanks,

mredd22

mredd22 gravatar imagemredd22 ( 2017-12-05 00:26:51 +0000 )edit

Glad you liked it - Say Hi to Marc .L ;-)

mrEEde gravatar imagemrEEde ( 2017-12-06 18:45:57 +0000 )edit

Now that NDM supports TLS1.3, I wanted to verify via a Wireshark trace that TLS1.3 was used in an NDM transfer.

Since TLS 1.3 messages disguise themselves as TLS 1.2 messages in the version field, I had to point to what I think is the new "Extension: supported_versions" field. For NDM, I found it only appears on a single packet in the data[73.2] location.

Using the rules Matthias gave above, I added this rule to the top:

@C:D TLS1.3@data[0:4]== "TCP2" and data[21:2]==0303 and data[73:2]==0304@[4626,57825,4626][0,0,0]

@mrEEde, do you have a better way to accomplish identifying TLS1.3 packets in Wireshark? :)

mredd22 gravatar imagemredd22 ( 2022-03-16 18:21:06 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-29 16:18:34 +0000

Seen: 5,070 times

Last updated: Dec 03 '17