Ask Your Question

Revision history [back]

Can I assume the elements in tls.handshake.certificate are in order?

Hi guys, I'm using tshark to parse pcap into json, my command is as following: tshark -r xxx.pcap -T json --no-duplicate-keys tls > xxx.json

Then I need to get certs from tls's Certificate record. I find out that the certs are stored as list of strings with the key "tls.handshake.certificate", like this:

"tls.handshake.certificate": [ "30:82:06:f8:30:82:05:e0:a0:03:02:01:02:02:0c:4b:ad...", "30:82:04:69:30:82:03:51:a0:03:02:01:02:02:0b:04:00..." ]

My question is, can I assume that the certs is in order? In another word, the first element of this list is leaf cert and the last one is root?

Thanks in advance