Forum Discussion

alex100's avatar
alex100
Icon for Cirrostratus rankCirrostratus
Mar 17, 2017

TLS Version and SSLDUMP

Hi all,

I am trying to figure out if server behind Big-IP is capable of doing TLS 1.2 Supposedly it should.

I have taken a tcpdump of target traffic as below:

tcpdump -vvv -s 0 -nni 0.0 -w /var/tmp/www-ssl-l7_3.cap host 4O.81.38.X29 and port 7008
ssldump -nr /var/tmp/www-ssl-l7_3.cap > /var/tmp/ssl_out.txt

ssldump output looks like this:

New TCP connection 1: 10.XX.17.86(30809) <-> 4O.81.38.X29(7008)
1 1  0.0161 (0.0161)  C>S  Handshake
  ClientHello
    Version 3.3 
    cipher suites
    Unknown value 0xc02c
    Unknown value 0xc024
    Unknown value 0xc00a
    Unknown value 0xc030
    Unknown value 0xc028
    Unknown value 0xc014
    Unknown value 0xc02b
    Unknown value 0xc023
    Unknown value 0xc009
    Unknown value 0xc02f
    Unknown value 0xc027
    Unknown value 0xc013
    Unknown value 0xc008
    Unknown value 0xc012
    Unknown value 0xc007
    Unknown value 0xc011
    Unknown value 0x9f
    Unknown value 0xa3
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Unknown value 0x9d
    TLS_RSA_WITH_AES_256_CBC_SHA
    Unknown value 0x9e
    Unknown value 0xa2
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Unknown value 0x9c
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    Unknown value 0xff
    compression methods
              NULL
              1 2  0.0297 (0.0136)  S>C  Handshake
  ServerHello
    Version 3.3 
    session_id[32]=
      57 ca a1 8d 7b 9e 64 80 df b3 28 3a 82 06 ad 29 
      ba f3 e6 a5 bf e7 bb a9 24 64 32 5c 93 d6 3d 78 
    cipherSuite         Unknown value 0x9d
    compressionMethod                   NULL
            1 3  0.0390 (0.0092)  S>C  Handshake
                  Certificate
                  1 4  0.0390 (0.0000)  S>C  Handshake
  ServerHelloDone
  1 5  0.0973 (0.0583)  C>S  Handshake
  ClientKeyExchange
  1 6  0.0973 (0.0000)  C>S  ChangeCipherSpec
  1 7  0.0973 (0.0000)  C>S  Handshake
  1 8  0.1112 (0.0138)  S>C  ChangeCipherSpec
  1 9  0.1122 (0.0010)  S>C  Handshake
  1 10 0.1150 (0.0028)  C>S  application_data
  1 11 0.1281 (0.0131)  S>C  application_data
  1    0.1282 (0.0000)  S>C  TCP FIN
  1 12 9.5960 (9.4678)  C>S  Alert
  1    9.5982 (0.0022)  C>S  TCP FIN

Is there a way to read TLS version the client is offering in client Hello?

Thanks.

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    alex100,

     

    The TLS version can be retrieved from the Version line in client and server hellos. Version 3.3 means TLS 1.2. So looks like both client and server agreed upon TLS 1.2.

     

    Version 3.0 is SSLv3, 3.1 is TLS1.0, 3.2 is TLS 1.1

     

    Hope this helps,

     

    N