TLS Version and SSLDUMP

Hi all,

I am trying to figure out if the server behind BIG-IP is capable of doing TLS 1.2. Supposedly it should.

I have taken a tcpdump of target traffic as below:

tcpdump -vvv -s 0 -nni 0.0 -w /var/tmp/www-ssl-l7_3.cap host 4O.81.38.X29 and port 7008
ssldump -nr /var/tmp/www-ssl-l7_3.cap > /var/tmp/ssl_out.txt

ssldump output looks like this:

New TCP connection #1: 10.XX.17.86(30809) <-> 4O.81.38.X29(7008)
1 1  0.0161 (0.0161)  C>S  Handshake
  ClientHello
    Version 3.3 
    cipher suites
    Unknown value 0xc02c
    Unknown value 0xc024
    Unknown value 0xc00a
    Unknown value 0xc030
    Unknown value 0xc028
    Unknown value 0xc014
    Unknown value 0xc02b
    Unknown value 0xc023
    Unknown value 0xc009
    Unknown value 0xc02f
    Unknown value 0xc027
    Unknown value 0xc013
    Unknown value 0xc008
    Unknown value 0xc012
    Unknown value 0xc007
    Unknown value 0xc011
    Unknown value 0x9f
    Unknown value 0xa3
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Unknown value 0x9d
    TLS_RSA_WITH_AES_256_CBC_SHA
    Unknown value 0x9e
    Unknown value 0xa2
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Unknown value 0x9c
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    Unknown value 0xff
    compression methods
              NULL
1 2  0.0297 (0.0136)  S>C  Handshake
  ServerHello
    Version 3.3
    session_id[32]=
      57 ca a1 8d 7b 9e 64 80 df b3 28 3a 82 06 ad 29
      ba f3 e6 a5 bf e7 bb a9 24 64 32 5c 93 d6 3d 78
    cipherSuite         Unknown value 0x9d
    compressionMethod                   NULL
1 3  0.0390 (0.0092)  S>C  Handshake
  Certificate
1 4  0.0390 (0.0000)  S>C  Handshake
  ServerHelloDone
1 5  0.0973 (0.0583)  C>S  Handshake
  ClientKeyExchange
1 6  0.0973 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0973 (0.0000)  C>S  Handshake
1 8  0.1112 (0.0138)  S>C  ChangeCipherSpec
1 9  0.1122 (0.0010)  S>C  Handshake
1 10 0.1150 (0.0028)  C>S  application_data
1 11 0.1281 (0.0131)  S>C  application_data
1    0.1282 (0.0000)  S>C  TCP FIN
1 12 9.5960 (9.4678)  C>S  Alert
1    9.5982 (0.0022)  C>S  TCP FIN

Is there a way to read TLS version the client is offering in client Hello?

Thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

alex100,

The TLS version can be retrieved from the Version line in the client and server hellos. Version 3.3 means TLS 1.2. So it looks like both client and server agreed upon TLS 1.2.

Version 3.0 is SSLv3, 3.1 is TLS 1.0, 3.2 is TLS 1.1.

Hope this helps,

N

1
Comments on this Answer
Comment made 17-Mar-2017 by alex100 317

Nice one. Side question...

How do you interpret ciphers displayed as "unknown value"?

Unknown value 0xc02c
Unknown value 0xc024
Unknown value 0xc00a
Unknown value 0xc030
Unknown value 0xc028
Unknown value 0xc014
Unknown value 0xc02b
Unknown value 0xc023
0
Comment made 17-Mar-2017 by alex100 317

OK, I was able to find the answer myself... Not sure why, but some of them are displayed in hex...

Seems like we agree on the following cipher:

1 2  0.0297 (0.0136)  S>C  Handshake
  ServerHello
    Version 3.3 
    session_id[32]=
      57 ca a1 8d 7b 9e 64 80 df b3 28 3a 82 06 ad 29 
      ba f3 e6 a5 bf e7 bb a9 24 64 32 5c 93 d6 3d 78 
    cipherSuite         Unknown value 0x9d

which is:

CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0x9D}
0
Comment made 17-Mar-2017 by nathan 7337

Sorry for the delay, yes you're right. I was going to point you in this direction as some of the IDs are listed here: https://devcentral.f5.com/questions/output-hexadecimal-id-of-ssl-tls-cipher-suite-49842

0
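The decoding worked out in this thread (ssldump's major.minor version numbers and the "Unknown value 0x.." cipher suite IDs), as an added example that is not part of the original posts. The function names are this example's own, the table is only a small subset of the IANA cipher suite registry, and the sample text is constructed to resemble the capture in the question.

```python
import re
# ssldump prints the protocol version as major.minor (3.3 = TLS 1.2).
TLS_VERSIONS = {"3.0": "SSLv3", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
# Subset of the IANA TLS cipher suite registry (16-bit ID -> name).
IANA_SUITES = {
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
HELLO = re.compile(r"^\s*(ClientHello|ServerHello)\s*$")
RECORD = re.compile(r"^\s*\d+\s+\d*\s*[\d.]+\s+\(")  # "1 2  0.0297 (0.0136)  S>C ..."
VERSION = re.compile(r"^\s*Version\s+(\d+\.\d+)")
SUITE = re.compile(r"Unknown value (0x[0-9a-fA-F]+)|\b(TLS_[A-Z0-9_]+)")

def suite_name(hex_id):
    """Name for an ssldump 'Unknown value 0x..' ID, or a marker if not in the table."""
    return IANA_SUITES.get(int(hex_id, 16), "unlisted 0x%04X" % int(hex_id, 16))

def summarize(text):
    """Return one {'type', 'version', 'suites'} dict per hello, in capture order."""
    hellos, current = [], None
    for line in text.splitlines():
        hello, version, suite = HELLO.match(line), VERSION.match(line), SUITE.search(line)
        if hello:
            current = {"type": hello.group(1), "version": None, "suites": []}
            hellos.append(current)
        elif RECORD.match(line):
            current = None  # a new record starts, so the hello body has ended
        elif current is not None and version:
            current["version"] = TLS_VERSIONS.get(version.group(1), "unknown " + version.group(1))
        elif current is not None and suite:
            unknown, named = suite.groups()
            current["suites"].append(suite_name(unknown) if unknown else named)
    return hellos

# Constructed sample, modelled on the ssldump output in the question.
SAMPLE = """\
1 1  0.0161 (0.0161)  C>S  Handshake
  ClientHello
    Version 3.3
    Unknown value 0xc02c
    TLS_RSA_WITH_AES_256_CBC_SHA
    Unknown value 0xa3
1 2  0.0297 (0.0136)  S>C  Handshake
  ServerHello
    Version 3.3
    cipherSuite         Unknown value 0x9d
"""
```

Calling `summarize(open("/var/tmp/ssl_out.txt").read())` on the file written by the ssldump command in the question gives the offered list from each ClientHello and the single suite the server selected in each ServerHello.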