This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTPS over TLS - encrypted type

0

Hi,

How does wireshark recognizes: Handshake protocol: Encrypted Handshake message. From the rfc, it doesn't seem to have this type? how can we recognize it from the bytes?

Diana & Shahar

asked 18 Mar '15, 06:33

Dianalab9's gravatar image

Dianalab9
26161620
accept rate: 0%

edited 19 Mar '15, 03:42

grahamb's gravatar image

grahamb ♦
19.8k330206

3 Answers:

2

Wireshark lists this as an "Encrypted Handshake" message because:

  1. It sees from the SSL record that it is a handshake message
  2. The communication is encrypted, as "ChangeCipherSpec" indicates that the negtiated session keys will from that point on be used to encrypt the communication.

When you tell Wireshark to do SSL decryption (by using the private key of the server), the message would have been decrypted and you would see that it is indeed one of the listed handshake messages.

answered 19 Mar '15, 02:59

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks alot!

(19 Mar '15, 03:15) Dianalab9

1

Handshake messages are encrypted after ChangeCipherSpec message with appropriate preceding parameters.

From RFC 5246 (TLS 1.2), section 7.4. Handshake protocol:

The TLS Handshake Protocol is one of the defined higher-level clients of the TLS Record Protocol. This protocol is used to negotiate the secure attributes of a session. Handshake messages are supplied to the TLS record layer, where they are encapsulated within one or more TLSPlaintext structures, which are processed and transmitted as specified by the current active session state.

The current state is described in section 6.1. Connection states:

The security parameters for the pending states can be set by the TLS Handshake Protocol, and the ChangeCipherSpec can selectively make either of the pending states current, in which case the appropriate current state is disposed of and replaced with the pending state; the pending state is then reinitialized to an empty state. It is illegal to make a state that has not been initialized with security parameters a current state. The initial current state always specifies that no encryption, compression, or MAC will be used.

In practice, you will see unencrypted Client Hello, Server Hello, Certificate, Server Key Exchange, Certificate Request, Certificate Verify and Client Key Exchange messages. The Finished handshake message is encrypted since it occurs after the Change Cipher Spec message.

answered 19 Mar '15, 06:26

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

Thank you. The above helped but we have one more question: We have a single frame that the beginning of it's SSL Bytes are (Hex) 16 03 03 00 40 01 ..... 16 - is content type HANDSHAKE 03 03 - version 00 40 - length 01 - message type 'Client Hello'

For some reason wireshark recognizes it as Encrypted Handshake Message. We assume wireshark is right but we don't understand how it recognizes it as Encrypted Handshake Message instead of Client Hello.

Can you please explain?

(20 Jul '15, 02:27) Dianalab9

Does it really dissect said part as encrypted handshake message? ContentType 16 (=22, Handshake) and HandshakeType 1 (ClientHello) can actually be dissected. Got a packet capture that you can share?

(20 Jul '15, 03:41) Lekensteyn

alt text

(21 Jul '15, 05:12) Dianalab9

I've published below partial screen shot; can you take a look?

(21 Jul '15, 05:13) Dianalab9

@Dianalab9 that screenshot is not helpful, it contains no additional information. Can you reproduce it with a recent Wireshark stable version, say, the 1.12.z series?

(22 Jul '15, 11:54) Lekensteyn

0

You are talking about HTTP over TLS, so you should look for SSL.

TLS 1.0 (0x0301) TLS 1.1 (0x0302) TLS 1.2 (0x0303)

answered 18 Mar '15, 07:41

Roland's gravatar image

Roland
7642415
accept rate: 13%

We've looked at this but it only has the following: case hello_request: HelloRequest; case client_hello: ClientHello; case server_hello: ServerHello; case certificate: Certificate; case server_key_exchange: ServerKeyExchange; case certificate_request: CertificateRequest; case server_hello_done: ServerHelloDone; case certificate_verify: CertificateVerify; case client_key_exchange: ClientKeyExchange; case finished: Finished;

How do we recognize: "Handshake protocol: Encrypted Handshake message"

(18 Mar '15, 08:19) Dianalab9

What are you trying to achieve? Do you want to filter only for packets that contain "Encrypted Handshake message" or do you want to write some script/program and you want to know how to identify it?

(18 Mar '15, 12:29) Roland