Ssl – TLS 1.3 Client-/Server-Hello Version 1.2

openssl, ssl, wireshark

I started a TLS1.3-server via OpenSSL (version 1.1.1-pre4 (beta) 3 Apr 2018)

$ openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1_3

and a TLS1.3 client

$ openssl s_client -connect 127.0.0.1:44330 -tls1_3

I captured the traffic via Wireshark (version: 2.9.0-55):

TLS1_3 Wireshark pcap-data

Why is version 1.2 concerning the handshake protocol and even 1.0 for the record layer detected/defined?

While reading the rfc-draft, I found this:

In order to maximize backwards compatibility, records containing an
initial ClientHello SHOULD have version 0x0301 and a record containing
a second ClientHello or a ServerHello MUST have version 0x0303,
reflecting TLS 1.0 and TLS 1.2 respectively.

Looking at my pcap, this record containing a second ClientHello cannot be found. And the following ServerHello is indeed version 0x0303.

But it seems that client and server do speak TLS1.3 after all:
[image not preserved]

I do not understand this. Can you help me?

Best Answer

Because poor implementations broke when presented with 1.3.

Cloudflare: Why TLS 1.3 isn't in browsers yet

When presented with a client hello with version 3.4, a large percentage of TLS 1.2-capable servers would disconnect instead of replying with 3.3. Internet scans by Hanno Böck, David Benjamin, SSL Labs, and others confirmed that the failure rate for TLS 1.3 was very high, over 3% in many measurements.

The controversial choice was to accept a proposal from David Benjamin to make the first TLS 1.3 message (the client hello) look like TLS 1.2. The version number from the client was changed back to (3, 3) and a new “version” extension was introduced with the list of supported versions inside. The server would return a server hello starting with (3, 4) if TLS 1.3 was supported and (3, 3) or earlier otherwise. Draft 16 of TLS 1.3 contained this new and “improved” protocol negotiation logic.

The original protocol negotiation mechanism is unrecoverably burnt. That means it likely can’t be used in a future version of TLS without significant breakage.
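
As an added example (not from the question, the answer, or OpenSSL), this Python sketch parses a ClientHello record and reports the three places a version number appears: the record layer, the legacy_version field, and the supported_versions extension, which is where TLS 1.3 is actually offered. The sample bytes are constructed and all function names are assumptions made for illustration; the field layout follows RFC 8446.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type, RFC 8446 section 4.2.1
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def version_name(v: int) -> str:
    if v >> 8 == 0x7F:  # pre-RFC builds advertise 0x7f00 | draft number
        return f"TLS 1.3 draft {v & 0xFF}"
    return NAMES.get(v, f"unknown 0x{v:04x}")

def build_sample_client_hello(versions=(0x0304, 0x0303)) -> bytes:
    """Constructed sample record (not taken from the question's pcap)."""
    vlist = b"".join(struct.pack("!H", v) for v in versions)
    ext = (struct.pack("!HHB", SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
           if versions else b"")             # no extension: simulates a pre-1.3 client
    body = (struct.pack("!H", 0x0303)        # legacy_version, frozen at TLS 1.2
            + bytes(32) + b"\x00"            # random (zeros), empty session id
            + struct.pack("!HH", 2, 0x1301)  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs  # record version: TLS 1.0

def parse_client_hello(rec: bytes) -> dict:
    if len(rec) < 11 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    u16 = lambda off: struct.unpack_from("!H", rec, off)[0]
    rec_ver, legacy = u16(1), u16(9)  # record header version, then legacy_version
    pos = 9 + 2 + 32                  # past legacy_version and random
    pos += 1 + rec[pos]               # legacy_session_id
    pos += 2 + u16(pos)               # cipher_suites
    pos += 1 + rec[pos]               # compression_methods
    end = pos + 2 + u16(pos)          # end of the extensions block
    pos, offered = pos + 2, []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        if etype == SUPPORTED_VERSIONS:
            n = rec[pos + 4]          # byte length of the version list
            offered = [u16(pos + 5 + i) for i in range(0, n, 2)]
        pos += 4 + elen
    return {"record": rec_ver, "legacy": legacy, "offered": offered}

def summarize(rec: bytes) -> str:
    info = parse_client_hello(rec)
    offered = ", ".join(map(version_name, info["offered"])) or "absent, legacy_version applies"
    return (f"record layer: {version_name(info['record'])}; "
            f"legacy_version: {version_name(info['legacy'])}; "
            f"supported_versions: {offered}")

print(summarize(build_sample_client_hello()))
```

A capture from a pre-release build would list a draft value such as 0x7f00 | N in the extension, which `version_name` reports as a draft number rather than as TLS 1.3.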
