
struct tls_quic -> ssl_version possibly incorrect ?

Open alihushyar opened this issue 3 years ago • 1 comments

Attached is a pcap where the server supports 1.3 but the session falls back to TLS 1.2. However, ssl_version field still shows 1.3 as the version.

In fact, when I take a look at the JA3 and JA3S strings which I had to modify nDPI to see, I get:

Client JA3: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-41,29-23-24,0

Server JA3S: 771,4866,43-51-41

tls_foxnews.zip

The 771 indicated TLS 1.2.

Thanks,

alihushyar avatar Jul 18 '22 00:07 alihushyar

> Attached is a pcap where the server supports 1.3 but the session falls back to TLS 1.2

No, it doesn't. This is a valid TLS 1.3 session. You can check it with Wireshark, too. Note that in TLS 1.3 the field tls.handshake.version is always 1.2 and it is not the negotiated version; see the TLS 1.3 RFC for details

> The 771 indicated TLS 1.2.

The JA3 values are right: in Ja3* strings the used field is tls.handshake.version, not the negotiated version

Thanks,

IvanNardi avatar Jul 18 '22 08:07 IvanNardi
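To make the distinction in the reply above concrete, here is an added example (not nDPI's code and not from either participant) that parses a ServerHello, pulls out the `legacy_version` field that JA3S puts first in its string, and reads the negotiated version from the `supported_versions` extension (type 43) when present. The two ServerHello records are constructed inline, one TLS 1.3 and one TLS 1.2, with made-up random and key-share bytes; the parser handles a single unfragmented ServerHello and is not a full TLS implementation.

```python
"""
Why JA3S says 771 on a TLS 1.3 session.

JA3S is built as "<ServerHello version>,<cipher>,<extension list>", and the
version it uses is the legacy_version field of the ServerHello.  In TLS 1.3
that field is fixed at 0x0303 (771, i.e. TLS 1.2) and the real negotiated
version lives in the supported_versions extension (type 43), so a TLS 1.3
session and a TLS 1.2 session both produce a JA3S starting with 771.
"""
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return its fields."""
    if record[0] != 0x16:                       # record type: handshake
        raise ValueError("not a handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if body[0] != 0x02:                         # handshake type: ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]

    off = 0
    legacy_version = _u16(hs, off); off += 2    # what JA3S hashes as "version"
    off += 32                                   # random
    sid_len = hs[off]; off += 1 + sid_len       # legacy_session_id_echo
    cipher = _u16(hs, off); off += 2
    off += 1                                    # legacy_compression_method

    extensions = []
    negotiated = legacy_version                 # TLS <= 1.2: this is the answer
    if off < len(hs):
        ext_len = _u16(hs, off); off += 2
        end = off + ext_len
        while off < end:
            etype, elen = _u16(hs, off), _u16(hs, off + 2)
            edata = hs[off + 4:off + 4 + elen]
            extensions.append(etype)
            if etype == SUPPORTED_VERSIONS and elen == 2:
                negotiated = _u16(edata, 0)     # TLS 1.3: the real version
            off += 4 + elen
    return {"legacy_version": legacy_version, "negotiated_version": negotiated,
            "cipher": cipher, "extensions": extensions}


def ja3s_string(sh: dict) -> str:
    """JA3S raw string: legacy_version,cipher,extensions (decimal, '-' joined)."""
    return "%d,%d,%s" % (sh["legacy_version"], sh["cipher"],
                         "-".join(str(e) for e in sh["extensions"]))


def negotiated_name(sh: dict) -> str:
    return VERSION_NAMES.get(sh["negotiated_version"], "unknown")


# --- constructed sample ServerHellos (random/key bytes are placeholders) ---
def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack(">HH", etype, len(data)) + data


def build_server_hello(legacy_version: int, cipher: int, extensions) -> bytes:
    hs = (struct.pack(">H", legacy_version) + b"\x11" * 32 + b"\x00"
          + struct.pack(">H", cipher) + b"\x00")
    if extensions:
        blob = b"".join(_ext(t, d) for t, d in extensions)
        hs += struct.pack(">H", len(blob)) + blob
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack(">H", len(body)) + body


# TLS 1.3: legacy_version 0x0303, TLS_AES_256_GCM_SHA384, exts 43 / 51 / 41
TLS13_SERVER_HELLO = build_server_hello(0x0303, 0x1302, [
    (43, b"\x03\x04"),                                    # supported_versions
    (51, struct.pack(">HH", 29, 32) + b"\x22" * 32),      # key_share, x25519
    (41, b"\x00\x00"),                                    # pre_shared_key
])
# TLS 1.2: same legacy_version, ECDHE-RSA-AES128-GCM-SHA256, no ext 43
TLS12_SERVER_HELLO = build_server_hello(0x0303, 0xC02F, [
    (65281, b"\x00"),                                     # renegotiation_info
    (11, b"\x01\x00"),                                    # ec_point_formats
])

if __name__ == "__main__":
    for label, rec in (("TLS 1.3", TLS13_SERVER_HELLO), ("TLS 1.2", TLS12_SERVER_HELLO)):
        sh = parse_server_hello(rec)
        print(label, "JA3S:", ja3s_string(sh), "negotiated:", negotiated_name(sh))
```

Running it prints a JA3S of `771,4866,43-51-41` for the TLS 1.3 record, matching the string in the issue, while the negotiated version comes out as TLS 1.3; the TLS 1.2 record also starts with 771. The rule a dissector needs is therefore: trust `legacy_version` only when extension 43 is absent from the ServerHello.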

Closing for inactivity. If you still have some issues, please open a new updated ticket. Thanks

IvanNardi avatar Aug 30 '22 10:08 IvanNardi