Wiresharking TLS - What happens during TLS 1.2 and TLS 1.3 Handshake

Captions
What is going on guys, my name is Hussein and welcome to Wireshark Them All, where we basically Wireshark every single protocol in existence, and today it's TLS. We're gonna Wireshark TLS 1.2, we're gonna Wireshark TLS 1.3, and we're gonna Wireshark a failure where the client supports 1.3 but the server doesn't. How about we jump into it? So this is Wireshark, which actually captures low-level TCP packets, and as a back-end engineer, really, I don't think front-end engineers need to worry about that, but as a back-end engineer, if you want to debug, and especially when you write code that uses a lot of networking traffic, you want to know what's going on in every protocol. I talked about WebSockets, talked about what happens in WebSocket, I talked about what happens in HTTP/1.1, I'm still gonna make HTTP/2 and 3, and I'm making TLS and all of this stuff. Guys, like, all this, when you make a request, what really happens behind the scenes, and you really start to appreciate the work that happens, and based on that you can change your mind and say okay, this is more expensive than this, and I'm gonna go do this, right? And if we start doing silly things like opening and closing a connection in a for loop, for example, and I've done this mistake many times in my career, right, and I didn't think much of it because it works, who cares, right? But it will make you appreciate it. How about we jump into it?

Alright, so what I'm gonna do here is I'm gonna curl nginx, right, and nginx only supports TLS 1.2, the server, for some reason, right, they didn't update their certificates or to actually support it. You would think the nginx website would support TLS 1.3, but never mind, it's actually a good opportunity for us to test this stuff. So what I'm gonna do is curl nginx, actually https://nginx.com, and then I'm gonna specifically ask, I'm gonna tell the server that I only support TLS version 1.2, and the moment I -v, this is just to tell us more details in the curl, that's what's gonna happen, right? And there's like these details, we're gonna go through them not from the curl perspective but from Wireshark. So this is the IP address that we hit when we hit nginx, apparently there's a load balancer, so what I'm gonna do here is filter it here so that the IP address is equal to mine and only 443 and only this. So when you do this, Wireshark is actually gonna filter only the packets between the destination and the source so that you see the nice stuff here. So alright, that's all what happens. So how many packets do we have here? Ah, Wireshark, it doesn't start from scratch, that sucks, so 49 to 71, never mind, so a few packets.

Alright, so let's go through. Alright, we're doing TLS 1.2 for sure, right, that means this is the long handshake, and we talked about TLS, check it out here. So what we're gonna do here is, this thing, as ever, it's TCP three-way handshake baby, three-way handshake so we can agree on the sequence number, so the server can send their own data and the clients can send their own data with a sequence and this sequence can be acknowledged, right? We talked about all that stuff. Alright, once we do that, the TLS handshake, and that's the TCP handshake, then the next thing is what? The client actually sends a client hello and it says TLS version 1.1, let's expand that, and I love this about, I love this a lot in Wireshark, it actually expands the TLS and shows you all the headers, so we're gonna go through that a little bit. So in TLS 1.2, guys, before I go through that, it depends on the algorithm being used, but there's usually two round-trips, so the client hello and server hello, and then the client change cipher spec and the server then changes the cipher spec, right, so there's like four requests, right, and basically two round-trips. In TLS 1.3 it's just one round-trip, it's very, right. So client hello, what do we do? We basically say hey, I'm doing client hello, these are the ciphers I support, right, these are the extensions and all that stuff, right. This is the server name extension, the server name indication, we talked about that, right, hey, I'm going to nginx. Cipher suites, that's all the ciphers I support, that's a lot, right, I support so many, curl supports so many ciphers and says okay, I support all of this stuff, pick anything you want, server, that you think is secure. And I'm gonna go through this stuff like application layer protocol negotiation, that's ALPN, that says hey, by the way, if you support it I also support HTTP/2, right? But it seems like, yeah, look at that, hey, I support HTTP/2, but if you don't then let's stick with 1.1 in this case, right? And yeah, that's just how you basically negotiate all of that stuff in the TLS client hello. It is really big, right, only 500 bytes, but there's so much stuff, they make it a bit bit-operated, but yeah, look at this, hash algorithms, and here's one of the interesting things, supported versions. Since we said I want 1.2, the client offers TLS 1.2 and 1.3. That's how curl does it: when you say hey, I want to communicate with TLS 1.2, that means I support 1.2 and above, so it will add 1.2 and add 1.3, okay. And obviously this is the key exchange mode, curl is actually forcing Diffie-Hellman, which is awesome, right, because you don't want RSA, RSA is not perfectly forward and it can be easily cracked, right. Alright, that's the client hello, guys.

What's next, right? There is some TCP window update, that's just the server telling the client hey, by the way, I can receive more than that, right, just so you know that, just send me more data, don't worry about it. Alright, and then the next thing here is like, we didn't acknowledge that yet, I think, well we do acknowledge, how about that, and this, we updated the packet and we also acknowledged that client hello. Awesome. Server hello, then now the server responds, hey alright, let's talk about the server name, alright, this is the application layer negotiation, we're gonna talk in HTTP/1, so it doesn't support HTTP/2, I was surprised, right, nginx, really, so I thought it kind of supports HTTP/2 but it doesn't. That's good for us, next we're gonna talk to Google I think and we're gonna show that it actually supports all that stuff. And look at that, they say I picked 1.2 because I don't support 1.3, awesome, awesome. This is the TLS elliptic curve Diffie-Hellman RSA, okay, so this is the cipher that I picked, alright, and yeah, look at all that stuff, that's the server hello, alright. And now the client just sent the information, the server responds back, right, and now that they actually negotiated what ciphers to pick, the next thing is actually to exchange the key itself. In TLS 1.3 we don't have that, which is, you don't have a choice, server, we're always communicating Diffie-Hellman, always, and here are my key parameters, and let's just exchange the key from the first thing. In TLS 1.3 we finish everything here, okay. And alright, and obviously, oh, what did I do, server hello and then immediately the server will respond with almost the same packet size, 1448, 1448, and now it's clearly a different packet, right, because we're sending two different packets, and here's server hello and now we're sending the certificate. What does the certificate have? It has the public key of the server, it has a certificate authority signature, all that stuff, right, and now the server key exchange, right. So it's the client, actually the server is actually sending multiple packets, and all of this stuff needs to be acknowledged, right, so the client now says okay, I acknowledge your server hello, acknowledge your certificate, and I am about to exchange my side of the key and I'm about to also change the cipher spec immediately, right. So okay, we changed the cipher spec, we send that information, look at how chatty this thing is, right? And then the server, the client says okay, I acknowledge that previous message, and then that's it, immediately what we get back is, I start the, the server, the client, whenever you see application data that means that the encryption started, that means even Wireshark cannot look at what this data is, it's impossible, right? Wireshark cannot do it. A proxy, like a debugging proxy like Fiddler, can actually look at this data and decrypt it, because it will act like a man in the middle, right, it will terminate the TLS and it will establish its own communication between your client and itself and then decrypt and re-encrypt to this back-end, right. But yeah, your Wireshark cannot do anything, so now encrypted alert and all that stuff, and then the fin. Who's initiating the fin? It's actually the client, that's curl, it's okay, we send a confirmation, we actually got back the data from the server, right, not back yet, but sure, alright, we got it back, and then once we get it back, the client says okay, I want to close everything, the server says okay, I want to close too, and there's some packets out of order for some reason. That's it, that's TLS 1.2 guys, a little bit longer, huh, right.

So how about we fail nginx? I'm gonna refresh all this stuff and let's now do this. Alright, so we're gonna say, now what we're gonna do is we're gonna curl https://nginx.com and we're gonna tell nginx.com that hey, we as a client only support TLS 1.3. That's bad, but it's actually, that's bad because most of the connections will fail because not all servers actually support 1.3, but it's good for you because it's always better to use 1.3, right, it's faster, it's more secure actually. And then we do that, look at this, we didn't try that stuff, we're gonna do all that. So this is my IP address, the nginx and all of that stuff, here we fail, this is handshake failure, and that's okay because nginx actually doesn't support TLS 1.3, so that failure is expected. So let's look at what happened here, look at that beautiful stuff. Alright, so nothing fancy here, three-way handshake, syn, syn-ack, ack, and the client hello, let's expand a little bit. The server here says, yeah, I support, the version is 1.2, but look at that, if we go all the way, and says same thing, application negotiation, we go to the supported versions, look at that stuff, I only support 1.3, right? So that freaked out when the server actually received that, and we got an error, since handshake failure, this is like, I'm sorry man, I do not support TLS 1.3, I only support 1.2, right. The error message is a little bit weird, handshake failure, I would expect it to say okay, 1.3 is not supported or whatever, but yeah, that's what we get back from the server. And then obviously immediately the client says, not the client, actually the server, huh, I don't know that, so it's like sorry, I'm sorry, sorry client, you're just too advanced for me, I am going to close the connection, fin-ack, I'm gonna ack, and then I'm gonna ack the message that I sent, which happens to be a failure, and then I'm gonna fin and ack. That's that, right, that's actually what happens when the server doesn't support TLS 1.3, right. So that's another, second case.

How about we go to a case where the server actually supports 1.3? Let's jump into it. Alright guys, how about we test, we see a TLS 1.3, right? So to do that, I don't want to go to Google because I tried to go to Google and it is so complicated, Google does so many different things and I don't want to go through that, right, because they just treat it differently for some reason, they try to optimize. So I'm gonna go to my website, which supports TLS 1.3, shockingly, TLS 1.3, I'm gonna force that and then -v, let's do it. And this is the content, says okay, I'm Maximo connection, whatever, that's the content, don't pay attention to what it says, it's just, hey, this is it, right. And now what I want to actually filter on is my server, which is this one, right, so if I do that, go back to my server here, it says okay, filter it up, and that's it, that's not much, alright, that's reasonable. Let's do it, let's talk about it. So the first thing, syn, syn-ack, ack, not fancy, and then the client hello. The client hello here, in the server says okay, here's the version I support, I only support 1.3, that is awesome, right, but that's what we want, right? And the server will say acknowledge that client hello, and then the server will immediately, in the client hello, what's yours, 1.3, we will have everything we need for the server to assemble the symmetric key, and we talked about TLS 1.3, check it out, right. So the server will say okay, server hello, change cipher spec, here's my certificate, here's everything you need, right here. So it will change the cipher spec and will say yes, I do support 1.3, let's start communicating with 1.3 from now on, and awesome, I don't know why it says version 1.2 here, just odd, but the record is actually 1.3, but yeah, it's 1.3, alright. And then the server acknowledges that stuff and then we start sending application data, that means just like that we started encrypting, and again, what does that mean? Wireshark cannot look at this data, obviously, right. So yeah, the client acknowledges this information, the server acknowledges the data, and then change cipher spec, the client says oh, now I'm ready, I changed, let's go ahead and send information. So this now, the server actually sending some data, I think this is the get request that we made, that's a lot of data, we cannot tell what it is, but what we were interested in is essentially the TLS handshake, which is just literally two steps, right, unless the final step is just another request, but here, just, by the time we got that information we are ready to rock and roll. So TLS 1.3 is way faster, and obviously there's still the data going back and forth, and finally when we actually close the connection, and there goes the connection, for some reason on my server, the server is resetting, so it's a bug on my end, maybe, look at that, it's resetting the connection for some reason, right, so my connection is not closing gracefully and I need to look at that on my end, in my server, right. So there is no fin, there's no beautiful fin, it's just a hard stop like this reset, which is nasty. Anyway guys, that's what we wanted to look at today, TLS, Wireshark, Wiresharking TLS, hope you enjoyed this video guys, I'm gonna see you in the next one, you guys stay awesome.
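Added example, not from the video or the channel: a small Python parser for the two TLS records the video inspects in Wireshark, the ClientHello (record-layer version, legacy handshake version, cipher suites, SNI, ALPN and supported_versions) and the fatal handshake_failure alert a TLS-1.2-only server returns when the client offers only 1.3. The sample records are constructed by a builder in the same file, not captured from nginx.com, so they carry only three extensions where a real curl ClientHello carries many more; the extension numbers, alert code and cipher suite ids are the IANA-registered values. The `server_supports` helper is an assumption of this example: it models a server that accepts exactly the versions passed to it. The parser also separates the record-layer version from supported_versions, which is why a 1.3 handshake shows a 1.2 (or 1.0) version in the record header: that field is a legacy value, and the negotiated version lives in the supported_versions extension.

```python
"""Minimal TLS record parser for the fields discussed in the video:
ClientHello (record version, legacy version, cipher suites, SNI, ALPN,
supported_versions) and the alert record sent on handshake failure.
All sample bytes are constructed here; nothing is a real capture."""
import struct

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
EXT_SERVER_NAME, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, alpn, versions, cipher_suites):
    """Construct a ClientHello record (constructed sample, not a capture)."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # name_type 0 = host_name
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    ver_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (_ext(EXT_SERVER_NAME, sni_body) + _ext(EXT_ALPN, alpn_body)
            + _ext(EXT_SUPPORTED_VERSIONS, ver_body))
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(32)      # legacy_version 1.2 + random (zeros, constructed)
            + b"\x00"                                  # empty legacy session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    # Record-layer version is a legacy field; curl and browsers commonly send 1.0 here.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def build_alert(description, level=2):
    """Construct an alert record; level 2 = fatal."""
    return struct.pack("!BHHBB", CONTENT_ALERT, 0x0303, 2, level, description)


def parse_record(data):
    """Parse one TLS record and return a dict describing a ClientHello or an alert."""
    ctype, rec_ver, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    info = {"record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver))}
    if ctype == CONTENT_ALERT:
        info.update(type="alert", level="fatal" if payload[0] == 2 else "warning",
                    description=ALERT_NAMES.get(payload[1], str(payload[1])))
        return info
    if ctype != CONTENT_HANDSHAKE or payload[0] != 1:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    pos = 0
    legacy = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                  # skip random
    pos += 1 + body[pos]                       # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]; pos += n
    pos += 1 + body[pos]                       # skip compression methods
    info.update(type="client_hello", legacy_version=VERSION_NAMES.get(legacy, hex(legacy)),
                cipher_suites=suites, sni=None, alpn=[], supported_versions=[])
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    while pos < end:                           # walk the extension list
        et, el = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ed = body[pos:pos + el]; pos += el
        if et == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", ed[3:5])[0]
            info["sni"] = ed[5:5 + name_len].decode()
        elif et == EXT_ALPN:
            i = 2
            while i < len(ed):
                plen = ed[i]; info["alpn"].append(ed[i + 1:i + 1 + plen].decode()); i += 1 + plen
        elif et == EXT_SUPPORTED_VERSIONS:
            vs = [struct.unpack("!H", ed[i:i + 2])[0] for i in range(1, 1 + ed[0], 2)]
            info["supported_versions"] = [VERSION_NAMES.get(v, hex(v)) for v in vs]
    return info


def server_supports(hello_info, server_versions):
    """Hypothetical server accepting exactly server_versions: the version it would pick, or None."""
    offered = hello_info["supported_versions"] or [hello_info["legacy_version"]]
    common = [v for v in offered if v in server_versions]
    return max(common) if common else None     # "TLS 1.x" strings compare correctly


# Constructed samples mirroring the video: --tlsv1.2 offers 1.3 and 1.2, --tlsv1.3 offers only 1.3.
HELLO_12 = build_client_hello("nginx.com", ["h2", "http/1.1"], [0x0304, 0x0303],
                              [0x1301, 0xC02B, 0xC02F])
HELLO_13 = build_client_hello("nginx.com", ["h2", "http/1.1"], [0x0304], [0x1301, 0x1302])
FAILURE_ALERT = build_alert(40)   # fatal handshake_failure, as seen from the 1.2-only server

if __name__ == "__main__":
    for rec in (HELLO_12, HELLO_13, FAILURE_ALERT):
        print(parse_record(rec))
    print("1.2-only server picks:", server_supports(parse_record(HELLO_13), ["TLS 1.2"]))
```

Run it with `python3` and compare the printed dicts with what Wireshark shows under Transport Layer Security, Handshake Protocol: Client Hello. The same walk over the extension list is what lets you tell, from the capture alone, that a client which only lists TLS 1.3 in supported_versions will be refused by a server limited to 1.2, which is exactly the handshake_failure alert the video gets back from nginx.com.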
Info
Channel: Hussein Nasser
Views: 17,584
Keywords: wireshark tls, wiresharking tls, wireshark transport layer security, tls 1.2, tls 1.3, tls 1.3 handshake fail
Id: 06Kq50P01sI
Length: 16min 45sec (1005 seconds)
Published: Mon Jun 29 2020