Saturday, June 3, 2017

how to debug "TLS server extensions" that are supported by a server

TLS server extensions are a function of the various version of the TLS protocol. But how do you know what extensions are supported by the server?


1st you need to know the defined  TLS server extension "IDs", this  listing is maintained by IANA and the listed IDs and RFCs are documented by IANA.



Next,  by using  openssl with the tls extension debug  (-tlsextdebug ) you can validate the server support for TLS server extensions and what extensions are  actually supported.

Here's some  examples  I've put together to show you  various differences that's commonly encountered.


Microsoft    IDs 65281, 35, &  5


Cisco         IDs 65281 and 35


Here's  heartbeat support  id15 which did not  translated in the  debug output via openssl

A local email-appliance IDs   65281 and 15



Since the  tls server extension happens before the SSL session is  negotiated,   these messages can easily be displayed via tshark/wireshark and by monitoring the client/server hellos.



Be advise  that that various  forward-proxies can change or remove various extension during the negotiation.








example in my office behind a proxy  the same  microsoft site  now shows;

Now just the single   IDs 65281  shows up.

























Ken   Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

No comments:

Post a Comment