Understanding the TLS Handshake using Wireshark – HTTPS

Wireshark is a powerful tool for understanding or troubleshooting TLS/SSL connections, as it allows you to capture, filter, and analyze network traffic to diagnose issues in secure communication. Here's a high-level guide on how to use Wireshark for TLS/SSL troubleshooting:

1. Set up the packet capture on Cisco ISE.
2. Start the BYOD onboarding process, or otherwise initiate TLS traffic.
3. Open the capture in Wireshark and locate the TLS handshake to see how the connection is being established.

Look for these key messages in the handshake:

  • Client Hello: The client initiates the connection and sends supported TLS versions, cipher suites, and extensions.
  • Server Hello: The server responds with its chosen TLS version, cipher suite, and certificate.
  • Certificate: The server sends its certificate for client verification.
  • Server Key Exchange (for ephemeral key exchanges): The server provides key material for generating the session key.

Ephemeral key exchanges are cryptographic methods that generate temporary, short-lived keys for each session. In TLS/SSL connections, ephemeral key exchanges are often used to establish a secure communication channel while providing Perfect Forward Secrecy (PFS). This means that even if a private key is compromised in the future, past communications remain secure, as each session has its own unique key.
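To make the Client Hello / Server Hello fields concrete, here is an added Python example (not code from the original post, and not a Cisco ISE or Wireshark tool) that decodes the same fields Wireshark displays: the legacy version, the offered and chosen cipher suites, the SNI host name and the supported_versions extension. The sample records are constructed in the script from a placeholder host name (`ise.example.test`) and fixed filler bytes for the random field, so nothing here comes from a real capture. The summary function also reports whether the negotiated suite is an ephemeral (DHE/ECDHE or TLS 1.3) suite, which is the property that gives the session Perfect Forward Secrecy as described above; the cipher-suite table is a small subset of the IANA registry, not a complete list.

```python
import struct

# Small, intentionally non-exhaustive subset of the IANA TLS cipher-suite registry.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def provides_pfs(suite_name):
    """DHE/ECDHE suites give forward secrecy; every TLS 1.3 suite is (EC)DHE-only."""
    return "DHE" in suite_name or suite_name.startswith(("TLS_AES_", "TLS_CHACHA20_"))


def _vec(data, size):
    """TLS length-prefixed vector with a `size`-byte length field."""
    return len(data).to_bytes(size, "big") + data


def _read_vec(buf, pos, size):
    """Read a length-prefixed vector; returns (contents, position after it)."""
    n = int.from_bytes(buf[pos:pos + size], "big")
    pos += size
    return buf[pos:pos + n], pos + n


def _ext(ext_type, data):
    return struct.pack("!H", ext_type) + _vec(data, 2)


def _record(hs_type, body):
    """Wrap a handshake body in a handshake header and a TLS record header (type 0x16)."""
    return b"\x16\x03\x03" + _vec(bytes([hs_type]) + _vec(body, 3), 2)


def build_client_hello(host, suites, versions):
    """Constructed sample ClientHello (not a real capture); the random field is filler."""
    sni = _ext(EXT_SERVER_NAME, _vec(b"\x00" + _vec(host.encode(), 2), 2))
    sv = _ext(EXT_SUPPORTED_VERSIONS, _vec(b"".join(struct.pack("!H", v) for v in versions), 1))
    body = (b"\x03\x03" + b"\x11" * 32 + _vec(b"", 1)
            + _vec(b"".join(struct.pack("!H", s) for s in suites), 2)
            + _vec(b"\x00", 1) + _vec(sni + sv, 2))
    return _record(1, body)


def build_server_hello(suite, selected_version=None):
    """Constructed sample ServerHello; a TLS 1.3 server carries the real version in supported_versions."""
    exts = b"" if selected_version is None else _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!H", selected_version))
    body = b"\x03\x03" + b"\x22" * 32 + _vec(b"", 1) + struct.pack("!H", suite) + b"\x00" + _vec(exts, 2)
    return _record(2, body)


def parse_hello(record):
    """Decode the fields Wireshark shows for a ClientHello (type 1) or ServerHello (type 2)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs, _ = _read_vec(record, 3, 2)
    hs_type = hs[0]
    body, _ = _read_vec(hs, 1, 3)
    legacy = struct.unpack("!H", body[:2])[0]
    info = {"type": {1: "ClientHello", 2: "ServerHello"}[hs_type],
            "legacy_version": VERSIONS.get(legacy, hex(legacy))}
    pos = 2 + 32                                   # skip the 32-byte random
    _, pos = _read_vec(body, pos, 1)               # session_id
    if hs_type == 1:
        raw, pos = _read_vec(body, pos, 2)         # offered cipher suites
        info["cipher_suites"] = [CIPHER_SUITES.get(s, hex(s))
                                 for s in struct.unpack("!%dH" % (len(raw) // 2), raw)]
        _, pos = _read_vec(body, pos, 1)           # compression methods
    else:
        suite = struct.unpack("!H", body[pos:pos + 2])[0]
        info["cipher_suite"] = CIPHER_SUITES.get(suite, hex(suite))
        pos += 3                                   # chosen suite + compression method
    exts, p = {}, 0
    ext_blob, _ = _read_vec(body, pos, 2) if pos < len(body) else (b"", pos)
    while p < len(ext_blob):
        ext_type = struct.unpack("!H", ext_blob[p:p + 2])[0]
        exts[ext_type], p = _read_vec(ext_blob, p + 2, 2)
    if EXT_SERVER_NAME in exts:
        names, _ = _read_vec(exts[EXT_SERVER_NAME], 0, 2)
        host, _ = _read_vec(names, 1, 2)           # byte 0 is name_type (0 = host_name)
        info["sni"] = host.decode()
    if EXT_SUPPORTED_VERSIONS in exts:
        d = exts[EXT_SUPPORTED_VERSIONS]
        lst = _read_vec(d, 0, 1)[0] if hs_type == 1 else d
        info["supported_versions"] = [VERSIONS.get(v, hex(v))
                                      for v in struct.unpack("!%dH" % (len(lst) // 2), lst)]
    return info


def negotiated_summary(client_hello, server_hello):
    """Combine both Hellos into the answer a troubleshooter wants: what was actually negotiated."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    suite = sh["cipher_suite"]
    return {"sni": ch.get("sni"),
            "version": sh.get("supported_versions", [sh["legacy_version"]])[0],
            "cipher_suite": suite,
            "offered_by_client": suite in ch["cipher_suites"],
            "forward_secrecy": provides_pfs(suite)}


# Constructed sample exchange: client offers two ECDHE and two plain-RSA suites, server picks ECDHE.
SAMPLE_CLIENT_HELLO = build_client_hello("ise.example.test", [0xC02F, 0xC030, 0x009C, 0x002F], [0x0304, 0x0303])
SAMPLE_SERVER_HELLO = build_server_hello(0xC02F)

if __name__ == "__main__":
    print(negotiated_summary(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

Run on the constructed sample, the summary reports TLS 1.2 with `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and `forward_secrecy: True`; swapping the server's choice to `0x002F` (static RSA key exchange) flips it to `False`, which is the case where a later private-key compromise would expose recorded sessions. A server that selects a suite the client never offered is also flagged, since that is a protocol violation worth noticing in a capture.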

Extracting certificates from Wireshark

1. Right-click on the last certificate.
2. Save the certificate.
3. Repeat the steps for each certificate in the chain.

In the example below, three certificates were extracted from Wireshark.

  • Client Key Exchange: The client sends a portion of the key material and completes the key agreement.
  • Finished Messages: Both client and server send a “Finished” message to confirm a successful handshake.
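The manual right-click export above walks the server's Certificate message one entry at a time. The added Python example below (not code from the original post or from Wireshark) does the same thing on the wire bytes: it splits a TLS 1.2 Certificate handshake message (type 11) into its `certificate_list` entries, writes each DER blob to its own file, and reports a SHA-256 fingerprint per certificate so the chain can be compared against what ISE is configured to trust. The three-entry chain is constructed in the script from placeholder byte strings that merely start like DER; they are not real certificates, and the output directory is a temporary one.

```python
import hashlib
import os
import tempfile

HS_CERTIFICATE = 11  # handshake message type for Certificate (TLS 1.2)


def _read_vec(buf, pos, size):
    """Read a TLS length-prefixed vector, refusing to run past the end of the buffer."""
    n = int.from_bytes(buf[pos:pos + size], "big")
    pos += size
    if pos + n > len(buf):
        raise ValueError("truncated vector at offset %d (need %d bytes)" % (pos, n))
    return buf[pos:pos + n], pos + n


def split_certificate_message(handshake):
    """Return the DER blobs in a Certificate message, leaf first, as the server sent them."""
    if handshake[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate handshake message (type %d)" % handshake[0])
    body, _ = _read_vec(handshake, 1, 3)        # 3-byte handshake length
    cert_list, _ = _read_vec(body, 0, 3)        # 3-byte certificate_list length
    certs, pos = [], 0
    while pos < len(cert_list):
        der, pos = _read_vec(cert_list, pos, 3)  # each entry: 3-byte length + DER
        certs.append(der)
    return certs


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most tools display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def export_chain(handshake, directory=None):
    """Write cert0.der (leaf), cert1.der, ... and return [(path, fingerprint), ...]."""
    directory = directory or tempfile.mkdtemp(prefix="tls-chain-")
    out = []
    for i, der in enumerate(split_certificate_message(handshake)):
        path = os.path.join(directory, "cert%d.der" % i)
        with open(path, "wb") as f:
            f.write(der)
        out.append((path, fingerprint(der)))
    return out


def build_certificate_message(ders):
    """Constructed sample Certificate message; used only to produce test input."""
    lst = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(lst).to_bytes(3, "big") + lst
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Placeholder "certificates": DER-like prefixes followed by labels, NOT real X.509 data.
PLACEHOLDER_CHAIN = [
    b"\x30\x82\x00\x14" + b"leaf-cert-placeholder",
    b"\x30\x82\x00\x1c" + b"intermediate-ca-placeholder",
    b"\x30\x82\x00\x14" + b"root-ca-placeholder",
]
SAMPLE_CERTIFICATE_MESSAGE = build_certificate_message(PLACEHOLDER_CHAIN)

if __name__ == "__main__":
    for path, fp in export_chain(SAMPLE_CERTIFICATE_MESSAGE):
        print(path, fp)
```

Because every length field is checked before it is used, a capture that was cut off mid-message raises a clear `ValueError` instead of silently producing a short final certificate, which is the failure mode that most often makes an exported chain fail to load later.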
