Analyzing a TLS handshake can reveal critical details about a server's identity and software configuration. This process is invaluable for security assessments, network diagnostics, and penetration testing. Here's how it works:
Key Elements Revealed During a TLS Handshake
- Server Certificate (X.509)
  - Purpose: Authenticates the server to the client.
  - Details Extracted:
    - Common Name (CN) and Subject Alternative Names (SANs): Indicate the domain names the certificate secures.
    - Issuer Information: Identifies the Certificate Authority (CA) that issued the certificate.
    - Validity Period: Specifies the certificate's active dates.
    - Public Key: Used for encrypting data sent to the server.
  - Use Case: By examining the certificate, one can determine the server's domain, the CA hierarchy, and the encryption standards in use.
- TLS Version and Cipher Suites
- Server Name Indication (SNI)
  - Purpose: Allows a client to specify the hostname it's trying to connect to during the handshake.
  - Details Extracted:
  - Use Case: Useful for identifying the target domain, especially in environments where multiple domains are hosted on a single IP address.
- TLS Extensions and Parameters
Tools for TLS Handshake Analysis
- Wireshark: A network protocol analyzer that can capture and dissect TLS handshakes, revealing certificates, cipher suites, and more.
- OpenSSL: A toolkit for the TLS and SSL protocols; it can initiate handshakes and display certificate details.
- JA3 Fingerprinting: Generates fingerprints of TLS clients and servers based on handshake parameters, aiding in identifying specific software implementations.
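To make the SNI and JA3 items above concrete, here is an added Python example (not code from the original page or from the JA3 project) that parses a ClientHello, extracts the SNI hostname, and builds the JA3 string and MD5 hash. The names `fingerprint` and `sample_record` and the ClientHello bytes are constructed for illustration, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 values; JA3 omits them

def u16s(data):
    """Split bytes into big-endian 16-bit integers, dropping GREASE values."""
    return [v for (v,) in struct.iter_unpack(">H", data) if v not in GREASE]

def fingerprint(record):
    """Return (sni, ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                  # skip record (5) and handshake (4) headers
    version = struct.unpack(">H", body[:2])[0]
    pos = 34                           # client_version (2) + random (32)
    pos += 1 + body[pos]               # session_id
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    ciphers = u16s(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]               # compression methods
    pos, end = pos + 2, len(body)      # skip extensions length; read to end of body
    exts, groups, formats, sni = [], [], [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype not in GREASE:
            exts.append(etype)
        if etype == 0:                 # server_name: first host_name entry only
            sni = data[5:5 + struct.unpack(">H", data[3:5])[0]].decode("ascii")
        elif etype == 10:              # supported_groups
            groups = u16s(data[2:])
        elif etype == 11:              # ec_point_formats
            formats = list(data[1:])
    fields = [[version], ciphers, exts, groups, formats]
    ja3 = ",".join("-".join(map(str, f)) for f in fields)
    return sni, ja3, hashlib.md5(ja3.encode()).hexdigest()

def sample_record(host=b"www.example.com"):
    """Constructed ClientHello (not captured traffic) with GREASE, SNI and ALPN h2."""
    ext = lambda t, d: struct.pack(">HH", t, len(d)) + d
    sni = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    exts = (ext(0x0A0A, b"") + ext(0, sni) + ext(10, struct.pack(">HHH", 4, 29, 23))
            + ext(11, b"\x01\x00") + ext(16, b"\x00\x03\x02h2"))
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack(">HHHH", 6, 0x0A0A, 0xC02F, 0x1301)
            + b"\x01\x00" + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Because the hostname is not one of the five JA3 fields, the same client produces the same fingerprint whichever domain it requests, which is why JA3 identifies client software rather than destinations.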
Practical Example
Suppose you're analyzing traffic to a web server. By capturing the TLS handshake:
- Certificate Analysis: You discover the certificate is issued to www.example.com by Let's Encrypt, valid for 90 days.
- Cipher Suites: The server supports modern cipher suites like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, indicating up-to-date security practices.
- ALPN Extension: The presence of h2 suggests the server supports HTTP/2.
From this information, you infer that the server is likely running a modern web server like Nginx or Apache with HTTP/2 enabled and uses Let's Encrypt for SSL certificates.