I think a deep dive would be great. I interview people quite often and most do not fully understand the steps to completing a TLS handshake. Everything from 'What are the 3 main things TLS/SSL provides?', to 'Walk me thru a TLS/SSL handshake in detail...', 'How does client authentication work?', or 'How does renegotiation work?' etc etc. Keep up the great work!

Great vidio Mr. Chris for certificate initial analysis and view We would like to you to present more vidios regarding the certificate topic , as it not clear for most of specialists , and deals with certificate tasks or troubleshooting by dummy steps with shortage of knowledge and deep understand . It would be useful vidios if you continued to make vidios for wireshark certificate capture with common certificate issues to be diagnosed by the capture analysis Like , untrusted certificates or self signed , and missmatch of TLS version issue or application version issue ... etc

Thank you for the comment tom!

Thank you! I can’t wait to make it!

Thank you Roland! And a special shout-out to Sake for looking it over first to make sure I didn't say anything completely stupid. 😄

Hi Seth, totally agreed. But I think there will start to be instances where we see it encrypted in the near future. Here is one reference www.cloudflare.com/learning/ssl/what-is-encrypted-sni/

​@@ChrisGreer First I'd heard of ESNI and ECH. I found the draft RFC in the link you provided. (first impression) Looks like ECH is compatible with the middle-box scenario I outlined (which the RFC calls a split-mode topology). It's distributing a public key via DNS, and providing a fallback where a client can complete negotiation with a server to learn the ECH public key direct from the server (at the cost of an extra round trip). Looks like the middle-boxes performing ECH would need access to the ECH private key, but not the TLS private keys of the backends that terminate TLS. I also found RFC8744 which outlines "unanticipated use of SNI" in section 2.1 which provides the motivation for ECH. I didn't previously understand how SNI was being abused. The reason why Cloudflare is working on ESNI/ECH seems clear. datatracker.ietf.org/doc/rfc8744/ Thank you for sharing your knowledge. I just found your channel today and now I got some binge-watching to do. 🙂

Great suggestion!

Awesome! Thanks for the comment. I hope this video and the ones to follow help you to understand TLS!

Thanks Faran! For sure, hope to meet you in person one day.

Thank you for the comment!

I agree! Too bad it probably won't be here forever. But hey, I will enjoy it while it lasts... www.cloudflare.com/learning/ssl/what-is-encrypted-sni/

Thank you!

Thanks for the suggestion!

If they put TLS 1.3 immediately at the handshake layer, what would a middlebox do that is inspecting TLS? If it doesn't yet support 1.3, it will probably drop and reset the connection. I'm very sure a ton of research and testing went into that aspect. The same is true for TCP and other protocols. It is hard to migrate things to new features over boxes that don't yet support those features, all the while still supporting endpoints that have not migrated either.

Thanks for the feedback!

Didn’t mean to be unclear… by “going away” I meant that there are efforts to encrypt it. ESNI - so yeah, not sure how widely it will be implemented, but one day we may not have it in the clear anymore…

www.cloudflare.com/learning/ssl/what-is-encrypted-sni/

@@ChrisGreer I guessed it would be encrypted rather than removed. It's kinda important nowadays ^_^

Agreed! Which is why when it gets encrypted a very useful troubleshooting data point will be lost!

Thank you! Please share with anyone you think could benefit.

Thank you!

I ran into the same about a month or so ago, now that I saw this video I understand why there's TLS 1.0 in the first part and TLS 1.2 in the next. I think the issue is related to ciphers not being supported by the server because I also see no reponse from the server after the client hello. Hopefully Chris can confirm if that it is indeed expected behavior (or could be).

Glad you think so!

Thank you!

kzbin.info/www/bejne/h4O1eXSVas2GaMU I did a video on how to capture the TLS 1.3 keys on the client side. I include the pcap and keylog in the video so you can follow along.

At that point, the only way I have seen it done is with a TLS proxy. But I am sure if you Google hard enough you will find others…here is an example. www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/m-ssl-proxy.pdf

Yeah there are several certs in the industry where having a good sense of packet analysis and protocols will help. CCNA, Net+, even Sec+ just to name a few

Glad you like the content! I have been hoping to do this content for some time. It's gonna be fun to dig into.

Typically, the client gives a list of supported ciphers, the server selects one, then in 1.3, changes cipher spec to start using it. After that the client does the same and we complete the handshake. Hope that helps

@@ChrisGreer thanks chris for the help

Glad you enjoyed it!

Thanks for the comment!

That is correct, the server should return an error and the handshake will fail if there is a cipher mismatch. I am looking for a pcap to demo that - it would make a nice video!

Thank you so much!!! You are the best!!!

Ok Gerardo, thanks for the feedback!

Glad you enjoyed it

Thanks!

No problem 👍

For sure! I will make a video for that

@@ChrisGreer Cant wait :) ! Love your videos !! :)) Thanks for sharing your knowladge !

Need to add quotes around the word your are searching for in new release of Wireshark. tcp contains "wireshark"

Could you share the pcap? packetpioneer (at) gmail.com

Look no further! kzbin.info/www/bejne/hYaQcmV7orulgbM this video on my channel is great for beginners to learn wireshark.

I know we need the theory but the practical stuff you teach is very interesting.