Get ssl server name from ssl handshake - tshark

user371 · April 28, 2017, 3:22pm

Hey everyone,
I am trying to verify certificates using openssl. I verified the certificate chain itself and I want to check if the subject of the certificate matches the server name from the SSL field.

My code runs over the ssl sessions, First I want to extracted the server name from the packet (for this purpose I’m trying to use ssl.handshake.extensions_server_name field in tshark) and check it against the domains in the output of the command openssl x509 -text -noout cert.pem under the title: “X509v3 Subject Alternative Name”.

It worked good on my test files, but while running the code on large file, it seems that there are ssl sessions that has no packet with the mentioned field (even though the browser didn’t alert anything).

how can I still verify the name of the server ?

My question is - How is it possible that the server name is not included in the handshake? And when such situation happens, how can I get a name that is supposed to be verified against the one in the certificate?

Pastebin of a certificate in which i have seen the problem (happens in another different cases) https://pastebin.com/QehLJjLX
Thank you !

jmorahan · April 28, 2017, 4:48pm

Some applications will send the name using the Server Name Indication (SNI) extension, as you’ve seen. Others (especially older ones) will not, instead relying on the server to have a single default certificate covering any and all valid names that might legitimately refer to it. The application knows which domain it requested, and it can check that the certificate is valid for that name.

If you’re just sniffing traffic, you don’t have access to the application’s internal state, so in the absence of SNI you can’t reliably determine what name it was expecting. In this case, the best you can do is to make a guess based on recently observed DNS packets referring to the same IP address.

(before you ask me how to actually do that with tshark - sorry, I have no idea)

user371 · April 28, 2017, 5:07pm

Thank you very much !

ahaw021 · April 29, 2017, 12:45am

https://ask.wireshark.org/questions/50476/how-to-extract-a-list-of-server-names-of-all-ssl-handshakes-present-in-log

system · May 29, 2017, 12:58am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Curl: (60) SSL: no alternative certificate subject name matches target host name Help	4	324	January 16, 2025
CN doen't match to serverName Help	5	907	June 2, 2018
Web server certificate doesnot include an ID matching to the server name Help	8	790	September 7, 2018
I have mixed up two certificates. One for my subdomain one for my actual domain. Need help to fix Help	7	1313	July 13, 2017
Server or Certificate issue? Help	25	1451	December 19, 2023

Get ssl server name from ssl handshake - tshark

Related topics