Get ssl server name from ssl handshake - tshark


Hey everyone,
I am trying to verify certificates using openssl. I verified the certificate chain itself and I want to check if the subject of the certificate matches the server name from the SSL field.

My code runs over the ssl sessions, First I want to extracted the server name from the packet (for this purpose I’m trying to use ssl.handshake.extensions_server_name field in tshark) and check it against the domains in the output of the command openssl x509 -text -noout cert.pem under the title: “X509v3 Subject Alternative Name”.

It worked good on my test files, but while running the code on large file, it seems that there are ssl sessions that has no packet with the mentioned field (even though the browser didn’t alert anything).

how can I still verify the name of the server ?

My question is - How is it possible that the server name is not included in the handshake? And when such situation happens, how can I get a name that is supposed to be verified against the one in the certificate?

Pastebin of a certificate in which i have seen the problem (happens in another different cases)
Thank you !


Some applications will send the name using the Server Name Indication (SNI) extension, as you’ve seen. Others (especially older ones) will not, instead relying on the server to have a single default certificate covering any and all valid names that might legitimately refer to it. The application knows which domain it requested, and it can check that the certificate is valid for that name.

If you’re just sniffing traffic, you don’t have access to the application’s internal state, so in the absence of SNI you can’t reliably determine what name it was expecting. In this case, the best you can do is to make a guess based on recently observed DNS packets referring to the same IP address.

(before you ask me how to actually do that with tshark - sorry, I have no idea)


Thank you very much !



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.