
I captured my network traffic to a web server and the SSL Handshake consists only of two packets. Why does that happen and why aren't there all the other packets?

ysdx
Viktor
  • It is probably the session ID functionality; check the session ID of the Client Hello to verify whether it has a value. Also, uploading the pcap file would help us. – camp0 Sep 18 '19 at 09:01

1 Answer


You're probably seeing session resumption. If the Client Hello and Server Hello packets both have the same Session ID value, then the handshake is shortened as the Client and Server 'recognize' each other.

To quote RFC 5246:

The client sends a ClientHello using the Session ID of the session to be resumed. The server then checks its session cache for a match. If a match is found, and the server is willing to re-establish the connection under the specified session state, it will send a ServerHello with the same Session ID value. At this point, both client and server MUST send ChangeCipherSpec messages and proceed directly to Finished messages.

gowenfawr
  • For TLS 1.2 and below; in 1.3 (since 2018) this field is 'legacy' and always contains a dummy value whether or not resumption (and a correspondingly short handshake) is used. And in 1.2 and below, the ClientHello can contain no session ID but a previously issued and still valid ticket, which the server accepts, per RFC 4507/RFC 5077. – dave_thompson_085 Feb 05 '22 at 04:28
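The check described in the answer and the two caveats from the comment, as an added example that is not part of the original thread. The Python below parses TLS 1.2 records from a byte stream, compares the Session ID of the ClientHello and ServerHello, and then looks at what the server sends right after its ServerHello: a ChangeCipherSpec means the abbreviated handshake the RFC quote describes, a Certificate means a full handshake. A non-empty SessionTicket extension (0x0023) in the ClientHello marks RFC 5077 ticket resumption, and a supported_versions extension (0x002b) selecting 0x0304 in the ServerHello marks TLS 1.3, where the session ID field is legacy and proves nothing. All packets are constructed by hand (zeroed random, a single cipher suite, an empty certificate list) rather than taken from the asker's capture; the function and constant names are this example's own.

```python
"""Classify a TLS 1.2 handshake as full or abbreviated from its first two flights."""
import struct

CONTENT_CCS, CONTENT_HANDSHAKE = 0x14, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
EXT_SESSION_TICKET, EXT_SUPPORTED_VERSIONS = 0x0023, 0x002B
TLS13 = 0x0304


def split_records(data):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, length = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        yield ctype, payload
        pos += 5 + length


def split_handshake(payload):
    """Yield (msg_type, body) for each handshake message coalesced in one record."""
    pos = 0
    while pos < len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        yield mtype, body
        pos += 4 + mlen


def parse_hello(mtype, body):
    """Return (session_id, {ext_type: ext_data}) from a ClientHello/ServerHello body."""
    pos = 2 + 32                      # legacy_version + random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    if mtype == HS_CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        pos += 1 + body[pos]          # compression_methods vector
    else:
        pos += 3                      # cipher_suite + compression_method
    exts = {}
    if pos < len(body):               # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            exts[etype] = body[pos:pos + elen]; pos += elen
    return session_id, exts


def classify(client_flight, server_flight):
    """'full', 'abbreviated-session-id', 'abbreviated-ticket', 'abbreviated-unknown' or 'tls13'."""
    ch_msgs = [m for ct, p in split_records(client_flight)
               if ct == CONTENT_HANDSHAKE for m in split_handshake(p)]
    ch_body = next((b for t, b in ch_msgs if t == HS_CLIENT_HELLO), None)
    if ch_body is None:
        raise ValueError("no ClientHello in client flight")
    ch_sid, ch_exts = parse_hello(HS_CLIENT_HELLO, ch_body)

    # Flatten the server flight into an ordered list of (content_type, hs_type, body).
    seq = []
    for ct, p in split_records(server_flight):
        if ct == CONTENT_HANDSHAKE:
            seq.extend((ct, t, b) for t, b in split_handshake(p))
        else:
            seq.append((ct, None, None))
    idx = next((i for i, (_, t, _) in enumerate(seq) if t == HS_SERVER_HELLO), None)
    if idx is None:
        raise ValueError("no ServerHello in server flight")
    sh_sid, sh_exts = parse_hello(HS_SERVER_HELLO, seq[idx][2])

    # TLS 1.3: session ID is a legacy field and everything after ServerHello is encrypted.
    if sh_exts.get(EXT_SUPPORTED_VERSIONS) == struct.pack("!H", TLS13):
        return "tls13"
    nxt = seq[idx + 1] if idx + 1 < len(seq) else None
    if nxt is not None and nxt[0] == CONTENT_CCS:
        # ChangeCipherSpec directly after ServerHello: the RFC 5246 7.3 abbreviated flow.
        if ch_exts.get(EXT_SESSION_TICKET):      # non-empty ticket offered (RFC 5077);
            return "abbreviated-ticket"          # the server may still echo the session ID
        if ch_sid and ch_sid == sh_sid:
            return "abbreviated-session-id"
        return "abbreviated-unknown"
    return "full"                                # Certificate (or other message) follows


# Constructed sample flights (not captured traffic).
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(ctype, payload):
    return bytes([ctype, 0x03, 0x03]) + struct.pack("!H", len(payload)) + payload

def _hello(mtype, sid, exts=b"", cipher=b"\x00\x2f"):
    body = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
    body += (struct.pack("!H", len(cipher)) + cipher + b"\x01\x00") if mtype == HS_CLIENT_HELLO else cipher + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return _hs(mtype, body)

SID = bytes(range(32))
FULL_CLIENT = _record(CONTENT_HANDSHAKE, _hello(HS_CLIENT_HELLO, b""))
FULL_SERVER = _record(CONTENT_HANDSHAKE, _hello(HS_SERVER_HELLO, SID) + _hs(HS_CERTIFICATE, b"\x00\x00\x00"))
RESUMED_CLIENT = _record(CONTENT_HANDSHAKE, _hello(HS_CLIENT_HELLO, SID))
RESUMED_SERVER = _record(CONTENT_HANDSHAKE, _hello(HS_SERVER_HELLO, SID)) + _record(CONTENT_CCS, b"\x01")
TICKET_CLIENT = _record(CONTENT_HANDSHAKE, _hello(HS_CLIENT_HELLO, b"", struct.pack("!HH", EXT_SESSION_TICKET, 4) + b"TCKT"))
TICKET_SERVER = _record(CONTENT_HANDSHAKE, _hello(HS_SERVER_HELLO, b"")) + _record(CONTENT_CCS, b"\x01")
TLS13_SERVER = _record(CONTENT_HANDSHAKE, _hello(HS_SERVER_HELLO, SID, struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04")) + _record(CONTENT_CCS, b"\x01")

if __name__ == "__main__":
    for name, c, s in [("full", FULL_CLIENT, FULL_SERVER), ("resumed", RESUMED_CLIENT, RESUMED_SERVER),
                       ("ticket", TICKET_CLIENT, TICKET_SERVER), ("tls13", RESUMED_CLIENT, TLS13_SERVER)]:
        print(f"{name}: {classify(c, s)}")
```

To apply this to a real capture, export the TCP payload of the client's first packet and of the server's first packet(s) (for example with tshark's `-T fields -e tcp.payload`) and pass the raw bytes as the two flights; the decisive signal is whether the server's ChangeCipherSpec arrives immediately after its ServerHello, which is exactly why the asker saw only two handshake packets.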