I'm trying to send a ClientHello packet from my program for study purposes, the packet is recognized without any errors, but the problem is in the version, my intention is to assemble a packet whose TLS version is 1.3, but in Wireshark it continues to recognize it as TLS 1.2 !
I'm at loss to understand why Wireshark and several others don't recognize this as a packet of type ClientHello as TLS version 1.3
The raw packet (the full frame)
0000 02 00 00 00 45 02 00 af a7 f2 40 00 80 06 00 00
0010 7f 00 00 01 7f 00 00 01 c4 0f d4 31 4f 7f e8 b3
0020 13 d7 3d b8 50 18 20 fa 1f 5c 00 00 16 03 03 00
0030 82 01 00 00 7e 03 03 31 32 33 34 35 36 37 38 39
0040 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35
0050 36 37 38 39 30 31 32 20 31 32 33 34 35 36 37 38
0060 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
0070 35 36 37 38 39 30 31 32 00 04 13 03 13 04 01 00
0080 00 31 00 33 00 26 00 24 00 1d 00 20 e8 c6 6d fc
0090 ee 62 22 8d 82 d2 78 dd d5 1c 0b 92 3e 03 9f 00
00a0 d1 11 63 b8 7c 77 3f f7 a8 72 b9 47 00 2b 00 03
00b0 02 03 04
The raw packet (starting from Transport Layer Security)
0000 16 03 03 00 82 01 00 00 7e 03 03 31 32 33 34 35
0010 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31
0020 32 33 34 35 36 37 38 39 30 31 32 20 31 32 33 34
0030 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30
0040 31 32 33 34 35 36 37 38 39 30 31 32 00 04 13 03
0050 13 04 01 00 00 31 00 33 00 26 00 24 00 1d 00 20
0060 e8 c6 6d fc ee 62 22 8d 82 d2 78 dd d5 1c 0b 92
0070 3e 03 9f 00 d1 11 63 b8 7c 77 3f f7 a8 72 b9 47
0080 00 2b 00 03 02 03 04
The wireshark interpretation:
Frame 16287: 179 bytes on wire (1432 bits), 179 bytes captured (1432 bits) on interface \Device\NPF_Loopback, id 0
Null/Loopback
Family: IP (2)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 50191, Dst Port: 54321, Seq: 1, Ack: 1, Len: 135
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 130
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 126
Version: TLS 1.2 (0x0303)
Random: 3132333435363738393031323334353637383930313233343536373839303132
Session ID Length: 32
Session ID: 3132333435363738393031323334353637383930313233343536373839303132
Cipher Suites Length: 4
Cipher Suites (2 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 49
Extension: key_share (len=38)
Type: key_share (51)
Length: 38
Key Share extension
Client Key Share Length: 36
Key Share Entry: Group: x25519, Key Exchange length: 32
Group: x25519 (29)
Key Exchange Length: 32
Key Exchange: e8c66dfcee62228d82d278ddd51c0b923e039f00d11163b87c773ff7a872b947
Extension: supported_versions (len=3)
Type: supported_versions (43)
Length: 3
Supported Versions length: 2
Supported Version: TLS 1.3 (0x0304)
[JA3 Fullstring: 771,4867-4868,51-43,,]
[JA3: cfa5afddedc4688ce18a7378a388d916]
I'm waiting for Wireshark to recognize the versioned packet as TLS 1.3
Based on how you construct your data you are aware that with TLS 1.3 the version is communicated not through the protocol version in record layer or handshake messages, but through the supported_versions extension.
But Wireshark does not display the version offered by the client. Instead it tries to display the version agreed by the server. If the server would return a ServerHello with supported_versions TLS 1.3, then Wireshark would show the version for the connection as TLS 1.3.
But if there is no response from the server (as in your case), the version from the TLS record layer gets used - which is TLS 1.2 even if the client offers TLS 1.3 support.