Determine SSL/TLS version using Wireshark
(Adding a new answer which should be definitive, leaving the old around as it's useful debug for how we got here. Credit for pointing to the actual answer in comments goes to @P4cK3tHuNt3R and @dave_thompson_085)
Using Wireshark, I am trying to determine the version of SSL/TLS that is being used with the encryption of data between a client workstation and another workstation on the same LAN running SQL Server.
You are viewing a connection which uses MS-TDS ("Tabular Data Stream Protocol"):
...the Tabular Data Stream Protocol, which facilitates interaction with
a database server and provides for authentication and channel encryption
negotiation; specification of requests in SQL (including Bulk Insert);
invocation of a stored procedure, also known as a Remote Procedure Call
(RPC); returning of data; and Transaction Manager Requests. It is an
application layer request/response protocol.
If you view the TDS protocol documentation, it specifies that the SSL packets are encapsulated within a TDS wrapper:
A TLS/SSL negotiation packet is a PRELOGIN (0x12) packet header encapsulated
with TLS/SSL payload.
In the Microsoft Message Analyzer screencap you posted, we can see the TDS header (boxed in Red, starts with 0x12), followed several bytes later by the TLS CLIENT_HELLO packet (boxed in Blue, starts with 0x16 0x03 0x03):
0x16
is the TLS "Handshake" header indicator,0x03 0x03
is the TLS version (TLS 1.2, as per RFC 5246):The version of the protocol being employed. This document describes TLS Version 1.2, which uses the version { 3, 3 }. The version value 3.3 is historical, deriving from the use of {3, 1} for TLS 1.0.
So the simple answer to your question, "determine the version of SSL/TLS", is "TLS 1.2".
Now, I've seen varying reports as to whether Wireshark can properly parse TDS packets with encoded TLS. I think that the answer is what you started with - it will tell you TLS is there, but won't parse the details as it would with a native TLS session.
As per this StackOverflow question, it appears that Microsoft Network Monitor is capable of parsing both levels of encapsulation. And a comment therein states that Microsoft Message Analyzer is the newer equivalent of that tool.
(Ignore this answer, which I'm leaving for historical data, and read my other answer, which explains what's actually going on)
Update after an example packet was added to the question -
The packet you've provided is clearly not a TLS packet. Looking at the hex you've provided, the first three octets of the TCP data are 12 01 00
, but for a TLS packet the first three bytes should be 16 03 0X
, where 0x16 means TLS "Handshake" record type, 0x03 means SSLv3/TLSv1.*, and the 0x0X indicates the TLS version - 0x01 for TLS 1.0, 0x02 for TLS 1.1, and 0x03 for TLS 1.2.
Additionally, there's a cleartext "sqlexpress2012" string in the packet, which wouldn't be there if this was a TLS Client Hello.
(How did I decide 12 01 00
was the beginning of the data? The first 14 bytes of the packet are the Ethernet header. The next 20 bytes are the IP header. The 13th byte of the TCP header is 0x50, and the first nibble of that byte times 4 is the TCP header length, so 5*4 = 20. So the first bytes of actual data start 54 bytes in at 12 01 00 6c 00 00 ...
)
So if Wireshark won't display this as TLS, that's because it isn't. You should revisit your server configuration.
Original answer:
Because those packets are not on a standard TLS port (e.g., 443) you need to tell Wireshark to interpret them as TLS packets. By default port 1433 is not interpreted as having TLS; the default for TDS is to be unencrypted. So by itself Wireshark will not parse it as TLS:
In order to change this, right-click on one of the packets and select "Decode As". Make sure the port "value" is set to 1433 and then set "Current" to SSL:
Click OK and when you return to the packets you'll see they're now interpreted in more detail:
Finally, if you look at the detail pane for one of the packets (I suggest using the server hello, not the client hello, in case protocol was adjusted) you'll see the TLS version quite clearly:
I just use this filter in Wireshark to find TLS 1.0 traffic:
ssl.handshake.version==0x0301
0x0302
is TLS 1.1 and 0x0303
is TLS 1.2.