README: TLS Authentication and Encryption Algorithm Testing
(Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - DHE-RSA + AES-256 CBC + SHA256)

Purpose
-------
Verify that the server supports TLS 1.2 with the DHE-RSA-AES256-SHA256 cipher by capturing the TLS handshake with curl and Wireshark.

Prerequisites
-------------
- curl installed
- Wireshark installed
- Network access to server 10.91.239.125

Testing Procedure
-----------------
1. Run: curl -v --tlsv1.2 --ciphers DHE-RSA-AES256-SHA256 https://10.91.239.125
2. Start Wireshark capture on your interface.
3. Apply filter: tls.handshake
4. Observe Server Hello, Certificate, Server Hello Done packets for encryption and authentication details.

Wireshark Packet Summary
------------------------
Frame 6: 1952 bytes on wire (15616 bits), 1952 bytes captured (15616 bits) on interface wlp4s0, id 0
Ethernet II, Src: Tp-LinkT_00:51:e0 (50:d4:f7:00:51:e0), Dst: Chongqin_0b:ac:5b (c0:b5:d7:0b:ac:5b)
Internet Protocol Version 4, Src: 10.91.239.125, Dst: 192.168.0.36
    Version: 4, Header Length: 20 bytes
    Total Length: 1938
    Identification: 0x13dc (5084)
    Flags: Don't fragment
    Time to Live: 63
    Protocol: TCP (6)
    Source Address: 10.91.239.125
    Destination Address: 192.168.0.36
Transmission Control Protocol, Src Port: 443, Dst Port: 44410, Seq: 1, Ack: 518, Len: 1886
    Flags: PSH, ACK
    Window: 506 (scaled to 64768)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 104
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 100
            Version: TLS 1.2 (0x0303)
            Random: fcf08ba77709d71e8259e9b5f357ab796d7b48d6d06a46825ec3bd6306cc4956
            Session ID Length: 32
            Session ID: 740c0801a19d189cb2f35a8927a4875aa240ef1545fab8b603008f9235ce3a0c
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Compression Method: null (0)
            Extensions Length: 28
            Extension: renegotiation_info (len=1)
            Extension: application_layer_protocol_negotiation (len=11)
            Extension: encrypt_then_mac (len=0)
            Extension: extended_master_secret (len=0)
            [JA3S Fullstring: 771,107,65281-16-22-23]
            [JA3S: 3cdb590e8a41cdc80f1a4ebe2ea8e340]
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 975
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 971
            Certificates Length: 968
            Certificates (968 bytes)
                Certificate Length: 965
                Certificate: 308203c1308202a9a00302010202143a1c6e7542b6bedcd6cbf6bf3c048453eefd009a30… (id-at-commonName=10.91.239.125, id-at-organizationName=Internet Widgits Pty Ltd, id-at-localityName=BENGALURU, id-at-stateOrProvinceName=KARNATAKA)
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 783
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 779
            Diffie-Hellman Server Params
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

Interpretation
--------------
- Server supports TLS 1.2.
- Cipher suite uses DHE-RSA for key exchange and authentication, with AES-256 CBC encryption and SHA-256 MAC.
- Server certificate authenticates the server identity.
- Server Hello Done indicates completion of the server's hello-phase handshake messages.
- Successful handshake confirms cipher and authentication support.

Notes
-----
- Handshake failure indicates the cipher is unsupported by the server.
- Verify you capture the correct network interface in Wireshark.
- Use filter `tls.handshake` to isolate handshake packets during analysis.
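
Added example (not part of the original README): a Python parser that performs the Server Hello check from step 4 offline, on a record rebuilt from the field values in the packet summary, and derives the JA3S string Wireshark displays. The ALPN payload (http/1.1) and the names parse_server_hello, RECORD and EXPECTED_SUITE are assumptions of this example.

```python
import hashlib
import struct

# Constructed sample: Server Hello rebuilt from the field values in the packet
# summary. The ALPN payload ("http/1.1") is an assumption; the capture only
# shows the extension length (11).
RANDOM = bytes.fromhex("fcf08ba77709d71e8259e9b5f357ab796d7b48d6d06a46825ec3bd6306cc4956")
SESSION_ID = bytes.fromhex("740c0801a19d189cb2f35a8927a4875aa240ef1545fab8b603008f9235ce3a0c")
EXTENSIONS = (
    bytes.fromhex("ff01000100")                       # renegotiation_info
    + bytes.fromhex("0010000b000908") + b"http/1.1"  # ALPN
    + bytes.fromhex("00160000")                       # encrypt_then_mac
    + bytes.fromhex("00170000")                       # extended_master_secret
)
BODY = (b"\x03\x03" + RANDOM + bytes([len(SESSION_ID)]) + SESSION_ID
        + b"\x00\x6b" + b"\x00" + struct.pack("!H", len(EXTENSIONS)) + EXTENSIONS)
HANDSHAKE = b"\x02" + len(BODY).to_bytes(3, "big") + BODY
RECORD = b"\x16\x03\x03" + struct.pack("!H", len(HANDSHAKE)) + HANDSHAKE
EXPECTED_SUITE = 0x006B  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete Server Hello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs[0] != 2 or len(hs) < 4 + hs_len:
        raise ValueError("not a complete Server Hello")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]               # skip version, random, session id
    suite, compression = struct.unpack("!HB", body[pos:pos + 3])
    pos += 3
    ext_types = []
    if pos < len(body):               # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    ja3s = f"{version},{suite}," + "-".join(map(str, ext_types))
    return {"version": version, "suite": suite, "compression": compression,
            "ja3s_string": ja3s, "ja3s": hashlib.md5(ja3s.encode()).hexdigest(),
            "suite_ok": version == 0x0303 and suite == EXPECTED_SUITE}

print(parse_server_hello(RECORD))
```

The suite_ok flag is true only when the server's own Server Hello names TLS 1.2 and 0x006b, which is the evidence the capture is meant to provide.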