How to test which version of TLS my .NET client is using?

说谎 2020-12-08 06:14

I support a .NET site which (amongst many, MANY, other things) talks to remote APIs from supplier systems.

We want to upgrade to support TLS 1.2. We're hoping to do

3 answers
  •  再見小時候
    2020-12-08 07:05

    The System.Net tracing does include sufficient detail to check this, although it's not very accessible.

    This KB describes how to turn on System.Net tracing.

    This blog post shows a full HTTPS request in System.Net tracing.

    The bytes sent over the wire are logged, and in the example given on that blog post, the client stream starts:

    System.Net.Sockets Verbose: 0 : [3848] Data from Socket#48285313::Send
    System.Net.Sockets Verbose: 0 : [3848] 00000000 : 16 03 00 00 41 01 00 00-3D 03 00 43 26 02 90 83 : ....A...=..C&...
    

    RFC5246 describes TLS 1.2 and explains that ClientHello is the first message expected and states its format:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;
    

    This SO answer explains that the record starts with 0x16 as a type marker, then the protocol version.

    The session shown above has version 3.0, which means SSL 3.0.

    The RFC explains that 3.3 is TLS 1.2.

    So if your client data starts "16 03 03", then your client is attempting to negotiate TLS 1.2.

    You may need to examine the ServerHello to establish which version was actually used.
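
The check described in the answer above, as an added example that is not part of the original answer: it reads the hex dump lines of a System.Net trace and reports, for each ClientHello or ServerHello, the record-layer version and the version field inside the hello message (RFC 5246 defines both, and they can differ). The sample trace reuses the dump line quoted in the answer plus two constructed lines; the function names are illustrative.

```python
import re

# Hex-dump line as System.Net.Sockets tracing writes it: "[pid] offset : bytes : ascii"
DUMP = re.compile(r"\]\s+([0-9A-Fa-f]{8}) : ((?:[0-9A-Fa-f]{2}[ -]?)+) : ")
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HELLOS = {1: "ClientHello", 2: "ServerHello"}  # handshake message types

# The first dump line is the one quoted in the answer; the last two are constructed.
SAMPLE = """\
System.Net.Sockets Verbose: 0 : [3848] Data from Socket#48285313::Send
System.Net.Sockets Verbose: 0 : [3848] 00000000 : 16 03 00 00 41 01 00 00-3D 03 00 43 26 02 90 83 : ....A...=..C&...
System.Net.Sockets Verbose: 0 : [3848] 00000000 : 16 03 01 00 C8 01 00 00-C4 03 03 5F CF 1A 2B 3C : ..........._..+<
System.Net.Sockets Verbose: 0 : [3848] 00000000 : 16 03 03 00 51 02 00 00-4D 03 03 5F CF 1A 2D 77 : ....Q...M.._..-w
"""


def name(major, minor):
    return VERSIONS.get((major, minor), f"unknown {major}.{minor}")


def parse_hello(line):
    """Return (message, record_version, hello_version), or None if not a hello."""
    m = DUMP.search(line)
    if not m or int(m.group(1), 16) != 0:
        return None  # only offset 0 of a dumped buffer can hold the record header
    data = bytes.fromhex(m.group(2).replace("-", " "))
    # 5-byte record header, 4-byte handshake header, then the 2-byte version
    if len(data) < 11 or data[0] != 0x16 or data[5] not in HELLOS:
        return None
    return HELLOS[data[5]], name(data[1], data[2]), name(data[9], data[10])


def summarize(trace):
    """Parse every line of a trace and keep the hello messages found."""
    return [r for r in map(parse_hello, trace.splitlines()) if r]


if __name__ == "__main__":
    for message, record, hello in summarize(SAMPLE):
        print(f"{message}: record layer {record}, hello version {hello}")
```

A TLS 1.3 handshake also carries 03 03 in these fields and signals the real version in the supported_versions extension, which this example does not parse.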
