
Comment by tialaramex

1 year ago

To be clear, that's not a TLS 1.2 encrypted session. It's a TLS 1.3 encrypted session but it's spelled in such a way that if you are looking for a TLS 1.2 encrypted session this matches your expectation.

This carries on into the actual encrypted data packets. They look like TLS 1.2 messages with application data inside, but TLS 1.3 messages are actually just all spelled in such a way that all of them (regardless of whether they're application data or not) look like TLS 1.2 application data. So idiot middleboxes think it must just be application data, can't have any other meaning.

In similar philosophy, in a middlebox that wanted to decrypt the flows, I simply put TLS1.3 inside HTTPS CONNECT inside TLS1.2 stream.

Horrible, but it was easier than updating the middlebox...
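The record-layer disguise the comment describes is easy to see on the wire. The following is an added example, not code from the comment's author: it builds a minimal TLS 1.3 ClientHello and a TLS 1.3 protected record (both constructed sample input, not captured traffic), then compares what a header-trusting classifier concludes with what the supported_versions extension actually offers. Field layouts follow RFC 5246 and RFC 8446; the record contents (zero random, a single cipher suite) are placeholders chosen for the example.

```python
import struct

# Wire constants from RFC 5246 / RFC 8446
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23
HANDSHAKE_CLIENT_HELLO = 1
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12 = 0x0303
TLS13 = 0x0304


def build_client_hello(offered_versions):
    """Construct a minimal ClientHello record (sample input, not a capture).

    Both the record header and the ClientHello's legacy_version field say
    0x0303 (TLS 1.2) no matter what the client really offers; the real offer
    is carried only in the supported_versions extension.
    """
    vers = b"".join(struct.pack("!H", v) for v in offered_versions)
    ext_body = bytes([len(vers)]) + vers
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body = (
        struct.pack("!H", TLS12)                 # legacy_version, always 0x0303
        + bytes(32)                              # random (zeros in this sample)
        + b"\x00"                                # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # legacy_compression_methods: null
        + struct.pack("!H", len(ext)) + ext      # extensions
    )
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, TLS12, len(hs)) + hs


def build_protected_record(ciphertext):
    """A TLS 1.3 protected record: outer type 23, legacy version 0x0303,
    whatever the inner (encrypted) content type really is."""
    return struct.pack("!BHH", CONTENT_APPLICATION_DATA, TLS12, len(ciphertext)) + ciphertext


def header_version(record):
    """What a classifier that trusts the 5-byte record header concludes."""
    _ctype, version, _length = struct.unpack("!BHH", record[:5])
    return version


def highest_offered_version(record):
    """Highest version actually offered in a ClientHello; falls back to the
    header version for anything else (including protected records)."""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        return version
    hs = record[5:5 + length]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        return version
    p = 4                    # skip handshake header (type + 3-byte length)
    p += 2 + 32              # legacy_version, random
    p += 1 + hs[p]           # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]           # legacy_compression_methods
    if p >= len(hs):
        return version       # no extensions at all: a pre-1.3 client
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            data = hs[p:p + elen]
            n = data[0]
            offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
            return max(offered) if offered else version
        p += elen
    return version           # no supported_versions: TLS 1.2 or older


if __name__ == "__main__":
    hello13 = build_client_hello([TLS13, TLS12])
    print(hex(header_version(hello13)), hex(highest_offered_version(hello13)))
    rec = build_protected_record(b"\xde\xad\xbe\xef")   # constructed ciphertext
    print(hex(header_version(rec)), hex(highest_offered_version(rec)))
```

The point for anyone writing detection or policy logic on a middlebox: the record header version is a constant in TLS 1.3 and classifies nothing, and a protected record's outer type 23 says nothing about whether the inner message is application data, a handshake message or an alert. Version identification has to come from the supported_versions extension in the ClientHello and ServerHello, and content classification of protected records is not possible without the session keys.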