
I have a pcap containing RDP traffic that uses TLSv1.2 to encrypt the traffic. I noticed that somewhere in the middle of the RDP traffic, specifically after many encrypted messages had been exchanged between the client and the server, there was suddenly a message sent from the client to the server that wasn't encrypted. It is very similar to the first unencrypted message sent in RDP (the TPKT message), and Wireshark classified this message as "Ignored unknown record". The RDP server replied to this message, also with an unencrypted message!! I noticed that after those two messages a new TLS handshake was performed! Any explanation of what happened in this traffic? I checked the Microsoft specification for the RDP protocol, and I didn't find anything that validates this behaviour! I read there that at some point, when the two sides decide to start TLS, all the traffic will be encrypted from that point on... I think that for some reason the server asked the client to re-negotiate, but I can't find anything relevant in the documentation.
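A triage script for the stream described above, added here as an example; it is not part of the original question and not Microsoft's or Wireshark's code. It assumes the TCP payloads of the RDP session have already been reassembled and extracted (tshark's tcp.payload field gives them as hex) and stands in hand-constructed byte strings for the pcap: minimal but correctly framed X.224 Connection Request/Confirm PDUs and TLS records. Each payload is labelled as a TLS record, a plaintext TPKT frame, or neither, and the script flags exactly the pattern in the question: TPKT in the clear, and then handshake records, appearing after application data has already been flowing.

```python
# Added example, not part of the original question. Labels each TCP payload of
# one RDP session as a TLS record, a plaintext TPKT/X.224 PDU, or unknown, and
# flags plaintext TPKT or TLS handshake records that appear after the session
# was already carrying encrypted application data. All payload bytes below are
# constructed by hand for the demo, not taken from a capture.
import struct
from typing import List, Tuple

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 20: "Finished"}
# X.224 TPDU code is the high nibble of the byte following the length indicator.
X224_TPDU_CODES = {0xE: "Connection Request", 0xD: "Connection Confirm", 0xF: "Data"}


def classify_payload(data: bytes) -> Tuple[str, str]:
    """Return (kind, detail): "tls" for a TLS record whose header length matches
    the payload, "tpkt" for an RFC 1006 TPKT frame whose length matches, else
    "unknown" (a TPKT frame is what Wireshark's TLS dissector cannot parse)."""
    if len(data) >= 5:
        ctype = data[0]
        version, length = struct.unpack(">HH", data[1:5])
        if ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS and length == len(data) - 5:
            detail = TLS_CONTENT_TYPES[ctype]
            if ctype == 22 and len(data) >= 6:
                # The first body byte is a handshake type only while the record
                # is in the clear (initial handshake). In a TLS 1.2 renegotiation
                # the handshake records are encrypted, so this byte is ciphertext.
                detail += "/" + HANDSHAKE_TYPES.get(data[5], f"type {data[5]}")
            return "tls", f"{detail} ({TLS_VERSIONS[version]}, len={length})"
    if len(data) >= 7 and data[0] == 3 and data[1] == 0:
        tpkt_len = struct.unpack(">H", data[2:4])[0]
        if tpkt_len == len(data):
            code = data[5] >> 4
            return "tpkt", f"X.224 {X224_TPDU_CODES.get(code, f'TPDU code {code:#x}')} (len={tpkt_len})"
    return "unknown", f"first byte {data[0]:#04x}" if data else "empty"


def analyse_stream(payloads: List[Tuple[str, bytes]]) -> List[str]:
    """payloads: ordered (direction, payload) pairs, direction "C>S" or "S>C".
    Returns one line per anomaly: plaintext TPKT, or TLS handshake records,
    seen after the first application_data record, plus anything unparseable."""
    anomalies = []
    encrypted = False  # set once the first application_data record is seen
    for idx, (direction, data) in enumerate(payloads):
        kind, detail = classify_payload(data)
        if kind == "tls" and detail.startswith("application_data"):
            encrypted = True
        elif kind == "tpkt" and encrypted:
            anomalies.append(f"#{idx} {direction}: plaintext TPKT after encrypted data: {detail}")
        elif kind == "tls" and detail.startswith("handshake") and encrypted:
            anomalies.append(f"#{idx} {direction}: TLS handshake record after encrypted data: {detail}")
        elif kind == "unknown":
            anomalies.append(f"#{idx} {direction}: neither TLS nor TPKT: {detail}")
    return anomalies


# Constructed sample payloads (hypothetical session, not captured traffic).
X224_CONNECTION_REQUEST = bytes.fromhex("030000130ee000000000000100080003000000")  # rdpNegReq, TLS offered
X224_CONNECTION_CONFIRM = bytes.fromhex("030000130ed000001234000200080001000000")  # rdpNegRsp, TLS selected
CLIENT_HELLO = bytes.fromhex("1603010006010000020303")
SERVER_HELLO = bytes.fromhex("1603030006020000020303")
CHANGE_CIPHER_SPEC = bytes.fromhex("140303000101")
ENCRYPTED_FINISHED = bytes.fromhex("160303001000112233445566778899aabbccddeeff")
APP_DATA = bytes.fromhex("1703030008deadbeefcafef00d")

SAMPLE_SESSION = [
    ("C>S", X224_CONNECTION_REQUEST), ("S>C", X224_CONNECTION_CONFIRM),
    ("C>S", CLIENT_HELLO), ("S>C", SERVER_HELLO),
    ("C>S", CHANGE_CIPHER_SPEC), ("C>S", ENCRYPTED_FINISHED),
    ("S>C", CHANGE_CIPHER_SPEC), ("S>C", ENCRYPTED_FINISHED),
    ("C>S", APP_DATA), ("S>C", APP_DATA), ("C>S", APP_DATA),
    # The oddity from the question: TPKT in the clear, answered in the clear,
    # then a fresh handshake on the same TCP connection.
    ("C>S", X224_CONNECTION_REQUEST), ("S>C", X224_CONNECTION_CONFIRM),
    ("C>S", CLIENT_HELLO), ("S>C", SERVER_HELLO),
]

if __name__ == "__main__":
    for idx, (direction, data) in enumerate(SAMPLE_SESSION):
        print(f"#{idx:<3}{direction}  {' / '.join(classify_payload(data))}")
    print("\nAnomalies:")
    for line in analyse_stream(SAMPLE_SESSION):
        print("  " + line)
```

The length checks are what keep the classifier honest: a stray byte sequence starting 0x03 0x00 is only reported as TPKT when its length field matches the payload, and a TLS record only when its header length does. One caveat when reading the output against the re-negotiation theory in the question: a TLS 1.2 renegotiation started inside the existing session carries its ClientHello in encrypted handshake records, so the script can tell you "handshake record after application data" but cannot name the message type; only a handshake sent in the clear, like the one after the plaintext TPKT exchange above, gets labelled ClientHello or ServerHello.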

  • 1
    Could there have been an interruption in the connection? Jul 10 at 23:10
  • @JaromandaX Do you mean the connection failed for some reason? But the situation I'm talking about happens in the same TCP connection.
    – AHS
    Jul 11 at 9:50
    Oh, OK, so the answer is: there was no interruption in the connection. Jul 11 at 10:29
