I'm testing a new proxy and monitoring the connection using Wireshark, but I'm not seeing any certificate at all. My goal is to find out exactly what sensitive and identifiable data is leaving my router after using this proxy, with emphasis on the certificate used to secure the connection.
In Wireshark, I've tried these filters but no result is shown; after applying each filter, I tried reconnecting to the proxies and opened a bunch of websites, but still no result came up.
tls.handshake.certificate
tls.handshake.type == 11
So how is this possible? Am I missing something obvious?
This is what the data stream looks like:
There are only TLS 1.1 (rarely), TLS 1.2, TLS 1.3 and TCP packets.
This is what I see when I manually open up a TLS 1.3 packet.
P.S. When I check for the SNI, only one SNI is ever shown, and it's the proxy server's address.
ssl.handshake.extension.type == "server_name"
Cipher Suites, from another TLS 1.3 packet
According to this answer, Does an HTTPS proxy encrypt traffic between proxy client and server for HTTP requests?,
and with the info provided above, does it mean that the proxy server I'm using is also an SSL server?
As user Steffen Ullrich mentioned, TLS v1.3 encrypts the handshake and thus the certificate isn't visible in Wireshark, but here is a TLS v1.2 packet and I can't see its certificate either. Why?
I don't know for sure, but I'm assuming every TLS-encrypted packet carries handshake data, like the certificate it was encrypted with, along with it?
tls.handshake.type == 11
filter, that means the proxy I'm using uses only TLS v1.3. It initiates the first connection to its server using TLS v1.3 too, then encapsulates any subsequent packets inside TLS v1.3, including TLS v1.2, TLS v1.1, TCP, DNS etc. That's why no certificate is ever seen in Wireshark even after running it for like 10 hours. Please correct me if I'm wrong.
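To make concrete why `tls.handshake.type == 11` matches a plaintext TLS 1.2 server flight but nothing in a TLS 1.3 session or a tunnelled connection, here is a small TLS record walker, added as an illustration and not code from the question or from any answer. It does what the Wireshark dissector does at the record layer: it splits a byte stream into records and lists the handshake message types only inside records of content type 22 (Handshake); content type 23 (Application Data) is opaque and is never descended into. All three byte strings are constructed samples, and the `ciphertext` bytes are arbitrary filler standing in for real encrypted data.

```python
"""Minimal TLS record walker showing where a Certificate message is visible."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, body))
        off += 5 + length
    return records


def handshake_messages(body: bytes):
    """Walk the handshake messages inside one plaintext Handshake record."""
    msgs, off = [], 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        msgs.append((htype, body[off + 4:off + 4 + hlen]))
        off += 4 + hlen
    return msgs


def summarize(data: bytes):
    """Per record: content type name and, for Handshake records, message names."""
    out = []
    for ctype, _version, body in parse_records(data):
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        if ctype == 22:
            names = [HANDSHAKE_TYPES.get(t, f"unknown({t})")
                     for t, _ in handshake_messages(body)]
            out.append((name, names))
        else:
            out.append((name, []))  # opaque: nothing to match a display filter on
    return out


def certificate_visible(data: bytes) -> bool:
    """Equivalent of the display filter tls.handshake.type == 11."""
    return any(ctype == 22 and any(t == 11 for t, _ in handshake_messages(body))
               for ctype, _v, body in parse_records(data))


# --- helpers to build constructed samples -----------------------------------
def handshake_record(version, *messages):
    body = b"".join(bytes([t]) + len(p).to_bytes(3, "big") + p for t, p in messages)
    return bytes([22]) + struct.pack("!HH", version, len(body)) + body


def app_data_record(version, ciphertext):
    return bytes([23]) + struct.pack("!HH", version, len(ciphertext)) + ciphertext


# Constructed sample 1: plaintext TLS 1.2 server flight. ServerHello, Certificate
# and ServerHelloDone travel in one Handshake record, so the filter matches.
TLS12_SERVER_FLIGHT = handshake_record(
    0x0303,
    (2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"),
    (11, b"constructed-certificate-bytes"),
    (14, b""),
)

# Constructed sample 2: TLS 1.3 server flight. Only ServerHello is plaintext; the
# record-layer version stays 0x0303 for compatibility, and EncryptedExtensions,
# Certificate and Finished follow as Application Data records, so the filter
# never sees handshake type 11.
TLS13_SERVER_FLIGHT = (
    handshake_record(0x0303, (2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\x13\x01" + b"\x00"))
    + app_data_record(0x0303, bytes(range(0x20, 0x60)))
)

# Constructed sample 3: anything tunnelled through an established TLS 1.3
# connection to the proxy, including an inner TLS 1.2 handshake, appears on
# the wire only as Application Data records.
TLS13_TUNNELLED = app_data_record(0x0303, bytes(range(0x60, 0xa0)))

if __name__ == "__main__":
    for label, sample in [("TLS 1.2 direct", TLS12_SERVER_FLIGHT),
                          ("TLS 1.3 direct", TLS13_SERVER_FLIGHT),
                          ("via TLS 1.3 tunnel", TLS13_TUNNELLED)]:
        print(label, summarize(sample), "certificate visible:", certificate_visible(sample))
```

The three results line up with what the question describes: a direct TLS 1.2 connection exposes the Certificate message, a direct TLS 1.3 connection exposes only ServerHello (whose SNI-bearing ClientHello would name the proxy), and anything carried inside the proxy tunnel is nothing but Application Data records. On a real capture, the same distinction is what makes `tls.handshake.type == 11` return rows only for plaintext TLS 1.2 and earlier handshakes; to inspect the tunnelled traffic you need the session keys (for example via a SSLKEYLOGFILE exported by the proxy client) rather than a different display filter.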