Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client: add support for sending unsupported cipher suites #1190

Closed
wants to merge 1 commit into from
Closed

client: add support for sending unsupported cipher suites #1190

wants to merge 1 commit into from

Conversation

djc
Copy link
Member

@djc djc commented Feb 2, 2023

Fixes #1125. @ctz I know you said that you didn't want to support this, but I just wanted to sketch out for myself how much complexity it is to implement this given that there have been increasing requests for this (I don't like that this is necessary either, but I fear it might be a reality of competing with OpenSSL). IMO the resulting change is not too bad. If you're open to it, I'll add some tests.

@djc djc requested a review from ctz February 2, 2023 11:20
@djc djc mentioned this pull request Feb 2, 2023
Closed
9 tasks
@ctz
Copy link
Member

ctz commented Feb 2, 2023

Unfortunately #1125 is an XY issue. Actually what we need to do to get the same JA3 fingerprint as another client is:

  • have the same order of cipher_suites (adding them on the end isn't enough)
  • have the same order and presence of extensions (this might mean implementing whole new TLS features)
  • have the same order and presence of named groups (we might have enough configurability here already)
  • have the same order and presence of ec point formats (i think we're good here, uncompressed=0 on its own is ubiquitous)

@djc
Copy link
Member Author

djc commented Feb 2, 2023
edited

So if we scope this to (a) adding unsupported cipher suites, (b) sorting cipher suites, (c) sorting extensions, it feels like we'd have made some progress, and this seems somewhat straightforward? We could have a

trait ClientHelloModifier {
    fn update_cipher_suites(&self, suites: &mut Vec<CipherSuite>);
    fn update_extensions(&self, extensions: &mut [ClientExtension]);
}

and store an Arc<dyn ClientHelloModifier> in the ClientConfig.

(Link to JA3: https://github.com/salesforce/ja3.)

@ctz
Copy link
Member

ctz commented Jun 12, 2023

Since this was last discussed, Chrome shipped randomised extension ordering as a countermeasure to fingerprinting:

I think I'd prefer to expend effort doing the same (#1313) which is really the antithesis of this PR. Thoughts?

@djc djc closed this Jun 12, 2023
@djc
Copy link
Member Author

djc commented Jun 12, 2023
edited

I agree it makes sense to randomize the extension order in ClientHello (#1313). I don't think that will make the desire for fingerprintable ClientHellos go away anytime soon, since at least some of the servers employing fingerprinting methods are mainly concerned with relatively specialized clients that aren't Chrome.

@FireMasterK
Copy link

I think this pull request should be re-opened since the extensions could be sorted, thus allowing for fingerprintable ClientHellos again. Such techniques may already be implemented on some sites as https://browserleaks.com/tls, https://tlsfingerprint.io/norm_fp, etc suggest.

@djc
Copy link
Member Author

djc commented Jun 30, 2023

@FireMasterK please open a new issue with your concrete use cases.

@XOR-op XOR-op mentioned this pull request Nov 3, 2023
Closed
@hellais hellais mentioned this pull request May 1, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctz ctz Awaiting requested review from ctz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow offering ciphersuites in the Client Hello that are not yet supported.
3 participants
@djc @ctz @FireMasterK