From 14e8df3fab8818b6452f9bd4dc09791fce58c7fc Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 15 May 2026 21:30:07 +0200 Subject: [PATCH] Update readme wrt ja3/ja4 + imotr tweaks --- etc/client-simulation.wiresharked.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md index 8d8e11c..715341d 100644 --- a/etc/client-simulation.wiresharked.md +++ b/etc/client-simulation.wiresharked.md @@ -12,18 +12,19 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic. * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client. * Edit the *names* accordingly and the *short* description. The latter must not contain blanks. -* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* --> Copy --> As a hex stream. +* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* in wireshark --> Copy --> As a hex stream. * For *ch_ciphers*: mark *Cipher Suites* --> Copy --> As a hex stream and supply it to `~/utils/hexstream2cipher.sh`. The last line contains the ciphers which you need to copy. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. . The GREASE "ciphers" (?a?a) which you may see in the very beginning don't show up here. -* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. +* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normally like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. * For *curves* mark the *Supported Groups* TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Copy the last line into *curves*. * Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3). * Adjust *lowest_protocol* and *highest_protocol* accordingly (0301=TLS 1.0, 0302=TLS 1.1, 0303=TLS 1.2, 0304=TLS 1.3) -* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. +* Review TLS extension "signature_algorithm" 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle. * Retrieve *alpn* by looking at the *application_layer_protocol_negotiation* TLS extension 16 (=0x0010). -* When using wireshark, copy also the ja3 and ja4 values accordingly (copy --> value), see e.g. like *java_80442*. This could be used in the future. -* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* For ja3 and ja4: This is to uniquely identify the client handshake. Also we can consolidate client handshake section (see e.g. Android 13 = Android 14). Retrieve *ja3* or *ja4* by using Copy --> value. * When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`. * Before submitting a PR: test it yourself! You can also watch it again via wireshark. +The license of self harvested client simulations is the same as the whole tool see ../LICENSE .