Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add hint for JA3/4

Browse Source 
+ minor corrections
This commit is contained in:
Dirk
2025-04-07 19:38:05 +02:00
parent 45be26db7c
commit 58ddfd8a24
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
etc/client-simulation.wiresharked.md
View File

@@ -1,4 +1,4 @@
The file `client-simulation.wiresharked.txt` contains client handshake data manually harvested from a network capture and displayed best with Wireshark. The file `client-simulation.wiresharked.txt` contains client handshake data manually harvested from a network capture and displayed by Wireshark.
The content needs to be added to `client-simulation.txt` which other part comes from the SSLlabs client API via `update_client_sim_data.pl` The content needs to be added to `client-simulation.txt` which other part comes from the SSLlabs client API via `update_client_sim_data.pl`
The whole process is manual but not too difficult. The whole process is manual but not too difficult.
@@ -11,16 +11,17 @@ The whole process is manual but not too difficult.
* If needed sort for ClientHello. * If needed sort for ClientHello.
* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic. * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
* Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client from it. * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client from it.
* Edit the *names* accordingly and *short*. The latter must not contain blanks. * Edit the *names* accordingly and the *short* description. The latter must not contain blanks.
* Retrieve *handshakebytes* by marking the "TLS 1.x Record Layer" --> Copy --> As a hex stream. * Retrieve *handshakebytes* by marking the "TLS 1.x Record Layer" --> Copy --> As a hex stream.
* For *ch_ciphers* mark "Cipher Suites" --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. * For *ch_ciphers*: mark "Cipher Suites" --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*.
* *ciphersuites* are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see `~/utils/hexstream2cipher.sh`. They start with TLS\*. * *ciphersuites* are TLS 1.3 ciphersuites. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. They start with TLS\*.
* Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3). * Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3).
* Adjust *lowest_protocol* and *highest_protocol* accordingly. * Adjust *lowest_protocol* and *highest_protocol* accordingly.
* For *curves* mark the "supported groups" TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. * For *curves* mark the "supported groups" TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`.
* Retrieve *alpn* by looking at the "alpn" TLS extension 16 (=0x0010). * Retrieve *alpn* by looking at the "alpn" TLS extension 16 (=0x0010).
* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. * Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
* Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle. * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle.
* Figure out the *services* by applying a good piece of human logic. A (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas Thunderbird supports a variety of protocols. * When using wireshark, copy also the ja3 and ja4 values accordingly, see e.g. like *java80442*. This could be used in the future.
* Figure out the *services* by applying a good piece of human logic or have a look at a different version of the client. A (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas Thunderbird supports a variety of protocols.
* When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`. * When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`.
* Before submitting a PR: test it yourself! You can also watch it again via wireshark. * Before submitting a PR: test it yourself! You can also watch it again via wireshark.