Update Thunderbird simulation to v68.3

2025-10-31 05:45:26 +01:00 · 2020-01-13 11:35:58 +01:00
parent 0911d1ae31
commit cf8cb541d5
2 changed files with 45 additions and 22 deletions
--- a/etc/client-simulation.txt
+++ b/etc/client-simulation.txt
@@ -2641,6 +2641,28 @@
     minEcdsaBits+=(-1)
     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
     requiresSha2+=(false)
+     current+=(false)
+
+     names+=("Thunderbird ("68.3")
+     short+=("thunderbird_68_3_1")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
     current+=(true)

     names+=("Baidu Jan 2015")
--- a/etc/client-simulation.wiresharked.txt
+++ b/etc/client-simulation.wiresharked.txt
@@ -3,28 +3,7 @@
 # comes from the SSLlabs client API via update_client_sim_data.pl
 # The whole process is done manually.
 #
-# Instructions how to add a client simulation:
-# * Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute.
-# * Make sure you create a bit of encrypted traffic to a target of your choice 1) .
-# * Make sure the client traffic is specific: For just "Android" do not use a browser!
-# * Stop the recording.
-# * If needed sort for ClientHello.
-# * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
-# * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
-# * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
-# * Adjust "lowest_protocol" and "highest_protocol" accordingly.
-# * Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
-# * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). 
-# * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
-# * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
-# * For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh
-# * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh
-# * Figure out the services by applying a good piece of logic
-# * Before submitting a PR: test it yourself! You can also watch it again via wireshark
-#
-# 
-# 1) Attention, privacy: if you want to contribute it contains the target hostname (SNI)
-
+# Instructions how to add a client simulation see file "client-simulation.wiresharked.md".

     names+=("Android 8.1 (native)")
     short+=("android_81")
@@ -286,6 +265,28 @@
     minEcdsaBits+=(-1)
     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
     requiresSha2+=(false)
+     current+=(false)
+
+     names+=("Thunderbird ("68.3")
+     short+=("thunderbird_68_3_1")
+     ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
+     sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
+     lowest_protocol+=("0x0301")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP,SMTP,POP,IMAP")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
+     requiresSha2+=(false)
     current+=(true)

     names+=("Safari 12.1 (iOS 12.2)")