The python version of ja4 is incorrect due to this line.
When sorting the list of extensions, the function get_hex_sorted correctly ignores 0000 (ALPN) and 0010 (SNI).
This same function is used to sort the list of cipher suites, but 0010 is a valid cipher suite (TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA). This causes an incorrect value for the middle (JA4_b) part of the JA4 fingerprint string.
I have a capture file that demonstrates the issue, but Gitlab won't let me attach that file type. Feel free to reach out if you want me to send it some other way.
This bug only appears in the python version of ja4. Rust appears to be correct.
The python version of ja4 is incorrect due to this line.
When sorting the list of extensions, the function
get_hex_sorted
correctly ignores 0000 (ALPN) and 0010 (SNI).This same function is used to sort the list of cipher suites, but 0010 is a valid cipher suite (TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA). This causes an incorrect value for the middle (JA4_b) part of the JA4 fingerprint string.
I have a capture file that demonstrates the issue, but Gitlab won't let me attach that file type. Feel free to reach out if you want me to send it some other way.
This bug only appears in the python version of ja4. Rust appears to be correct.