Extend TLS inspector to capture JA3n and JA4

[kashyap-db]

Title: Extend TLS inspector to capture JA3n and JA4

Description: This issue 3 years ago requested the JA3 feature. JA3 is no longer effective and gets permuted after Chrome 110 making it ineffective. Also JA4 has now been released. JA4 is a much more effective way of identifying malicious activity than IP address.

See the original issue for a detailed motivation for this.

[optional Relevant Links:] https://github.com/envoyproxy/envoy/issues/16622 https://github.com/FoxIO-LLC/ja4 https://github.com/net4people/bbs/issues/220 https://security.stackexchange.com/questions/273101/why-the-ja3-hash-changed-everytime-refresh-the-webpage

[agrawroh]

cc @ggreenway

[ggreenway]

PRs welcome for adding this!

[agrawroh]

@ggreenway Should we add a new field called tls_fingerprinting alongside enable_ja3_fingerprinting here and deprecate the latter in favor of the newly added field?

JA3/JA4 could be set as an ENUM:

tls_fingerprinting: {
  enable: BOOL,
  engine: ENUM { JA3 = DEFAULT, JA3S, JA4}
}

We'll also have to change the access loggers accordingly. I see that we have TLS_JA3_FINGERPRINT to surface the captured JA3s in the access logs. We'll have to add another TLS_FINGERPRINT with both the engine and the value or two commands like TLS_FINGERPRINT_ENGINE and TLS_FINGERPRINT_VALUE.

For gRPC [See This], we can use tls_fingerprint with engine and value as well.

[ggreenway]

@envoyproxy/api-shepherds can help with how to structure the config. If you're going to use an enum, I think having a default value of none, and not having a bool to enable/disable, is simpler.

I'd also be fine with just adding more booleans for enable_ja3s_fingerprinting and enable_ja4_fingerprinting.

[kashyap-db]

Minor clarification JA3s (server fingerprinting) is different from JA3n (what we want). JA3n just sorts the Client Hello SSL Extensions.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions[bot]]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.