joeferner / node-http-mitm-proxy

HTTP Man In The Middle (MITM) Proxy

Use client cipher suites for server #271

Open chribro88 opened 1 year ago

chribro88 commented 1 year ago

Hello,

I'm trying to mirror the client's given cipher suites for the proxy to provide to the server.

There are two roadblocks I'm getting stuck at.

1) Obtaining the client's provided cipher suites. What I can obtain is the accepted cipher through the onRequest hook and ctx.clientToProxyRequest.client.getCipher().
2) Providing the cipher suites to the server (ctx.proxyToServerRequestOptions.agent.options.cipher) without the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher being automatically appended to the list. I've also tried setting require('constants').SSL_OP_NO_RENEGOTIATION for secureOptions, but it still occurs.

Potentially (2) might require OpenSSL to be patched, as suggested here: https://stackoverflow.com/questions/35254883/avoid-sending-tls-empty-renegotiation-info-scsv-cipher-in-tls-client-hello

Hoping someone with a better understanding than myself can point me in the right direction 😁

Cheers!

Viiprogrammer commented 3 weeks ago

In a bit of a hacky way, I monkey patched TLS to change the fingerprint:

const tls = require("node:tls")

const origTLSConnect = tls.connect
const ciphers = [
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
].join(':')

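// Replace tls.connect with a wrapper. This is process-wide: every caller of
// tls.connect in this process gets the cipher list above.
tls.connect = function () {
    const args = arguments

    // Only the tls.connect(options, ...) call form is patched here
    if (typeof args[0] === 'object') {
        args[0].ciphers = ciphers
        args[0].secureProtocol = 'TLSv1_2_method' // pin the handshake to TLS 1.2
    }

    // args[1].ciphers = ciphers
    return origTLSConnect(...args)
}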

Just call this before initializing the proxy server.
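
On the first roadblock in the thread: getCipher() reports only the negotiated suite, while the offered list lives in the ClientHello itself, which is also the field TLS fingerprinting inspects. The following is an added example, not code from this thread or from node-http-mitm-proxy: a parser for a raw ClientHello record, run on a constructed sample message. The function names are hypothetical, and how a proxy would capture the raw bytes is not covered here.

```javascript
// Added example (not from the thread). Parses a raw TLS ClientHello record and
// returns the cipher suites the client offered, in the order it offered them.
const RENEG_SCSV = 0x00ff; // TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)

function parseOfferedCipherSuites(buf) {
  const need = (end) => { if (end > buf.length) throw new Error('truncated ClientHello'); };
  // Record header: content_type(1) legacy_version(2) length(2)
  need(5);
  if (buf[0] !== 0x16) throw new Error('not a TLS handshake record');
  const recordEnd = 5 + buf.readUInt16BE(3);
  need(recordEnd);
  // Handshake header: msg_type(1) length(3)
  need(9);
  if (buf[5] !== 0x01) throw new Error('not a ClientHello');
  const helloEnd = 9 + buf.readUIntBE(6, 3);
  // A ClientHello split across several records would need reassembly first.
  if (helloEnd > recordEnd) throw new Error('ClientHello spans multiple records');
  let p = 9 + 2 + 32;            // skip legacy_version and random
  need(p + 1);
  p += 1 + buf[p];               // skip session_id (1-byte length prefix)
  need(p + 2);
  const listLen = buf.readUInt16BE(p);
  p += 2;
  if (listLen % 2 !== 0 || p + listLen > helloEnd) throw new Error('bad cipher_suites length');
  const suites = [];
  for (let i = 0; i < listLen; i += 2) suites.push(buf.readUInt16BE(p + i));
  return { suites, offersRenegScsv: suites.includes(RENEG_SCSV) };
}

// Constructed sample input: a minimal ClientHello with no extensions.
function buildSampleClientHello(suites) {
  const list = Buffer.alloc(suites.length * 2);
  suites.forEach((id, i) => list.writeUInt16BE(id, i * 2));
  const listLen = Buffer.alloc(2);
  listLen.writeUInt16BE(list.length);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]), Buffer.alloc(32, 0xab), // version, random
    Buffer.from([0x00]), listLen, list,                // empty session_id, suites
    Buffer.from([0x01, 0x00]),                         // null compression only
  ]);
  const hs = Buffer.from([0x01, 0, 0, 0]);             // msg_type, 3-byte length
  hs.writeUIntBE(body.length, 1, 3);
  const rec = Buffer.from([0x16, 0x03, 0x01, 0, 0]);
  rec.writeUInt16BE(body.length + 4, 3);
  return Buffer.concat([rec, hs, body]);
}

const sample = buildSampleClientHello([0xc02c, 0xc02b, 0xc030, RENEG_SCSV]);
console.log(parseOfferedCipherSuites(sample).suites.map((id) => '0x' + id.toString(16).padStart(4, '0')));
```

The returned values are the 16-bit IANA cipher suite identifiers, so 0x00ff in the list shows whether a given client itself offers TLS_EMPTY_RENEGOTIATION_INFO_SCSV.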