
Use custom TLS cipher order #132

Open sumous opened 1 year ago

sumous commented 1 year ago

Hi, I typed the command ./out/curl-impersonate --ciphers ECDHE-ECDSA-AES128-GCM-SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 https://tls.peet.ws/api/all and got the result below; the cipher order in the ClientHello is not 'ECDHE-ECDSA-AES128-GCM-SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384'. How can I solve this problem?

{
  "ip": "103.142.140.11:40643",
  "http_version": "h2",
  "method": "GET",
  "user_agent": "curl/7.84.0",
  "tls": {
    "ciphers": [
      "TLS_GREASE (0x7A7A)",
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "extensions": [
      {
        "name": "TLS_GREASE (0x6a6a)"
      },
      {
        "name": "server_name (0)",
        "server_name": "tls.peet.ws"
      },
      {
        "name": "extended_master_secret (23)",
        "master_secret_data": "",
        "extended_master_secret_data": ""
      },
      {
        "name": "extensionRenegotiationInfo (boringssl) (65281)",
        "data": "00"
      },
      {
        "name": "supported_groups (10)",
        "supported_groups": [
          "TLS_GREASE (0xfafa)",
          "X25519 (29)",
          "P-256 (23)",
          "P-384 (24)"
        ]
      },
      {
        "name": "ec_point_formats (11)",
        "elliptic_curves_point_formats": [
          "0x00"
        ]
      },
      {
        "name": "session_ticket (35)",
        "data": ""
      },
      {
        "name": "application_layer_protocol_negotiation (16)",
        "protocols": [
          "h2",
          "http/1.1"
        ]
      },
      {
        "name": "status_request (5)",
        "status_request": {
          "certificate_status_type": "OSCP (1)",
          "responder_id_list_length": 0,
          "request_extensions_length": 0
        }
      },
      {
        "name": "signature_algorithms (13)",
        "signature_algorithms": [
          "ecdsa_secp256r1_sha256",
          "rsa_pss_rsae_sha256",
          "rsa_pkcs1_sha256",
          "ecdsa_secp384r1_sha384",
          "rsa_pss_rsae_sha384",
          "rsa_pkcs1_sha384",
          "rsa_pss_rsae_sha512",
          "rsa_pkcs1_sha512"
        ]
      },
      {
        "name": "extensionNextProtoNeg (boringssl) (13172)",
        "data": ""
      },
      {
        "name": "signed_certificate_timestamp (18)"
      },
      {
        "name": "key_share (51)",
        "shared_keys": [
          {
            "TLS_GREASE (0xfafa)": "00"
          },
          {
            "X25519 (29)": "d9ae6e07929f5970c75fba3b09bfdc39f72c274efe434bf3a6879a4a957fe369"
          }
        ]
      },
      {
        "name": "psk_key_exchange_modes (45)",
        "PSK_Key_Exchange_Mode": "PSK with (EC)DHE key establishment (psk_dhe_ke) (1)"
      },
      {
        "name": "supported_versions (43)",
        "versions": [
          "TLS_GREASE (0xdada)",
          "TLS 1.3",
          "TLS 1.2",
          "TLS 1.1",
          "TLS 1.0"
        ]
      },
      {
        "name": "TLS_GREASE (0x5a5a)"
      },
      {
        "name": "padding (21)",
        "padding_data_length": 468
      }
    ],
    "tls_version_record": "771",
    "tls_version_negotiated": "772",
    "ja3": "771,4865-4866-4867-49195,0-23-65281-10-11-35-16-5-13-13172-18-51-45-43-21,29-23-24,0",
    "ja3_hash": "457c4ea120c9c2d2072fec83def354af",
    "peetprint (WIP)": "GREASE-772-771-770-769|2-1.1|GREASE-29-23-24|1027-2052-1025-1283-2053-1281-2054-1537|1||GREASE-4865-4866-4867-49195|GREASE-0-23-65281-10-11-35-16-5-13-13172-18-51-45-43-GREASE-21",
    "peetprint_hash (WIP)": "05d7c7369eecf19cf61358903d5951ba",
    "client_random": "b84da046d1efa2d5bb2a814de634c57afb2abf17e152958d9c184a671334ec8a",
    "session_id": "de9db86d705f01367a6813f37a8117201ce79880a99fe47531c45c97d6cfee08"
  },
  "http2": {
    "akamai_fingerprint": "1:65536,3:1000,4:6291456,6:262144|15663105|0|m,a,s,p",
    "akamai_fingerprint_hash": "7ad845f20fc17cc8088a0d9312b17da1",
    "sent_frames": [
      {
        "frame_type": "SETTINGS",
        "length": 24,
        "settings": [
          "HEADER_TABLE_SIZE = 65536",
          "MAX_CONCURRENT_STREAMS = 1000",
          "INITIAL_WINDOW_SIZE = 6291456",
          "MAX_HEADER_LIST_SIZE = 262144"
        ]
      },
      {
        "frame_type": "WINDOW_UPDATE",
        "length": 4,
        "increment": 15663105
      },
      {
        "frame_type": "HEADERS",
        "stream_id": 1,
        "length": 40,
        "headers": [
          ":method: GET",
          ":authority: tls.peet.ws",
          ":scheme: https",
          ":path: /api/all",
          "user-agent: curl/7.84.0",
          "accept: */*"
        ],
        "flags": [
          "EndStream (0x1)",
          "EndHeaders (0x4)",
          "Priority (0x20)"
        ],
        "priority": {
          "weight": 256,
          "depends_on": 0,
          "exclusive": 1
        }
      }
    ]
  }
}
lwthiker commented 1 year ago

It looks like you are using the Chrome version. This version is compiled with BoringSSL, which doesn't support an arbitrary cipher order. To my understanding, it chooses the cipher order by itself. Unfortunately, I don't see a way to change that short of heavy modifications to BoringSSL.