Closed ne4u closed 2 years ago
Emmm, this case is well tested internally, so it should be OK. Could you please give a repro with a "curl" CLI example?
ssl_protocols TLSv1.2;
/usr/local/opt/curl/bin/curl -v https://tls.bob.com:4443
GET / HTTP/1.1
Host: tls.bob.com:4443
User-Agent: curl/7.83.0
Accept: */*
If you see this page, the web server is successfully installed and working. Further configuration is required.
ssl_protocols TLSv1.3;
/usr/local/opt/curl/bin/curl -v https://tls.bob.com:4443
GET / HTTP/1.1
Host: tls.bob.com:4443
User-Agent: curl/7.83.0
Accept: */*
If you see this page, the web server is successfully installed and working. Further configuration is required.
The expected result for TLS 1.3 should be:
JA3: 772,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-13172-16-22-23-49-13-43-45-51-21,29-23-30-25-24, JA3-Hash: b0aca3a3bfcbb345b7e4e397f231dee8
When formats is null, truncation occurs.
I'm no C programmer, so to test my theory I added this horribly wrong code, which does seem to work:
    /* formats */
    if (c->ssl->points.len) {
        pdata = c->ssl->points.data;
        pend = pdata + c->ssl->points.len;
        while (pdata < pend) {
            pstr = append_uint8(pstr, *pdata);
            *pstr++ = '-';
            pdata++;
        }
    } else {
        /* quick dirty fix for tls 1.3 */
        *pstr++ = ',';
        pdata++;
    }
I can confirm that with my hack I'm now getting the expected results when compared to browserleaks.com/ssl for all tested TLS 1.3 clients.
Fix in the openssl-31 branch, please take a look.
When TLS 1.3 is negotiated, the JA3 value is truncated, therefore the MD5 hash is wrong.
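The empty-formats case discussed in this thread, as an added stand-alone example (not the module's code and not the fix from the openssl-31 branch): a bounds-checked JA3 string builder that writes the field separator unconditionally, so an empty point-formats list still yields the full five-field string that gets hashed. `struct ja3_fields`, `ja3_list` and `ja3_build` are hypothetical names, point formats are widened to `uint16_t` for brevity, and the sample values are constructed and shortened.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container: ciphers, extensions, curves, point formats. */
struct ja3_fields {
    unsigned        version;
    const uint16_t *list[4];
    size_t          len[4];
};

/* Append v[0..n) as "a-b-c"; an empty list appends nothing. */
static int ja3_list(char *buf, size_t cap, size_t *off, const uint16_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + *off, cap - *off, i ? "-%u" : "%u", (unsigned) v[i]);
        if (w < 0 || (size_t) w >= cap - *off) return -1;
        *off += (size_t) w;
    }
    return 0;
}

/* Build the JA3 string; returns its length, or -1 if buf is too small. */
int ja3_build(const struct ja3_fields *f, char *buf, size_t cap)
{
    int w = snprintf(buf, cap, "%u", f->version);
    if (w < 0 || (size_t) w >= cap) return -1;
    size_t off = (size_t) w;
    for (int i = 0; i < 4; i++) {
        /* Separator goes in before every field, even if the list is empty. */
        if (off + 2 > cap) return -1;
        buf[off++] = ','; buf[off] = '\0';
        if (ja3_list(buf, cap, &off, f->list[i], f->len[i]) != 0) return -1;
    }
    return (int) off;
}

/* Constructed sample values, shortened for the example. */
static const uint16_t ciphers[] = { 4866, 4867, 4865 };
static const uint16_t exts[]    = { 0, 11, 10, 43 };
static const uint16_t curves[]  = { 29, 23 };
static const uint16_t formats[] = { 0, 1, 2 };

int main(void)
{
    char out[128];
    struct ja3_fields f13 = { 772, { ciphers, exts, curves, NULL }, { 3, 4, 2, 0 } };
    struct ja3_fields f12 = { 771, { ciphers, exts, curves, formats }, { 3, 4, 2, 3 } };
    if (ja3_build(&f13, out, sizeof out) > 0) puts(out); /* ends with ',' */
    if (ja3_build(&f12, out, sizeof out) > 0) puts(out);
}
```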