phuslu
commented
1 year ago could try wireshark to capture your request and post its ja3 result here? we promise to align to wireshark as first.
Closed emdaitaj closed 1 year ago
phuslu
commented
1 year ago could try wireshark to capture your request and post its ja3 result here? we promise to align to wireshark as first.
paragor
commented
1 year ago it different by SSLExtension pre_shared_key 41 - (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml).
it is common - on first session to site you have tls without pre_shared_key, and on next sessions you will have pre_shared_key (41). see https://www.rfc-editor.org/rfc/rfc8446.html#section-2.2
emdaitaj
commented
1 year ago @phuslu i checked with wireshark the client did sent 3 CLIENT_HELLO messages one after another when i opened my test nginx site first hello with tls1.2 some times it changed to tls1.3 in the second hello , some time it did not anyway your module's md5 ALWAYS matched with wiresharks first CLIENT_HELLO so there is no problem in your work
but i wonder why my tls fingerprint is different for each website and each time (i'm using lates version of chrome on windows 11) (this was the cause of mismatch) if it's like random then we can't Reilly on ja3 fingerprints
my https://ja3.zone/#/check fingerprint : 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-45-28-41,29-23-24-25-256-257,0
my ja3 fingerprint genratored by nginx compiled using your guide and your test config : 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-51-43-13-45-28,29-23-24-25-256-257,0
the diffenece is in extensions field i thought maybe using real domain an vaild certificate may have effect, tested ,no difference