search

phuslu / nginx-ssl-fingerprint

high performance ja3 and http2 fingerprint for nginx.
BSD 2-Clause "Simplified" License
138 stars 23 forks source link

ja3 discrepancy #47

Closed 7c closed 3 months ago

7c commented 4 months ago

Hello, i have read the other issue about the discrepancy between ja3zone and this implementation. Indeed it differs in 2 locations. I am testing with ubuntu20 curl since this ja3 is "known" to many people. I also have my own IDS tool in golang which uses tlsx to calculate ja3 hashes. I have also tested the tested haproxy-ja3 implementation which is compatible with ja3zone. 

http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],%[ssl_fc_cipherlist_bin(1),be2dec(-,2)],%[ssl_fc_extlist_bin(1),be2dec(-,2)],%[ssl_fc_eclist_bin(1),be2dec(-,2)],%[ssl_fc_ecformats_bin,be2dec(-,1)]
http-request set-header X-SSL-JA3-Hash %[req.fhdr(x-ssl-ja3),digest(md5),hex]

Also mentioned in ja3zone author at https://waf.ninja/ja3-on-guard-against-bots/ the nginx implementation differs from all "others". I believe you should seek compatibility. image

phuslu commented 4 months ago

I drop the padding(21) extension omitting, so the lacks of 21 should be fixed. but for the lacks of 0 I suppose it's not a bug in nginx-ssl-fingerprint

phuslu commented 3 months ago

I belive it's fixed, please re-open this issue if it can re-pro.