salesforce / ja3

JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
BSD 3-Clause "New" or "Revised" License

Extra value of 21 in the ja3 digest related to the extensions (related to GREASE???) #51

Open jaysonpryde opened 4 years ago

jaysonpryde commented 4 years ago

I have the following ja3/ja3 digests for a pcap I analyzed:

    "ja3": "771,4867-4865-4866-49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-51-45-43-10-21,29-23-24-25,0",
    "ja3_digest": "7a7a639628f0fe5c7e057628a5bbec5a",

Now using the fingerprintls tool for the same pcap, I have this data:

    'record_tls_version': '0x0301', 'tls_version': '0x0303', 'ciphersuite_length': '0x0034', 'ciphersuite': '0x1303 0x1301 0x1302 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0xCCA9 0xC030 0xC02F 0xC028 0xC027 0xC014 0xC013 0xCCA8 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0xC008 0xC012 0x000A', 'compression_length': '1', 'compression': '0x00', 'extensions': '0xFF01 0x0000 0x0017 0x000D 0x0005 0x3374 0x0012 0x0010 0x000B 0x0033 0x002D 0x002B 0x000A ', 'e_curves': '0x001D 0x0017 0x0018 0x0019 ', 'sig_alg': '0x0403 0x0804 0x0401 0x0503 0x0203 0x0805 0x0805 0x0501 0x0806 0x0601 0x0201 ', 'ec_point_fmt': '0x00',

For the extensions part of ja3:

    65281-0-23-13-5-13172-18-16-11-51-45-43-10-21

I noticed that there's an additional 21 value that was added because looking at the fingerprintls output for extensions, the final element is 0x000A:

    'extensions': '0xFF01 0x0000 0x0017 0x000D 0x0005 0x3374 0x0012 0x0010 0x000B 0x0033 0x002D 0x002B 0x000A ',

Now I understand that this may have something to do with GREASE. My question is: should I just add 21 to the end of the extensions ALWAYS, when there is a value in the extensions (or ciphers) that is in the GREASE table? Thanks
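Rebuilding the JA3 string from the fingerprintls fields quoted in the post above, with GREASE values filtered the way JA3 does, as an added example (not code from the ja3 project or from either commenter): the field strings are copied from the post, the GREASE table is the RFC 8701 set 0x0A0A..0xFAFA, and extension type 21 is the TLS padding extension (RFC 7685), so stripping GREASE neither adds nor removes it; the rebuilt string matches the post's JA3 string in every field except that trailing 21, and that single extra id yields a completely different digest.

```python
import hashlib
# Constructed input: the fingerprintls fields quoted in the issue above.
FINGERPRINTLS = {
    "tls_version": "0x0303",
    "ciphersuite": "0x1303 0x1301 0x1302 0xC02C 0xC02B 0xC024 0xC023 0xC00A 0xC009 0xCCA9 "
                   "0xC030 0xC02F 0xC028 0xC027 0xC014 0xC013 0xCCA8 0x009D 0x009C 0x003D "
                   "0x003C 0x0035 0x002F 0xC008 0xC012 0x000A",
    "extensions": "0xFF01 0x0000 0x0017 0x000D 0x0005 0x3374 0x0012 0x0010 0x000B 0x0033 "
                  "0x002D 0x002B 0x000A ",
    "e_curves": "0x001D 0x0017 0x0018 0x0019 ",
    "ec_point_fmt": "0x00",
}
# The JA3 string quoted in the issue, for comparison.
ISSUE_JA3 = ("771,4867-4865-4866-49196-49195-49188-49187-49162-49161-52393-49200-49199-"
             "49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,"
             "65281-0-23-13-5-13172-18-16-11-51-45-43-10-21,29-23-24-25,0")
# GREASE values (RFC 8701): 0x0A0A, 0x1A1A, ..., 0xFAFA. JA3 drops them from the cipher,
# extension and curve lists so a randomised GREASE value cannot change the hash.
GREASE_TABLE = {0x0A0A + n * 0x1010 for n in range(16)}

def parse_hex_list(field):
    """'0x1303 0x1301 ' -> [0x1303, 0x1301]."""
    return [int(tok, 16) for tok in field.split()]

def strip_grease(values):
    """Drop GREASE values; every other id, padding (21, RFC 7685) included, is kept."""
    return [v for v in values if v not in GREASE_TABLE]

def ja3_string(fields):
    """Build 'version,ciphers,extensions,curves,point_formats' from fingerprintls fields."""
    join = lambda xs: "-".join(str(x) for x in xs)
    return ",".join([
        str(int(fields["tls_version"], 16)),
        join(strip_grease(parse_hex_list(fields["ciphersuite"]))),
        join(strip_grease(parse_hex_list(fields["extensions"]))),
        join(strip_grease(parse_hex_list(fields["e_curves"]))),
        join(parse_hex_list(fields["ec_point_fmt"])),
    ])

def ja3_digest(ja3):
    """The JA3 digest is the MD5 of the JA3 string."""
    return hashlib.md5(ja3.encode()).hexdigest()

def extension_ids(ja3):
    """Extension ids (third comma-separated field) of a JA3 string, as ints."""
    return [int(x) for x in ja3.split(",")[2].split("-") if x]

if __name__ == "__main__":
    rebuilt = ja3_string(FINGERPRINTLS)
    print("extra ids in issue string:", sorted(set(extension_ids(ISSUE_JA3)) - set(extension_ids(rebuilt))))
```

Running it prints `[21]`: the cipher, curve and point-format fields agree exactly, so the disagreement between the two tools is confined to whether the padding extension was recorded, not to GREASE handling.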

ne4u commented 3 years ago

Interestingly, Akamai has been adding "-g" to the end of the md5 hash when the client sends the grease ciphersuites. Akamai also doesn't document that the "tag" field they capture is the ja3 digest. May be useful to anyone using some of Akamai's products. ;-)