Open ne4u opened 2 years ago
In my opinion it should be the version that is actually negotiated, not the locked 0x0303 value. More datapoints are always good.
The JA3 string should represent only what is part of the initial client hello.
Ah, that's something I haven't thought of. Makes sense.
Should TLSVersion for TLS1.3 be 771 or 772?
Per RFC 8446:
I'm of the opinion that TLSVersion should be correctly set to the actual version negotiated, as the JA3 spec doesn't dictate where the version is sourced: the legacy version or the version from the "supported_versions" extension.
I've noticed that Wireshark will report the JA3 String for TLS1.3 with 771. However, Browserleaks will report 772.
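The two numbers in this thread both come from the ClientHello: 771 is the `legacy_version` field (0x0303) and 772 is 0x0304 as listed in the `supported_versions` extension. The sketch below is an added example, not code from this issue or from any JA3 implementation; it extracts both from a ClientHello body, and the function names and the sample bytes are constructed for illustration.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type defined in RFC 8446

def is_grease(v):
    # GREASE values (RFC 8701) look like 0x0A0A, 0x1A1A, ... 0xFAFA
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def client_hello_versions(body):
    """Return (legacy_version, offered_versions) from a ClientHello body
    (the handshake message without its 4-byte handshake header)."""
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # legacy_compression_methods
    offered = []
    if pos + 2 <= len(body):                            # extensions may be absent
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == SUPPORTED_VERSIONS:
                n = body[pos]                           # 1-byte list length
                offered = [struct.unpack_from("!H", body, pos + 1 + i)[0]
                           for i in range(0, n, 2)]
            pos += elen
    return legacy, offered

def ja3_version_candidates(body):
    """The two values a JA3 tool could emit as TLSVersion for this hello."""
    legacy, offered = client_hello_versions(body)
    real = [v for v in offered if not is_grease(v)]
    return {"legacy_version": legacy,
            "highest_offered": max(real, default=legacy)}

def build_sample_hello():
    # Constructed TLS 1.3 style ClientHello body: one cipher suite, one
    # unrelated extension, then supported_versions = GREASE, 0x0304, 0x0303.
    sv = b"\x06" + bytes.fromhex("0a0a03040303")
    exts = (struct.pack("!HH", 0xFF01, 1) + b"\x00"
            + struct.pack("!HH", SUPPORTED_VERSIONS, len(sv)) + sv)
    return (bytes.fromhex("0303") + bytes(32) + b"\x00"
            + struct.pack("!H", 2) + bytes.fromhex("1301") + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)

if __name__ == "__main__":
    print(ja3_version_candidates(build_sample_hello()))
```

Neither value is the negotiated version in the strict sense: that is only known from the ServerHello, which a ClientHello-only fingerprint never sees.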