TLS1.3 TLSVersion Inconsistencies

[ne4u]

Should TLSVersion for TLS1.3 be 771 or 772?

Per RFC 8446 :

In previous versions of TLS, this field was used for version negotiation and represented the highest version number supported by the client. Experience has shown that many servers do not properly implement version negotiation, leading to "version intolerance" in which the server rejects an otherwise acceptable ClientHello with a version number higher than it supports. In TLS 1.3, the client indicates its version preferences in the "supported_versions" extension (Section 4.2.1) and the legacy_version field MUST be set to 0x0303, which is the version number for TLS 1.2. TLS 1.3 ClientHellos are identified as having a legacy_version of 0x0303 and a supported_versions extension present with 0x0304 as the highest version indicated therein.

I'm of the opinion that TLSVersion should be correctly set to the actual version negotiated as JA3 spec doesn't dictate where the version is sourced: the legacy version or the version from "supported_versions" extension.

I've noticed that Wireshark will report the JA3 String for TLS1.3 with 771. However, Browserleaks will report 772.

[wwhtrbbtt]

In my opinion it should be the version that is actually negotiated, not the locked 0x0303 value. More datapoints are always good

[wwhtrbbtt]

The JA3 string should represent only what is part of the initial client hello.

Ah, that something I havent thought of. Makes sense