The JA4 specification[^1] mentions that the numbers of cipher suites and of extensions should be limited to two characters and that if the values are over 99 we should output 99.
That value should never be reached, but it may happen on the Internet. I discovered the bug while implementing stricter JA4 parsing in IVRE[^2] and parsing logs from fingerproxy. Turns out, at least one (testing) tool[^3] produces a wrong fingerprint with the current implementation: t12d1120600_e33c72313a64_a1e935682795 (112 extensions) rather than t12d990600_e33c72313a64_a1e935682795.
The JA4_a part of the wrong fingerprint is 11 characters and IVRE now fails to parse it. This simple patch fixes the issue.
[^1]: See technical details.
[^2]: Change: ff696af5.
[^3]: Namely TLS tester.
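The two-digit cap described above, as an added Go example that is not part of this pull request or of fingerproxy's code. `clampCount`, `buildJA4a` and `validJA4a` are hypothetical helpers, the strict pattern is a simplified assumption about the accepted character sets, and the input counts are constructed so that the output reproduces the two JA4_a strings quoted above.

```go
package main

import (
	"fmt"
	"regexp"
)

// Strict JA4_a shape: protocol, 2-char version, SNI flag, 2-digit cipher
// count, 2-digit extension count, 2-char ALPN: exactly 10 characters.
// Assumption: character classes are simplified for this example.
var ja4aPattern = regexp.MustCompile(`^[tqd][0-9a-z]{2}[di][0-9]{2}[0-9]{2}[0-9a-z]{2}$`)

// clampCount caps a count so it always renders as two digits (00..99).
func clampCount(n int) int {
	if n > 99 {
		return 99
	}
	if n < 0 {
		return 0
	}
	return n
}

// buildJA4a formats the JA4_a part. With clamp=false it shows the overflow:
// %02d pads to a minimum width but never truncates, so 112 prints as "112".
func buildJA4a(proto rune, version string, sni rune, ciphers, exts int, alpn string, clamp bool) string {
	if clamp {
		ciphers, exts = clampCount(ciphers), clampCount(exts)
	}
	return fmt.Sprintf("%c%s%c%02d%02d%s", proto, version, sni, ciphers, exts, alpn)
}

// validJA4a is the kind of check a strict consumer applies before parsing.
func validJA4a(s string) bool { return ja4aPattern.MatchString(s) }

func main() {
	// Constructed input: counts chosen to reproduce the strings quoted above.
	for _, clamp := range []bool{false, true} {
		a := buildJA4a('t', "12", 'd', 112, 6, "00", clamp)
		fmt.Printf("clamp=%v ja4_a=%s len=%d valid=%v\n", clamp, a, len(a), validJA4a(a))
	}
}
```

Without the cap, every field after the overflowing count shifts by one character, so a fixed-offset parser would misread the remaining fields instead of failing; a length or pattern check on the consumer side catches this.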