[net/http] How to capture raw client TLS handshake data?
506 views
Skip to first unread message
Aurora
Mar 6, 2023, 5:14:41 PM3/6/23
to golang-nuts
Is it possible to capture the whole TLS handshake data coming from a HTTP client request, enough to actually build a JA3 hash out of it?
The tls.ClientHelloInfo does apparently give some but not all the parts which are needed to build a JA3 hash.
The tls.ClientHelloInfo does apparently give some but not all the parts which are needed to build a JA3 hash.
Eli Lindsey
Mar 7, 2023, 12:09:27 AM3/7/23
to Aurora, golang-nuts
It’s not currently possible. Some of us run with patches exposing the TLS extensions to support this use case. The relevant GitHub issue is https://github.com/golang/go/issues/32936
-eli
On Mar 6, 2023, at 2:14 PM, Aurora <aurora...@gmail.com> wrote:
Is it possible to capture the whole TLS handshake data coming from a HTTP client request, enough to actually build a JA3 hash out of it?
The tls.ClientHelloInfo does apparently give some but not all the parts which are needed to build a JA3 hash.
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/df8327c6-cd97-498d-adf2-ab5d8eee97ebn%40googlegroups.com.
phus lu
Jul 17, 2023, 9:28:03 AM7/17/23
to golang-nuts
An update on https://github.com/golang/go/issues/32936#issuecomment-1637032504 that can extract raw clienthello bytes without stdlib patch.
Eli Lindsey
Jul 17, 2023, 7:50:39 PM7/17/23
to phus lu, golang-nuts
It can work, but ends up requiring reimplementing a chunk of the TLS protocol parser and doing the same parsing twice per connection. I’d generally favor a three line out of tree stdlib patch over that. Skimming your linked code, you’ll also want to make sure you have proper handling of the TLS record layer so as not to get truncated client hellos.
I’m glad it’s doable, but a somewhat unfortunate situation. Very few things need or want the raw hello, there’s a good existing API for most of the parsed information (ClientHelloInfo), and the client hello itself is small and rarely changes. To me the oversight is that ClientHelloInfo is missing one field (extensions) which prevents it from being useful for most fingerprinting.
-eli
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/b43fc53b-c1f4-4b96-a156-19e76badfdb4n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages