macOS adding more ciphers than requested

[fopina]

Actual behavior

JA3 fingerprint generated (as seen in Wireshark) has extra ciphers added to it:

771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-10,0-23-65281-10-11-16-5-13-18-51-45-43-27-21,29-23-24-25,0

157-156-53-47-49160-10 (at the end of cipher list) are the extra ciphers

Expected behavior

JA3 fingerprint generated is the same as the requested: 771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171,0-23-65281-10-11-16-5-13-18-51-45-43-27-21,29-23-24-25,0

To Reproduce Steps to reproduce the behavior

1. Take main.go example from README.md and add required fingerprint
2. Verify in wireshark that it is not the same as expected

Additional Information

• Operating System information (e.g. Ubuntu 18.04): macOS 12.4
• Node version:
• Golang version: 1.18.2

As an extra note, ran the same code in a docker (so, Linux VM) and it worked (even though access was still blocked for that case but fingerprint in Wireshark is the same).

[Danny-Dasilva]

Have not been able to reproduce this on my M1 mac locally, along with this every merge runs my full test suite case (on mac) which checks ja3 tokens against various websites. I did however find that we are sending extra frame headers on Mac in one particular case. So I am investigating that and will see if I can reproduce this at all.