
add support for missing extensions in rama-boring to make emulate e2e test pass

Open GlenDC opened this issue 9 months ago • 3 comments

TLS JA3/JA4 hash tests are disabled for now in https://github.com/plabayo/rama/blob/e4d88e1b6e455e4b982afd3f9e446a49830744c1/tests/integration/ua_emulation.rs#L269-L278 due to some extensions that weren't supported in boring. The hope is that if we add support for these, we can actually verify these fingerprints.

GlenDC Mar 19 '25 20:03

The problem here is not only that we have missing extensions, but also that the order of the ones we set is wrong. Something we will have to fix, and think about how we fix and expose this (e.g. is order important when we set them, or do we provide a callback to order them just before they are finalized in the client hello).

Client hello we send vs. expected:

  left: Ja3 { 
  version: TLSv1_2, 
  cipher_suites: [TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA], 
  extensions: Some([SERVER_NAME, EXTENDED_MASTER_SECRET, RENEGOTIATION_INFO, SUPPORTED_GROUPS, EC_POINT_FORMATS, SESSION_TICKET, APPLICATION_LAYER_PROTOCOL_NEGOTIATION, STATUS_REQUEST, SIGNATURE_ALGORITHMS, SIGNED_CERTIFICATE_TIMESTAMP, KEY_SHARE, PSK_KEY_EXCHANGE_MODES, SUPPORTED_VERSIONS, COMPRESS_CERTIFICATE, PADDING]), 
  supported_groups: Some([X25519, SECP256R1, SECP384R1]), 
  ec_point_formats: Some([Uncompressed]) }

 right: Ja3 { 
  version: TLSv1_2, 
  cipher_suites: [TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA], 
  extensions: Some([SIGNED_CERTIFICATE_TIMESTAMP, SUPPORTED_VERSIONS, PSK_KEY_EXCHANGE_MODES, SUPPORTED_GROUPS, SIGNATURE_ALGORITHMS, EC_POINT_FORMATS, SESSION_TICKET, Unknown(17613), COMPRESS_CERTIFICATE, KEY_SHARE, STATUS_REQUEST, RENEGOTIATION_INFO, EXTENDED_MASTER_SECRET, SERVER_NAME, ENCRYPTED_CLIENT_HELLO, APPLICATION_LAYER_PROTOCOL_NEGOTIATION]), 
  supported_groups: Some([Unknown(4588), X25519, SECP256R1, SECP384R1]), 
  ec_point_formats: Some([Uncompressed]) }

Extensions

[SERVER_NAME, EXTENDED_MASTER_SECRET, RENEGOTIATION_INFO, SUPPORTED_GROUPS, EC_POINT_FORMATS, SESSION_TICKET, APPLICATION_LAYER_PROTOCOL_NEGOTIATION, STATUS_REQUEST, SIGNATURE_ALGORITHMS, SIGNED_CERTIFICATE_TIMESTAMP, KEY_SHARE, PSK_KEY_EXCHANGE_MODES, SUPPORTED_VERSIONS, COMPRESS_CERTIFICATE, PADDING]
[SIGNED_CERTIFICATE_TIMESTAMP, SUPPORTED_VERSIONS, PSK_KEY_EXCHANGE_MODES, SUPPORTED_GROUPS, SIGNATURE_ALGORITHMS, EC_POINT_FORMATS, SESSION_TICKET, Unknown(17613), COMPRESS_CERTIFICATE, KEY_SHARE, STATUS_REQUEST, RENEGOTIATION_INFO, EXTENDED_MASTER_SECRET, SERVER_NAME, ENCRYPTED_CLIENT_HELLO, APPLICATION_LAYER_PROTOCOL_NEGOTIATION]

soundofspace Mar 23 '25 10:03

I am not entirely certain if the order of extensions is static in legit user agents. E.g. in JA4 the extensions are sorted, I think.

If the order is fixed then yes, it would be a bug. If so, you can open a new issue for it, as that would be a different scope.

GlenDC Mar 23 '25 10:03
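The two comments above turn on how the fingerprints treat extension order. As an added illustration (Python written for this page, not code from rama or rama-boring), the block below builds the JA3 string and MD5 from the `left`/`right` ClientHello fields posted above, diffs the two extension lists into missing, extra and out-of-order entries, and computes the sorted-extension part of JA4 to show that JA3 changes when only the order changes while the JA4 extension hash does not. The name-to-code-point tables, the `code` and `diff_extensions` helpers and the use of 771 for TLSv1_2 are this example's own assumptions; `Unknown(n)` values are passed through as the numbers shown; the JA4 component here omits the signature_algorithms list that the real JA4_c appends, because the Ja3 struct above does not carry it.

```python
import hashlib

# Constructed lookup tables (IANA TLS registry code points) covering only the
# names that appear in the issue above; Unknown(n) names pass through as n.
EXT = {
    "SERVER_NAME": 0, "STATUS_REQUEST": 5, "SUPPORTED_GROUPS": 10,
    "EC_POINT_FORMATS": 11, "SIGNATURE_ALGORITHMS": 13,
    "APPLICATION_LAYER_PROTOCOL_NEGOTIATION": 16,
    "SIGNED_CERTIFICATE_TIMESTAMP": 18, "PADDING": 21,
    "EXTENDED_MASTER_SECRET": 23, "COMPRESS_CERTIFICATE": 27,
    "SESSION_TICKET": 35, "SUPPORTED_VERSIONS": 43,
    "PSK_KEY_EXCHANGE_MODES": 45, "KEY_SHARE": 51,
    "ENCRYPTED_CLIENT_HELLO": 0xFE0D, "RENEGOTIATION_INFO": 0xFF01,
}
GROUP = {"SECP256R1": 23, "SECP384R1": 24, "X25519": 29}

# Cipher suite list from the issue, in the order shown (same on both sides).
CIPHERS = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9,
           0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035]

# Extension lists from the comment above: "left" = what rama-boring sent,
# "right" = what the emulated user agent is expected to send.
SENT_EXT = ["SERVER_NAME", "EXTENDED_MASTER_SECRET", "RENEGOTIATION_INFO",
            "SUPPORTED_GROUPS", "EC_POINT_FORMATS", "SESSION_TICKET",
            "APPLICATION_LAYER_PROTOCOL_NEGOTIATION", "STATUS_REQUEST",
            "SIGNATURE_ALGORITHMS", "SIGNED_CERTIFICATE_TIMESTAMP", "KEY_SHARE",
            "PSK_KEY_EXCHANGE_MODES", "SUPPORTED_VERSIONS",
            "COMPRESS_CERTIFICATE", "PADDING"]
EXPECTED_EXT = ["SIGNED_CERTIFICATE_TIMESTAMP", "SUPPORTED_VERSIONS",
                "PSK_KEY_EXCHANGE_MODES", "SUPPORTED_GROUPS",
                "SIGNATURE_ALGORITHMS", "EC_POINT_FORMATS", "SESSION_TICKET",
                "Unknown(17613)", "COMPRESS_CERTIFICATE", "KEY_SHARE",
                "STATUS_REQUEST", "RENEGOTIATION_INFO", "EXTENDED_MASTER_SECRET",
                "SERVER_NAME", "ENCRYPTED_CLIENT_HELLO",
                "APPLICATION_LAYER_PROTOCOL_NEGOTIATION"]
SENT_GROUPS = ["X25519", "SECP256R1", "SECP384R1"]
EXPECTED_GROUPS = ["Unknown(4588)", "X25519", "SECP256R1", "SECP384R1"]
TLS1_2 = 771  # 0x0303, the value JA3 uses for the TLSv1_2 shown above


def code(name: str, table: dict) -> int:
    """Map a name from the issue to its code point; Unknown(n) -> n."""
    if name.startswith("Unknown(") and name.endswith(")"):
        return int(name[len("Unknown("):-1])
    return table[name]


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are skipped by JA3/JA4."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(version, ciphers, extensions, groups, point_formats) -> str:
    """JA3 keeps every list in ClientHello order, so extension order matters."""
    def dash(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(version), dash(ciphers), dash(extensions),
                     dash(groups), dash(point_formats)])


def ja3_hash(ja3: str) -> str:
    return hashlib.md5(ja3.encode()).hexdigest()


def ja4_sorted_extensions(extensions) -> str:
    """Sorted-extension part of JA4: SNI (0x0000) and ALPN (0x0010) are dropped,
    the rest sorted, hex-joined and SHA-256 truncated to 12 chars. Real JA4_c
    also appends signature_algorithms, which the Ja3 struct above lacks."""
    kept = sorted(v for v in extensions
                  if not is_grease(v) and v not in (0x0000, 0x0010))
    return hashlib.sha256(",".join(f"{v:04x}" for v in kept).encode()).hexdigest()[:12]


def issue_ja3(ext_names, group_names) -> str:
    """JA3 string for one side of the issue's comparison (point format 0 = uncompressed)."""
    return ja3_string(TLS1_2, CIPHERS, [code(e, EXT) for e in ext_names],
                      [code(g, GROUP) for g in group_names], [0])


def diff_extensions(sent_names, expected_names):
    """Return (missing, extra, same_relative_order) for sent vs. expected."""
    sent = [code(e, EXT) for e in sent_names]
    expected = [code(e, EXT) for e in expected_names]
    missing = [v for v in expected if v not in sent]
    extra = [v for v in sent if v not in expected]
    common_sent = [v for v in sent if v in expected]
    common_expected = [v for v in expected if v in sent]
    return missing, extra, common_sent == common_expected


if __name__ == "__main__":
    print("sent     ja3:", ja3_hash(issue_ja3(SENT_EXT, SENT_GROUPS)))
    print("expected ja3:", ja3_hash(issue_ja3(EXPECTED_EXT, EXPECTED_GROUPS)))
    print("missing, extra, same order:", diff_extensions(SENT_EXT, EXPECTED_EXT))
    # Same extension set, reversed order: JA3 changes, JA4's sorted part does not.
    exts = [code(e, EXT) for e in EXPECTED_EXT]
    print("ja3 order-sensitive:", ja3_hash(ja3_string(TLS1_2, CIPHERS, exts, [29], [0]))
          != ja3_hash(ja3_string(TLS1_2, CIPHERS, exts[::-1], [29], [0])))
    print("ja4 ext order-insensitive:",
          ja4_sorted_extensions(exts) == ja4_sorted_extensions(exts[::-1]))
```

Running it reports PADDING as the one extension sent but not expected, Unknown(17613) and ENCRYPTED_CLIENT_HELLO as the expected ones that were not sent, and a different relative order for the common ones; the last two lines show why fixing the order matters for the JA3 test but not for the JA4 extension hash.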

Extensions found missing so far:

  • RECORD_SIZE_LIMIT
  • APPLICATION_LAYER_PROTOCOL_SETTINGS (blocked on updating rama-boring)
  • DELEGATED_CREDENTIAL
  • ENCRYPTED_CLIENT_HELLO (will probably open separate issue for this one, as it might be quite a bit of work, but will come back after some more reading)

soundofspace Apr 01 '25 15:04