Description
For the "Client Hello" given below the wrong JA3 is evaluated as the EC part is missing.
The correct result should be:
```
ja3 : 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28,29-23-24-25-256-257,0
ja3_digest : 334da95730484a993c6063e36bc90a47
```
However, the module evaluates:
```
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: Version: 771
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: ciphers: length: 18
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 275
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 787
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 531
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 11200
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 12224
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 43468
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 43212
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 11456
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 12480
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 2752
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 2496
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 5056
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 5312
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 13056
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 14592
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 12032
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 13568
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | cipher: 2560
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: extensions: length: 13
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 0
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 23
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 65281
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 10
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 11
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 35
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 16
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 5
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 51
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 43
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 13
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 45
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: | extension: 28
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: curves: length: 0
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: formats: length: 0
2019/03/16 14:32:03 [debug] 63802#0: *10 ssl_ja3: fp: [771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28,,]
```
The "Client Hello" packet (from Wireshark - of course I also have the pcap, just let me know where to send it) looks as follows:
```
Frame 49: 638 bytes on wire (5104 bits), 638 bytes captured (5104 bits) on interface 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 49116, Dst Port: 443, Seq: 1, Ack: 1, Len: 572
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 567
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 563
            Version: TLS 1.2 (0x0303)
            Random: abc0940d052b21a5a15dda3aa4e5cd73ece87aa257db0f4f...
                GMT Unix Time: Apr 24, 2061 00:32:29.000000000 CET
                Random Bytes: 052b21a5a15dda3aa4e5cd73ece87aa257db0f4f8d2a48fc...
            Session ID Length: 32
            Session ID: a00bd29e67ee1a486fc2636a4a37b4ae83af0c09ea8708cc...
            Cipher Suites Length: 36
            Cipher Suites (18 suites)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 454
            Extension: server_name (len=14)
                Type: server_name (0)
                Length: 14
                Server Name Indication extension
                    Server Name list length: 12
                    Server Name Type: host_name (0)
                    Server Name length: 9
                    Server Name: localhost
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: supported_groups (len=14)
                Type: supported_groups (10)
                Length: 14
                Supported Groups List Length: 12
                Supported Groups (6 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: ffdhe2048 (0x0100)
                    Supported Group: ffdhe3072 (0x0101)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
```
Seems like the EC part got lost ...
Please advise.
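For reference, an added example (not code from this module or from the reporter) that walks a ClientHello extensions block and derives the last two JA3 fields from `supported_groups` (10) and `ec_point_formats` (11), which is the part missing from the fingerprint above. The function name `ja3_ec_fields` and the byte array are assumptions built from the dissection; the point format value 0 is taken from the expected JA3, and GREASE filtering, which JA3 also requires, is left out because this ClientHello carries none.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS encodes every type and length field as big-endian. */
static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Append v to out in decimal, '-'-separated after the first item. */
static void put(char *out, size_t cap, unsigned v, int first) {
    size_t n = strlen(out);
    snprintf(out + n, cap - n, first ? "%u" : "-%u", v);
}
/* Walk an extensions block (type, length, body) and write the last two JA3
 * fields, "curves,formats", to out. Returns -1 if a length overruns the data. */
int ja3_ec_fields(const uint8_t *ext, size_t len, char *out, size_t cap) {
    char curves[128] = "", formats[64] = "";
    size_t off = 0;
    while (off + 4 <= len) {
        unsigned type = rd16(ext + off), blen = rd16(ext + off + 2);
        const uint8_t *b = ext + off + 4;
        if (blen > len - off - 4) return -1;
        if (type == 10 && blen >= 2) {        /* supported_groups */
            unsigned n = rd16(b);
            if (n + 2 > blen || n % 2) return -1;
            for (unsigned i = 0; i < n; i += 2)
                put(curves, sizeof curves, rd16(b + 2 + i), i == 0);
        } else if (type == 11 && blen >= 1) { /* ec_point_formats */
            unsigned n = b[0];
            if (n + 1 > blen) return -1;
            for (unsigned i = 0; i < n; i++)
                put(formats, sizeof formats, b[1 + i], i == 0);
        }
        off += 4 + blen;
    }
    if (off != len) return -1;
    snprintf(out, cap, "%s,%s", curves, formats);
    return 0;
}

/* Constructed sample: the two EC extensions from the dissection above. Point
 * format 0 is taken from the expected JA3; the dissection is cut off there. */
static const uint8_t SAMPLE_EXT[] = {
    0x00,0x0a, 0x00,0x0e, 0x00,0x0c, 0x00,0x1d, 0x00,0x17, 0x00,0x18, 0x00,0x19,
    0x01,0x00, 0x01,0x01, 0x00,0x0b, 0x00,0x02, 0x01,0x00 };

int main(void) {
    char tail[64];
    return ja3_ec_fields(SAMPLE_EXT, sizeof SAMPLE_EXT, tail, sizeof tail)
           || puts(tail) < 0;
}
```

An empty extensions block yields `,`, the same empty tail that appears in the logged `fp` line.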