
crypto/tls: add Raw to ClientHelloInfo #32936

Open
phuslu opened this issue Jul 4, 2019 · 5 comments
Labels
FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments


phuslu commented Jul 4, 2019

Similar to aws/s2n-tls#607: having access to the raw ClientHello can be useful for fingerprinting clients [1] for further analysis.
Plus, with the raw ClientHello message, we could also implement an SNI proxy in tls.Config.GetConfigForClient [2], e.g. tlsrouter [3], more easily.
In OpenSSL this can be done by setting up a callback through SSL_CTX_set_msg_callback.
It would be nice to have a similar ability in Go's crypto.

[1] https://github.com/salesforce/ja3
[2] https://golang.org/pkg/crypto/tls/#Config
[3] https://github.com/google/tcpproxy/tree/master/cmd/tlsrouter

@bcmills bcmills added FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jul 8, 2019
@bcmills bcmills added this to the Unplanned milestone Jul 8, 2019
Member

bcmills commented Jul 8, 2019

CC @FiloSottile

@deancn

This comment was marked as duplicate.


mysticaltech commented Jun 3, 2022

That is really needed!


deancn commented Aug 12, 2022

Possibly add a raw byte for TLS?

Just for reference:
https://github.com/bfenetworks/bfe/blob/develop/bfe_tls/handshake_messages.go#L27


elindsey commented Sep 30, 2022

JA3 fingerprinting in particular has proven to be quite useful, and we've been running a patched stdlib for a few years in order to support it.

I personally see less need to, e.g., more easily support SNI proxying - tlsrouter's support is already straightforward, and I'm not sure that's a common enough use case that it'd make sense to adjust the stdlib to better accommodate. Exposing the raw ClientHello would also bring up a discussion about how we want to handle the client random, if it should be included or sanitized.

For fingerprinting use cases, the only thing missing is exposing extensions. That's a small change to the API surface, in line with existing ClientHelloInfo fields, and addresses a concrete need. I'd be happy to contribute a patch if there was agreement in that direction.

cc @FiloSottile this seems to be in your wheelhouse. Do you have any thoughts on the request or how we can move this towards a decision?
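To make concrete what phuslu's request for the raw ClientHello and elindsey's point about extension IDs would give a server operator, here is an added example (not code from this issue, from Go's crypto/tls, or from the JA3 project). It parses a ClientHello handshake message (record header already stripped) into the fields a JA3 fingerprint needs, drops GREASE values as JA3 requires, and deliberately skips the client random, which is per-connection entropy and not fingerprint material. Everything the parser recovers except the extension list and its order is already available from tls.ClientHelloInfo; the extension IDs are the missing piece elindsey describes. `ParseClientHello`, `JA3` and `SampleClientHello` are names chosen here, and the sample message is constructed, not captured.

```go
package main

import (
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ClientHello holds the ClientHello fields relevant to a JA3-style fingerprint.
// The client random is parsed past but never stored.
type ClientHello struct {
	Version      uint16
	CipherSuites []uint16
	Extensions   []uint16 // extension IDs in wire order (not exposed by tls.ClientHelloInfo)
	Groups       []uint16
	PointFormats []uint8
	ServerName   string
}

var errShort = errors.New("clienthello: truncated or malformed message")

// isGrease reports whether v is an RFC 8701 GREASE value (0x0a0a, 0x1a1a, ... 0xfafa).
func isGrease(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// ParseClientHello parses a handshake message starting at the handshake type byte.
// Every length is checked before it is used, so a malformed message returns an error.
func ParseClientHello(b []byte) (*ClientHello, error) {
	if len(b) < 4 || b[0] != 0x01 {
		return nil, errors.New("clienthello: not a ClientHello handshake message")
	}
	if n := int(b[1])<<16 | int(b[2])<<8 | int(b[3]); n != len(b)-4 {
		return nil, errShort
	}
	b = b[4:]
	ch := &ClientHello{}
	if len(b) < 2+32+1 {
		return nil, errShort
	}
	ch.Version = binary.BigEndian.Uint16(b)
	b = b[2+32:] // skip the 32-byte client random on purpose
	sidLen := int(b[0])
	b = b[1:]
	if len(b) < sidLen+2 {
		return nil, errShort
	}
	b = b[sidLen:]
	csLen := int(binary.BigEndian.Uint16(b))
	b = b[2:]
	if csLen%2 != 0 || len(b) < csLen+1 {
		return nil, errShort
	}
	for i := 0; i < csLen; i += 2 {
		ch.CipherSuites = append(ch.CipherSuites, binary.BigEndian.Uint16(b[i:]))
	}
	b = b[csLen:]
	compLen := int(b[0])
	b = b[1:]
	if len(b) < compLen {
		return nil, errShort
	}
	b = b[compLen:]
	if len(b) == 0 {
		return ch, nil // extensions block is optional
	}
	if len(b) < 2 {
		return nil, errShort
	}
	extLen := int(binary.BigEndian.Uint16(b))
	b = b[2:]
	if len(b) != extLen {
		return nil, errShort
	}
	for len(b) > 0 {
		if len(b) < 4 {
			return nil, errShort
		}
		typ, l := binary.BigEndian.Uint16(b), int(binary.BigEndian.Uint16(b[2:]))
		b = b[4:]
		if len(b) < l {
			return nil, errShort
		}
		data := b[:l]
		b = b[l:]
		ch.Extensions = append(ch.Extensions, typ)
		switch typ {
		case 0: // server_name: list len(2), name_type(1)=host_name, name len(2), name
			if len(data) >= 5 && data[2] == 0 {
				if n := int(binary.BigEndian.Uint16(data[3:])); len(data) >= 5+n {
					ch.ServerName = string(data[5 : 5+n])
				}
			}
		case 10: // supported_groups: list len(2), then 2-byte group IDs
			if len(data) >= 2 {
				n := int(binary.BigEndian.Uint16(data))
				for i := 2; i+1 < 2+n && i+1 < len(data); i += 2 {
					ch.Groups = append(ch.Groups, binary.BigEndian.Uint16(data[i:]))
				}
			}
		case 11: // ec_point_formats: len(1), then 1-byte formats
			if n := 0; len(data) >= 1 {
				if n = int(data[0]); len(data) >= 1+n {
					ch.PointFormats = append(ch.PointFormats, data[1:1+n]...)
				}
			}
		}
	}
	return ch, nil
}

// joinU16 renders IDs as dash-separated decimals, dropping GREASE values as JA3 does.
func joinU16(vs []uint16) string {
	var parts []string
	for _, v := range vs {
		if !isGrease(v) {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

// JA3 returns the JA3 string (version,ciphers,extensions,groups,point formats) and its MD5 hex digest.
func JA3(ch *ClientHello) (str, digest string) {
	pf := make([]string, len(ch.PointFormats))
	for i, p := range ch.PointFormats {
		pf[i] = strconv.Itoa(int(p))
	}
	str = fmt.Sprintf("%d,%s,%s,%s,%s", ch.Version, joinU16(ch.CipherSuites),
		joinU16(ch.Extensions), joinU16(ch.Groups), strings.Join(pf, "-"))
	sum := md5.Sum([]byte(str))
	return str, hex.EncodeToString(sum[:])
}

// SampleClientHello builds a constructed (not captured) TLS 1.2-style ClientHello
// with GREASE entries in the cipher, extension and group lists.
func SampleClientHello() []byte {
	be := func(vs ...uint16) []byte {
		out := make([]byte, 0, 2*len(vs))
		for _, v := range vs {
			out = append(out, byte(v>>8), byte(v))
		}
		return out
	}
	ext := func(typ uint16, data []byte) []byte { return append(be(typ, uint16(len(data))), data...) }
	body := be(0x0303)                       // legacy_version
	body = append(body, make([]byte, 32)...) // client random (zeros in this sample)
	body = append(body, 0)                   // empty session_id
	suites := be(0x1a1a, 0x1301, 0x1302, 0xc02b)
	body = append(append(body, be(uint16(len(suites)))...), suites...)
	body = append(body, 1, 0) // one compression method: null
	sni := []byte("example.com")
	sniData := append(append(be(uint16(3+len(sni))), 0), be(uint16(len(sni)))...)
	sniData = append(sniData, sni...)
	groups := be(0x2a2a, 0x001d, 0x0017)
	exts := ext(0x3a3a, nil) // GREASE extension; must not appear in the fingerprint
	exts = append(exts, ext(0, sniData)...)
	exts = append(exts, ext(10, append(be(uint16(len(groups))), groups...))...)
	exts = append(exts, ext(11, []byte{1, 0})...)
	body = append(append(body, be(uint16(len(exts)))...), exts...)
	n := len(body)
	return append([]byte{0x01, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

func main() {
	ch, err := ParseClientHello(SampleClientHello())
	if err != nil {
		panic(err)
	}
	s, d := JA3(ch)
	fmt.Printf("sni=%s ja3=%s md5=%s\n", ch.ServerName, s, d)
}
```

The parser is written defensively because, if a Raw field ever lands, this code would run on attacker-controlled bytes before any certificate check: every slice bound is validated and the random is never copied into the result, which is the sanitization question elindsey raises. For the constructed sample the JA3 string is `771,4865-4866-49195,0-10-11,29-23,0`: the GREASE suite, extension and group have been dropped, and only the extension list (`0-10-11`) is something tls.ClientHelloInfo cannot provide today.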

Development

No branches or pull requests

5 participants