[Ruleset Eng, Workers] Add new TLS fields (#21445)

pedrosousa · web-flow · commit 96174a85398d · 2025-04-07T12:01:43.000+01:00
diff --git a/src/content/docs/workers/runtime-apis/request.mdx b/src/content/docs/workers/runtime-apis/request.mdx
@@ -252,6 +252,18 @@ All plans have access to:
 
   * Only set when using Cloudflare Access or API Shield (mTLS). Object with the following properties: `certFingerprintSHA1`, `certFingerprintSHA256`, `certIssuerDN`, `certIssuerDNLegacy`, `certIssuerDNRFC2253`, `certIssuerSKI`, `certIssuerSerial`, `certNotAfter`, `certNotBefore`, `certPresented`, `certRevoked`, `certSKI`, `certSerial`, `certSubjectDN`, `certSubjectDNLegacy`, `certSubjectDNRFC2253`, `certVerified`.
 
+* `tlsClientCiphersSha1` string
+
+  * The SHA-1 hash (Base64-encoded) of the cipher suite sent by the client during the TLS handshake, encoded in big-endian format. For example, `"GXSPDLP4G3X+prK73a4wBuOaHRc="`.
+
+* `tlsClientExtensionsSha1` string
+
+  * The SHA-1 hash (Base64-encoded) of the TLS client extensions sent during the handshake, encoded in big-endian format. For example, `"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="`.
+
+* `tlsClientExtensionsSha1Le` string
+
+  * The SHA-1 hash (Base64-encoded) of the TLS client extensions sent during the handshake, encoded in little-endian format. For example, `"7zIpdDU5pvFPPBI2/PCzqbaXnRA="`.
+
 * `tlsClientHelloLength` string
 
   * The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). For example, `"508"`. Specifically, the length of the bytestring of the client hello.
diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
@@ -786,10 +786,28 @@ entries:
     data_type: String
     categories: [Request, SSL/TLS]
     keywords: [request, ssl, tls, client, visitor]
-    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
+    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64 using big-endian format.
+    description: For the little-endian version of this field, refer to [`cf.tls_client_extensions_sha1_le`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_extensions_sha1_le/).
     example_value: |-
       "OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="
 
+  - name: cf.tls_client_extensions_sha1_le
+    data_type: String
+    categories: [Request, SSL/TLS]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64 using little-endian format.
+    description: For the big-endian version of this field, refer to [`cf.tls_client_extensions_sha1`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_extensions_sha1/).
+    example_value: |-
+      "7zIpdDU5pvFPPBI2/PCzqbaXnRA="
+
+  - name: cf.tls_ciphers_sha1
+    data_type: String
+    categories: [Request, SSL/TLS]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The SHA-1 fingerprint of the client TLS cipher list in received order, encoded in Base64 using big-endian format.
+    example_value: |-
+      "GXSPDLP4G3X+prK73a4wBuOaHRc="
+
   - name: cf.tls_client_hello_length
     data_type: Number
     categories: [Request, SSL/TLS]
