Ensure fingerprinting doesn't interfere with normal TLS

Author: pimterry

src/index.ts

@@ -55,22 +55,26 @@ export type TlsFingerprintData = [
     curveFormats: number[]
 ];
 
-export async function getTlsFingerprintData(rawStream: stream.Readable): Promise<TlsFingerprintData> {
-    // Create a separate stream, which isn't flowing, so we can read byte-by-byte regardless of how else
-    // the stream is being used.
-    const inputStream = new stream.PassThrough();
-    rawStream.pipe(inputStream);
+export async function getTlsFingerprintData(inputStream: stream.Readable): Promise<TlsFingerprintData> {
+    const wasFlowing = inputStream.readableFlowing;
+    if (wasFlowing) inputStream.pause(); // Pause other readers, so we have time to precisely get the data we need.
 
-    const [recordType] = await collectBytes(inputStream, 1);
+    const recordTypeBytes = await collectBytes(inputStream, 1);
+    const [recordType] = recordTypeBytes;
     if (recordType !== 0x16) throw new Error("Can't calculate TLS fingerprint - not a TLS stream");
 
     const tlsRecordVersion = await collectBytes(inputStream, 2);
-    const recordLength = (await collectBytes(inputStream, 2)).readUint16BE();
+    const recordLengthBytes = await collectBytes(inputStream, 2);
+    const recordLength = recordLengthBytes.readUint16BE();
 
     // Collect all the hello bytes, and then give us a stream of exactly only those bytes, so we can
     // still process them step by step in order:
-    const helloDataStream = stream.Readable.from(await collectBytes(inputStream, recordLength), { objectMode: false });
-    rawStream.unpipe(inputStream); // Don't need any more data now, thanks.
+    const recordBytes = await collectBytes(inputStream, recordLength);
+    const helloDataStream = stream.Readable.from(recordBytes, { objectMode: false });
+
+    // Put all the bytes back, so that this stream can still be used to create a real TLS session
+    inputStream.unshift(Buffer.concat([recordTypeBytes, tlsRecordVersion, recordLengthBytes, recordBytes]));
+    if (wasFlowing) inputStream.resume(); // If there were other readers, resume and let them continue
 
     const [helloType] = (await collectBytes(helloDataStream, 1));
     if (helloType !== 0x1) throw new Error("Can't calculate TLS fingerprint - not a TLS client hello");

test/fixtures/server.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUfxc7qPwEIlAJQtS+67g2MhKq9zkwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTIxMDgzMDE1MjUxNFoYDzIxMjEw
+ODA2MTUyNTE0WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC4Cf55DdM7CE40miw2k2B1m+gihcHl+GkEu5ulrX9i
+NbgqsWC3FixNMejDk0DdyEi2QGdQNFha7w/jlQ/u4HGJTQBmKsqVFaV03N/dnnCV
+3yll7tjDJoA7yxohGSs2ouOhvytM/w2JflJ/bV5OWhsTrbV8V7omPGm83F/3RXer
+r76VUvhNbtpwc/QEV+zZ9HWDA9p+bjtsusFb+HD4XIn7lYfBBXQgUfGFJR1VCftQ
+7b8VCoMZTGj6+NL1+k+EQvgdlwi2u7BfXYI1q765gUk5XS3/eennvOKi8Jn5kzuh
+gQRyhErzYHwKv+KUYvJvOctIjHL6egNUqeVXYB3Q9AphAgMBAAGjbzBtMB0GA1Ud
+DgQWBBRWMwFWKMABMs5WSuxEnFoYPwlAUjAfBgNVHSMEGDAWgBRWMwFWKMABMs5W
+SuxEnFoYPwlAUjAPBgNVHRMBAf8EBTADAQH/MBoGA1UdEQQTMBGCCWxvY2FsaG9z
+dIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAdjlHqfdKUdEdGofuL5CLMOZtMgmU
+7BYRuBVkBBRb+aysRf+vb8OvmCHK+j4HzWe5hlsrJkyDhvTWQ6IMxuufEdK9NwOX
+8zLut+k7N7LRkJvqC+RX8bbD+2a56n+TJjdvCqsyBFyuYdlxw07s7So2gW818ooK
+qTJSAjBcSkrdgZhYOEkG/AWKkelZRw2R9WLQv5wB2b+R7q0wrGtB2b9IXOs6JTaS
+HA5dFMDW8YaGiUQLm53eEZeTeZg+l5+izl4mTi4ytV4xa5KDyQTzzTttkLHK4cb3
+kVgGmAHsFu5/W1u/1u/WG/JnUW1XeEml7HVRuyA2E+GWCJc2fvTd4A0DaQ==
+-----END CERTIFICATE-----

test/fixtures/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4Cf55DdM7CE40
+miw2k2B1m+gihcHl+GkEu5ulrX9iNbgqsWC3FixNMejDk0DdyEi2QGdQNFha7w/j
+lQ/u4HGJTQBmKsqVFaV03N/dnnCV3yll7tjDJoA7yxohGSs2ouOhvytM/w2JflJ/
+bV5OWhsTrbV8V7omPGm83F/3RXerr76VUvhNbtpwc/QEV+zZ9HWDA9p+bjtsusFb
++HD4XIn7lYfBBXQgUfGFJR1VCftQ7b8VCoMZTGj6+NL1+k+EQvgdlwi2u7BfXYI1
+q765gUk5XS3/eennvOKi8Jn5kzuhgQRyhErzYHwKv+KUYvJvOctIjHL6egNUqeVX
+YB3Q9AphAgMBAAECggEAYCeQlizb/Q7U1XTrvsP3dNs1SLw712yXagqfQsvIL0bD
+50JvtpjWIqr94xkPnhCjtN0nXWdL9o7K7WwXPAZ2K3dYywh2ebgqj0lLiZ3bUuKa
+3ZASHrwB6buu9jYRNuWaKwsXk436w6iFb+BzklpPpVNv6/xl3M5ZrHwzg5z+7mrs
+LQ83IgjFe6kVnkLYFPWLrFEsoiS3jOoILiDCUO5k4j0ZNYjRlmPpG7Iq+oPv+0rf
+JHiOV1Q9L1SMeubYSZ7NSiKPAqbi93BjJOpbNS2BrSL5YPt5pp8tKhwLj0gB8hux
++XBwpn8GwwUypNy0YdbtYbLs/CbPcg1t5NEvhkrysQKBgQDfnBiQck9Xd8nqvwkb
+N0nw5UBXiPoKqHOxfQC5fsYjNdwKEvUj4OiGwAFtUwTSMqyqdmrj1Sy9SUuYfm3w
+ehOdQnabVyxYZj5Z1nLrP+wtXdCWv66ezq2S4dRsygs2fuy3uiL+ryVMojlBYj6M
+s53ipMN3qjDKt2NmwGWt33DJrQKBgQDSsokjbg7OMDebiWoimViE+eWRJ3YEXAtk
+WnDttCcG0qEGVi2gqZh6NjnCpiK3+dC07Sh24wfW6TS9Z9SZeNPrQ3BTnY4e0EDC
+hLo4MXeSEeXa+ndlTzpNcw/q63RNlKg7L+FJOV7Q3HaHKZvmC+kw2Y2dI9zYlK+X
+RH9ymffCBQKBgHdJHS2JXVwK0hNBX8k+AFra4S0RLFodLMKlLYrG30oPRFe3b0B5
+jXG84cYBQJQlZkj1LOZnZRuBCyvJXjqn1OjSeNU7drOdr2tbZCitC//TiR+yF6Qu
+Gxg9EoYKblre8Ma+LEbzBhHQhHylvTpv4yzxujiO+MJbfFJnFpbfmJptAoGARxx4
+yptvpcmCSx1y0+Cbjq3k/DusSkZileksah2+ekAGluPpHGuBCeZZUkfOOfe3qAjO
++mkfkTo+UZrEl1O/eozVUXNAr0esQ7qWOzb+2y7tPB4CxA+cZt1pxujW5QRCT0+W
+oqcZSDbQTkgN1PO6LYGPmTSsafCs3soAlcY/Z50CgYBRhbOo9mq+hNXrKYifJwWZ
+dVzvlV1hJZ8ViXCzJIFwkcq9yokUwsppF/K+5c/fKN+6IWAwep7I7035GEAwtLTc
+J4oxpxDBYgHAON7OqHuns/xQ1Lvvg6fzAIQzR3NTXoPBSOyT2TbZJLDUf9jQ/TN/
+ts7xHGcDnvSUE/8RItnM5w==
+-----END PRIVATE KEY-----

test/test-util.ts

@@ -1,4 +1,8 @@
 import * as stream from 'stream';
+import * as fs from 'fs';
+
+export const testKey = fs.readFileSync(__dirname + '/fixtures/server.key');
+export const testCert = fs.readFileSync(__dirname + '/fixtures/server.crt');
 
 export type Deferred<T> = Promise<T> & {
     resolve(value: T): void,

test/test.spec.ts

@@ -6,7 +6,12 @@ import * as https from 'https';
 import { makeDestroyable, DestroyableServer } from 'destroyable-server';
 
 import { expect } from 'chai';
-import { getDeferred, streamToBuffer } from './test-util';
+import {
+    getDeferred,
+    streamToBuffer,
+    testKey,
+    testCert
+} from './test-util';
 
 import {
     getTlsFingerprintData,
@@ -145,7 +150,6 @@ describe("Read-TLS-Fingerprint", () => {
         expect(tlsVersion).to.equal(771); // TLS 1.2 - now set even for TLS 1.3 for backward compat
         expect(ciphers.slice(0, 3)).to.deep.equal([4865, 4866, 4867]);
         expect(ciphers.length).to.equal(15);
-        console.log(extension);
         expect(extension).to.deep.equal([
             0,
             23,
@@ -171,4 +175,38 @@ describe("Read-TLS-Fingerprint", () => {
         expect(fingerprint).to.equal('cd08e31494f9531f560d64c695473da9');
     });
 
+    it("can be calculated manually alongside a real TLS session", async () => {
+        const tlsServer = tls.createServer({ key: testKey, cert: testCert })
+        server = makeDestroyable(new net.Server());
+
+        server.on('connection', async (socket: any) => {
+            socket.tlsFingerprint = await getTlsFingerprintAsJa3(socket);
+            tlsServer.emit('connection', socket);
+        });
+
+        const tlsSocketPromise = new Promise<tls.TLSSocket>((resolve) =>
+            tlsServer.on('secureConnection', (tlsSocket: any) => {
+                tlsSocket.tlsFingerprint = tlsSocket._parent.tlsFingerprint;
+                resolve(tlsSocket);
+            })
+        );
+
+        server.listen();
+        await new Promise((resolve) => server.on('listening', resolve));
+
+        const port = (server.address() as net.AddressInfo).port;
+        tls.connect({
+            host: 'localhost',
+            ca: [testCert],
+            port
+        });
+
+        const tlsSocket = await tlsSocketPromise;
+        const fingerprint = (tlsSocket as any).tlsFingerprint;
+        expect(fingerprint).to.be.oneOf([
+            '76cd17e0dc73c98badbb6ee3752dcf4c', // Node 12 - 16
+            '6521bd74aad3476cdb3daa827288ec35' // Node 17+
+        ]);
+    });
+
 });