Read ALPN protocols from the client hello

Author: pimterry

README.md

@@ -23,6 +23,7 @@ If parsing fails, this method will throw an error, but will still ensure all dat
 The returned promise resolves to an object, containing:
 
 * `serverName` - The server name requested in the client hello (or undefined if SNI was not used)
+* `alpnProtocols` - A list of ALPN protcol names requested in the client hello (or undefined if ALPN was not used)
 * `fingerprintData` - The raw components used for JA3 TLS fingerprinting (see the next section)
 
 ### TLS fingerprinting

src/index.ts

@@ -56,6 +56,7 @@ const isGREASE = (value: number) => (value & 0x0f0f) == 0x0a0a;
 
 export type TlsHelloData = {
     serverName: string | undefined;
+    alpnProtocols: string[] | undefined;
     fingerprintData: TlsFingerprintData;
 };
 
@@ -138,6 +139,26 @@ function parseSniData(data: Buffer) {
     return undefined;
 }
 
+function parseAlpnData(data: Buffer) {
+    const protocols: string[] = [];
+
+    const listLength = data.readUInt16BE();
+    if (listLength !== data.byteLength - 2) {
+        throw new Error('Invalid length for ALPN list');
+    }
+
+    let offset = 2;
+    while (offset < data.byteLength) {
+        const nameLength = data[offset];
+        offset += 1;
+        const name = data.slice(offset, offset + nameLength).toString('ascii');
+        offset += nameLength;
+        protocols.push(name);
+    }
+
+    return protocols;
+}
+
 export async function readTlsClientHello(inputStream: stream.Readable): Promise<TlsHelloData> {
     const wasFlowing = inputStream.readableFlowing;
     if (wasFlowing) inputStream.pause(); // Pause other readers, so we have time to precisely get the data we need.
@@ -237,13 +258,18 @@ export async function readTlsClientHello(inputStream: stream.Readable): Promise<
 
     // And capture other client hello data that might be interesting:
     const sniExtensionData = extensions.find(({ id }) => id.equals(Buffer.from([0x0, 0x0])))?.data;
-
     const serverName = sniExtensionData
         ? parseSniData(sniExtensionData)
         : undefined;
 
+    const alpnExtensionData = extensions.find(({ id }) => id.equals(Buffer.from([0x0, 0x10])))?.data;
+    const alpnProtocols = alpnExtensionData
+        ? parseAlpnData(alpnExtensionData)
+        : undefined;
+
     return {
         serverName,
+        alpnProtocols,
         fingerprintData
     };
 }

test/test.spec.ts

@@ -76,6 +76,28 @@ describe("Read-TLS-Client-Hello", () => {
         expect(curveFormats).to.deep.equal([0, 1, 2]);
     });
 
+    it("can read Node's client hello data", async () => {
+        server = makeDestroyable(new net.Server());
+
+        server.listen();
+        await new Promise((resolve) => server.on('listening', resolve));
+
+        let incomingSocketPromise = getDeferred<net.Socket>();
+        server.on('connection', (socket) => incomingSocketPromise.resolve(socket));
+
+        const port = (server.address() as net.AddressInfo).port;
+        tls.connect({
+            host: 'localhost',
+            port
+        }).on('error', () => {}); // Socket will fail, since server never responds, that's OK
+
+        const incomingSocket = await incomingSocketPromise;
+        const { serverName, alpnProtocols } = await readTlsClientHello(incomingSocket);
+
+        expect(serverName).to.equal(undefined); // No SNI set for pure TLS like this
+        expect(alpnProtocols).to.equal(undefined); // No SNI set for pure TLS like this
+    });
+
     it("can read Node's JA3 fingerprint", async () => {
         server = makeDestroyable(new net.Server());
 
@@ -144,6 +166,16 @@ describe("Read-TLS-Client-Hello", () => {
         expect(serverName).to.equal('localhost');
     });
 
+    it("can capture ALPN protocols from a Chrome request", async () => {
+        const incomingData = fs.createReadStream(path.join(__dirname, 'fixtures', 'chrome-tls-connect.bin'));
+
+        const { alpnProtocols } = await readTlsClientHello(incomingData);
+        expect(alpnProtocols).to.deep.equal([
+            'h2',
+            'http/1.1'
+        ]);
+    });
+
     it("can calculate the correct TLS fingerprint from a Chrome request", async () => {
         const incomingData = fs.createReadStream(path.join(__dirname, 'fixtures', 'chrome-tls-connect.bin'));