Filter GREASE, and add a test against a real Chrome hello

Author: pimterry

src/index.ts

@@ -43,7 +43,19 @@ const collectBytes = (stream: stream.Readable, byteLength: number) => {
 const getUint16BE = (buffer: Buffer, offset: number) =>
     (buffer[offset] << 8) + buffer[offset+1];
 
-export async function getTlsFingerprintData(rawStream: stream.Readable) {
+// https://datatracker.ietf.org/doc/html/draft-davidben-tls-grease-01 defines GREASE values for various
+// TLS fields, reserving 0a0a, 1a1a, 2a2a, etc for ciphers, extension ids & supported groups.
+const isGREASE = (value: number) => (value & 0x0f0f) == 0x0a0a;
+
+export type TlsFingerprintData = [
+    tlsVersion: number,
+    ciphers: number[],
+    extensions: number[],
+    groups: number[],
+    curveFormats: number[]
+];
+
+export async function getTlsFingerprintData(rawStream: stream.Readable): Promise<TlsFingerprintData> {
     // Create a separate stream, which isn't flowing, so we can read byte-by-byte regardless of how else
     // the stream is being used.
     const inputStream = new stream.PassThrough();
@@ -100,10 +112,14 @@ export async function getTlsFingerprintData(rawStream: stream.Readable) {
 
     const cipherFingerprint: number[] = [];
     for (let i = 0; i < cipherSuites.length; i += 2) {
-        cipherFingerprint.push(getUint16BE(cipherSuites, i));
+        const cipherId = getUint16BE(cipherSuites, i);
+        if (isGREASE(cipherId)) continue;
+        cipherFingerprint.push(cipherId);
     }
 
-    const extensionsFingerprint: number[] = extensions.map(({ id }) => getUint16BE(id, 0));
+    const extensionsFingerprint: number[] = extensions
+        .map(({ id }) => getUint16BE(id, 0))
+        .filter(id => !isGREASE(id));
 
     const supportedGroupsData = (
         extensions.find(({ id }) => id.equals(Buffer.from([0x0, 0x0a])))?.data
@@ -112,7 +128,9 @@ export async function getTlsFingerprintData(rawStream: stream.Readable) {
 
     const groupsFingerprint: number[] = [];
     for (let i = 0; i < supportedGroupsData.length; i += 2) {
-        groupsFingerprint.push(getUint16BE(supportedGroupsData, i));
+        const groupId = getUint16BE(supportedGroupsData, i)
+        if (isGREASE(groupId)) continue;
+        groupsFingerprint.push(groupId);
     }
 
     const curveFormatsData = extensions.find(({ id }) => id.equals(Buffer.from([0x0, 0x0b])))?.data
@@ -125,12 +143,10 @@ export async function getTlsFingerprintData(rawStream: stream.Readable) {
         extensionsFingerprint,
         groupsFingerprint,
         curveFormatsFingerprint
-    ] as const;
+    ];
 }
 
-export async function getTlsFingerprintAsJa3(rawStream: stream.Readable) {
-    const fingerprintData = await getTlsFingerprintData(rawStream);
-
+export function calculateJa3FromFingerprintData(fingerprintData: TlsFingerprintData) {
     const fingerprintString = [
         fingerprintData[0],
         fingerprintData[1].join('-'),
@@ -140,4 +156,8 @@ export async function getTlsFingerprintAsJa3(rawStream: stream.Readable) {
     ].join(',');
 
     return crypto.createHash('md5').update(fingerprintString).digest('hex');
+}
+
+export async function getTlsFingerprintAsJa3(rawStream: stream.Readable) {
+    return calculateJa3FromFingerprintData(await getTlsFingerprintData(rawStream));
 }

test/fixtures/chrome-tls-connect.bin

@@ -1,3 +1,5 @@
+import * as path from 'path';
+import * as fs from 'fs';
 import * as net from 'net';
 import * as tls from 'tls';
 import * as https from 'https';
@@ -8,7 +10,8 @@ import { getDeferred, streamToBuffer } from './test-util';
 
 import {
     getTlsFingerprintData,
-    getTlsFingerprintAsJa3
+    getTlsFingerprintAsJa3,
+    calculateJa3FromFingerprintData
 } from '../src/index';
 
 const nodeMajorVersion = parseInt(process.version.slice(1).split('.')[0], 10);
@@ -17,7 +20,7 @@ describe("Read-TLS-Fingerprint", () => {
 
     let server: DestroyableServer<net.Server>;
 
-    afterEach(() => server?.destroy());
+    afterEach(() => server?.destroy().catch(() => {}));
 
     it("can read Node's fingerprint data", async () => {
         server = makeDestroyable(new net.Server());
@@ -126,4 +129,46 @@ describe("Read-TLS-Fingerprint", () => {
         expect(ourFingerprint).to.equal(remoteFingerprint);
     });
 
+    it("can calculate the correct TLS fingerprint from a Chrome request", async () => {
+        const incomingData = fs.createReadStream(path.join(__dirname, 'fixtures', 'chrome-tls-connect.bin'));
+
+        const fingerprintData = await getTlsFingerprintData(incomingData);
+
+        const [
+            tlsVersion,
+            ciphers,
+            extension,
+            groups,
+            curveFormats
+        ] = fingerprintData;
+
+        expect(tlsVersion).to.equal(771); // TLS 1.2 - now set even for TLS 1.3 for backward compat
+        expect(ciphers.slice(0, 3)).to.deep.equal([4865, 4866, 4867]);
+        expect(ciphers.length).to.equal(15);
+        console.log(extension);
+        expect(extension).to.deep.equal([
+            0,
+            23,
+            65281,
+            10,
+            11,
+            35,
+            16,
+            5,
+            13,
+            18,
+            51,
+            45,
+            43,
+            27,
+            17513,
+            21
+        ]);
+        expect(groups).to.deep.equal([29, 23, 24]);
+        expect(curveFormats).to.deep.equal([0]);
+
+        const fingerprint = calculateJa3FromFingerprintData(fingerprintData);
+        expect(fingerprint).to.equal('cd08e31494f9531f560d64c695473da9');
+    });
+
 });