tlsfuzzer
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/conf.py‎
Lines changed: 1 addition & 1 deletion b/‎docs/conf.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎setup.py‎
Lines changed: 3 additions & 2 deletions b/‎setup.py‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎tlslite/api.py‎
Lines changed: 1 addition & 1 deletion b/‎tlslite/api.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tlslite/handshakesettings.py‎
Lines changed: 11 additions & 1 deletion b/‎tlslite/handshakesettings.py‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎tlslite/tlsconnection.py‎
Lines changed: 20 additions & 14 deletions b/‎tlslite/tlsconnection.py‎
Lines changed: 20 additions & 14 deletions
diff --git a/‎tlslite_ng.egg-info/PKG-INFO‎
Lines changed: 95 additions & 0 deletions b/‎tlslite_ng.egg-info/PKG-INFO‎
Lines changed: 95 additions & 0 deletions
@@ -1,4 +1,4 @@
-tlslite-ng version 0.9.0b1 (2025-09-25)
+tlslite-ng version 0.9.0b2 (2025-09-26)
 
 [![GitHub CI](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml/badge.svg)](https://github.com/tlsfuzzer/tlslite-ng/actions/workflows/ci.yml)
 [![Read the Docs](https://img.shields.io/readthedocs/tlslite-ng)](https://tlslite-ng.readthedocs.io/en/latest/)
@@ -622,7 +622,7 @@ Similarly, while delegated credentials have a valid time option, it is not enfor
 12 History
 ===========
 
-0.9.0b1 - 2025-09-25
+0.9.0b2 - 2025-09-26
 * support for Delegated Credentials (Ganna Starovoytova)
 * (Experimental) support for ML-DSA certificates in TLS
 
 
@@ -34,7 +34,7 @@
 # The short X.Y version.
 version = u'0.9'
 # The full version, including alpha/beta/rc tags.
-release = u'0.9.0b1'
+release = u'0.9.0b2'
 
 
 # -- General configuration ---------------------------------------------------
 
@@ -11,7 +11,7 @@
     README = f.read()
 
 setup(name="tlslite-ng",
-      version="0.9.0b1",
+      version="0.9.0b2",
       author="Alicja Kario",
       author_email="[email protected]",
       url="https://github.com/tlsfuzzer/tlslite-ng",
@@ -24,7 +24,7 @@
                     'package1': ['LICENSE', 'README.md']},
       install_requires=['ecdsa>=0.18.0b1'],
       obsoletes=["tlslite"],
-      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*, !=3.6.*",
+      python_requires=">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
       classifiers=[
             'Development Status :: 5 - Production/Stable',
             'Intended Audience :: Developers',
@@ -35,6 +35,7 @@
             'Programming Language :: Python :: 2.6',
             'Programming Language :: Python :: 2.7',
             'Programming Language :: Python :: 3',
+            'Programming Language :: Python :: 3.6',
             'Programming Language :: Python :: 3.7',
             'Programming Language :: Python :: 3.8',
             'Programming Language :: Python :: 3.9',
 
@@ -4,7 +4,7 @@
 #
 # See the LICENSE file for legal information regarding use of this file.
 
-__version__ = "0.9.0b1"
+__version__ = "0.9.0b2"
 # the whole module is about importing most commonly used methods, for use
 # by other applications
 # pylint: disable=unused-import
 
@@ -478,7 +478,7 @@ def _init_misc_extensions(self):
         self.dc_sig_algs = []
         self.dc_valid_time = DC_VALID_TIME
 
-    def __init__(self):
+    def __init__(self, **kwargs):
         """Initialise default values for settings."""
         self._init_key_settings()
         self._init_misc_extensions()
@@ -490,6 +490,11 @@ def __init__(self):
         self.keyExchangeNames = list(KEY_EXCHANGE_NAMES)
         self.cipherImplementations = list(CIPHER_IMPLEMENTATIONS)
 
+        # Custom attributes for exact JA3 control (added for httpx-tls compatibility)
+        self.cipher_order = kwargs.get("cipher_order", None)
+        self.extension_order = kwargs.get("extension_order", None)
+        self.groups_order = kwargs.get("groups_order", None)
+
     @staticmethod
     def _sanityCheckKeySizes(other):
         """Check if key size limits are sane"""
@@ -869,6 +874,11 @@ def validate(self):
         other.pskConfigs = self.pskConfigs
         other.psk_modes = self.psk_modes
 
+        # Copy custom JA3 control attributes (added for httpx-tls compatibility)
+        other.cipher_order = getattr(self, 'cipher_order', None)
+        other.extension_order = getattr(self, 'extension_order', None)
+        other.groups_order = getattr(self, 'groups_order', None)
+
         if not other.certificateTypes:
             raise ValueError("No supported certificate types")
 
 
@@ -712,21 +712,27 @@ def _clientSendClientHello(self, settings, session, srpUsername,
                                 srpParams, certParams, anonParams,
                                 serverName, nextProtos, reqTack, alpn):
         # Initialize acceptable ciphersuites
-        cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
-        if srpParams:
-            cipherSuites += CipherSuite.getSrpAllSuites(settings)
-        elif certParams:
-            cipherSuites += CipherSuite.getTLS13Suites(settings)
-            cipherSuites += CipherSuite.getEcdsaSuites(settings)
-            cipherSuites += CipherSuite.getEcdheCertSuites(settings)
-            cipherSuites += CipherSuite.getDheCertSuites(settings)
-            cipherSuites += CipherSuite.getCertSuites(settings)
-            cipherSuites += CipherSuite.getDheDsaSuites(settings)
-        elif anonParams:
-            cipherSuites += CipherSuite.getEcdhAnonSuites(settings)
-            cipherSuites += CipherSuite.getAnonSuites(settings)
+        # Check if exact cipher order is specified (for JA3 fingerprint control)
+        if hasattr(settings, 'cipher_order') and settings.cipher_order is not None:
+            # Use exact cipher order specified by httpx-tls for precise JA3 control
+            cipherSuites = list(settings.cipher_order)
         else:
-            assert False
+            # Default behavior: add renegotiation info and standard cipher suites
+            cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
+            if srpParams:
+                cipherSuites += CipherSuite.getSrpAllSuites(settings)
+            elif certParams:
+                cipherSuites += CipherSuite.getTLS13Suites(settings)
+                cipherSuites += CipherSuite.getEcdsaSuites(settings)
+                cipherSuites += CipherSuite.getEcdheCertSuites(settings)
+                cipherSuites += CipherSuite.getDheCertSuites(settings)
+                cipherSuites += CipherSuite.getCertSuites(settings)
+                cipherSuites += CipherSuite.getDheDsaSuites(settings)
+            elif anonParams:
+                cipherSuites += CipherSuite.getEcdhAnonSuites(settings)
+                cipherSuites += CipherSuite.getAnonSuites(settings)
+            else:
+                assert False
 
         # Add any SCSVs. These are not real cipher suites, but signaling
         # values which reuse the cipher suite field in the ClientHello.
 
@@ -0,0 +1,95 @@
+Metadata-Version: 2.4
+Name: tlslite-ng
+Version: 0.9.0b1
+Summary: Pure python implementation of SSL and TLS.
+Home-page: https://github.com/tlsfuzzer/tlslite-ng
+Author: Alicja Kario
+Author-email: [email protected]
+License: LGPLv2
+Keywords: ssl,tls,pure-python
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 2
+Classifier: Programming Language :: Python :: 2.6
+Classifier: Programming Language :: Python :: 2.7
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Topic :: System :: Networking
+Obsoletes: tlslite
+Requires-Python: >=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*, !=3.6.*
+License-File: LICENSE
+Requires-Dist: ecdsa>=0.18.0b1
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: home-page
+Dynamic: keywords
+Dynamic: license
+Dynamic: license-file
+Dynamic: obsoletes
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+tlslite-ng is a pure python implementation of SSLv3.0, TLS 1.0, TLS 1.1,
+TLS 1.2 and TLS 1.3 protocols.
+
+It can use pycrypto, m2crypto and gmp for acceleration of cryptographic
+operations but is not dependant upon them.
+
+Functionality implemented include:
+ - all above mentioned protocols, including support for client certificates
+   (RFC 6101, RFC 2246, RFC 4346, RFC 5246, RFC 8446 - not complete)
+ - RSA, RSA-PSS, DSA, and ECDSA certificates
+ - RC4, 3DES-CBC, AES-CBC, AES-GCM, AES-CCM, AES-CCM_8 and ChaCha20 ciphers
+   (RFC 5246, RFC 6347, RFC 4492, RFC 5288, RFC 5289, RFC 7539, RFC 7905,
+   RFC 6655, RFC 7251)
+ - MD5, SHA1, SHA256 and SHA384 HMACs as well as AEAD mode of operation with
+   GCM or Poly1305 authenticator
+ - RSA, DHE_RSA, DHE_DSS, ECDHE_RSA, ECDHE_ECDSA key exchange
+ - full set of signature hashes (md5, sha1, sha224, sha256, sha384, sha512,
+   rsa_pss_rsae_sha256, rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512) for
+   ServerKeyExchange and CertfificateVerify
+ - secp256r1, secp384r1, secp521r1, secp256k1, secp224r1 and secp192r1 curves
+   for ECDHE key exchange (support for last two depends on the version of ecdsa
+   library used)
+ - x25519 and x448 curves for ECDHE key exchage (RFC 7748. RFC 4492bis)
+ - anonymous DHE key exchange
+ - anonymous ECDH key exchange
+ - PSK and PSK-DH key exchange in TLS 1.3
+ - session ticket based resumption (RFC 5077) and in TLS 1.3
+ - post-handshake client authentication in TLS 1.3
+ - NULL encryption ciphersuites
+ - FALLBACK_SCSV (RFC 7507)
+ - encrypt-then-MAC mode of operation for CBC ciphersuites (RFC 7366)
+ - TACK certificate pinning
+ - SRP_SHA_RSA and SRP_SHA ciphersuites (RFC 5054)
+ - Extended Master Secret calculation for TLS connections (RFC 7627)
+ - padding extension (RFC 7685)
+ - Keying material exporter (RFC 5705)
+ - Next Protocol Negotiation
+ - Application-Layer Protocol Negotiation Extension (RFC 7301)
+ - FFDHE prime/group negotiation (RFC 7919)
+ - Heartbeat Extension (RFC 6520)
+ - Record Size Limit (RFC 8449)
+ - TLS Certificate Compression (RFC 8879)
+ - Hybrid ML-KEM key exchage groups (draft-kwiatkowski-tls-ecdhe-mlkem-02)
+ - support for Brainpool curves in TLS 1.2 and TLS 1.3
+ - Delegated Credentials (RFC 9345)
+ - ML-DSA certificates suppport (draft-ietf-tls-mldsa-00)
+
+
+tlslite-ng aims to be a drop-in replacement for tlslite while providing more
+comprehensive set of features and more secure defaults.
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`#`
`5`	`5`	`# See the LICENSE file for legal information regarding use of this file.`
`6`	`6`
`7`		`-__version__ = "0.9.0b1"`
	`7`	`+__version__ = "0.9.0b2"`
`8`	`8`	`# the whole module is about importing most commonly used methods, for use`
`9`	`9`	`# by other applications`
`10`	`10`	`# pylint: disable=unused-import`