JA4 with QUIC seems broken on 3.3.1

[WRMSRwasTaken]

Hi!

Thanks for the project, I am currently running it in production for quite a while now for bot fingerprinting, but I am seeing wrong fingerprint for HTTP/3 / QUIC clients.

On Windows 10 with LibreWolf 146.0.1-1, https://browserleaks.com/quic is giving me the following hashes:

JA4: q13d0314h3_55b375c5d22e_1ecea7cb6ec1
JA4_r: q13d0314h3_1301,1302,1303_0005,000a,000d,0017,001b,001c,0022,002b,0033,0039,fe0d,ff01_0403,0503,0603,0203,0804,0805,0806,0401,0501,0601,0201

but HAProxy is giving me:

JA4: d00d0000h3_74c887e210ea_8e2f6cc4d42a
JA4R: d_00_d_00_00_h3_0000,0000,0000,0000_0000,0000,0000_0000,0000,0000,0000

Looking at the raw string, it seems to be way too short. The fingerprints for TCP seem to be correct.

It was working in the past because I have the JA4 q13d0311h3_55b375c5d22e_df5b9e597968 for quic-go listed in my database, which came from the script, but I am unsure when it stopped working (which is unrelated to any updates to the Lua script), but I did update HAProxy and also OpenSSL and switched for a while to aws-lc (and then back).

Output of haproxy -vv:

HAProxy version 3.3.1-9c24c11 2025/12/19 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-3.3.1.html
Running on: Linux 6.17.11-hardened1-1-hardened #1 SMP PREEMPT_DYNAMIC Thu, 11 Dec 2025 22:55:23 +0000 x86_64
Build options : 
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv -fvect-cost-model=very-cheap -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -flto=auto -fwrapv
  OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
  DEBUG   = 

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ECH -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +KTLS -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=64).
Built with SSL library version : OpenSSL 3.6.0 1 Oct 2025
Running on SSL library version : OpenSSL 3.6.0 1 Oct 2025
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
QUIC: connection sock-per-conn mode support : yes
QUIC: GSO emission support : yes
Built with Lua version : Lua 5.4.8
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with zlib version : 1.3.1
Running on zlib version : 1.3.1
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.47 2025-10-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 15.2.1 20251112

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE|BE  mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
       spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
  <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=

Available services : prometheus-exporter
Available filters :
	[BWLIM] bwlim-in
	[BWLIM] bwlim-out
	[CACHE] cache
	[COMP] compression
	[FCGI] fcgi-app
	[SPOE] spoe
	[TRACE] trace

The related config bits are:

    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-curves X448:X25519:P-256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-mode-async
    tune.ssl.capture-buffer-size 192
    tune.lua.bool-sample-conversion normal
    lua-load /etc/haproxy/lua/ja4.lua

At first glance, this looks like an internal change in haproxy (to the fetches?) leading to a wrong output because the code takes a wrong path? I'll take a closer look at the fetches once I find time. It's not the tune.lua.bool-sample-conversion switch, I already tried this set to pre-3.1-bug.

[WRMSRwasTaken]

Oh, txn.f:ssl_fc_protocol_hello_id() is returning nil instead of an integer for QUIC connections. So this might be a HAProxy bug?

I've posted it in haproxy/haproxy#2495 and will see what the Response from the HAProxy devs is, so this might actually not be an issue here in the Lua code.

[superstes]

Thank you for reporting this.

I have also seen QUIC working previously.
If I find time the next days I will test it with multiple versions and AWS-LC/OpenSSL 👍

[WRMSRwasTaken]

It might have broke with the new ncbmbuf implementation introduced in 3.3-dev11. I'll see the next days if running 3.3-dev10 makes it work again.

[Fijxu]

Hi, it actually broke in v3.3-dev14. v3.3-dev13 v3.3-dev12 v3.3-dev11 v3.3-dev10 and so on do not have this problem ^^

I bisected between v3.3-dev14 (bad) and v3.3-dev13 (good) and I have found that commit haproxy/haproxy@fab7da0 introduces this bug, ssl_fc_protocol_hello_id returns nil in HTTP/3 connections

I doubt the SSL library used has anything to do with this

[WRMSRwasTaken]

Oh thanks for the bisect, I have to admit that I lost track of this one due to private reasons...

Mind posting this result in haproxy/haproxy#2495 ?

[Fijxu]

I made a probably not recommended to apply patch that "fixes" this issue for HAProxy 3.3.1:

From f6e1d8ab9c7c4313ba29dc52654469367edbdeab Mon Sep 17 00:00:00 2001
From: Fijxu <fijxu@nadeko.net>
Date: Sat, 17 Jan 2026 17:41:51 -0300
Subject: [PATCH] comment undesired return for QUIC connections or something

---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6f3c88d1d..90d8329bf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2161,8 +2161,8 @@ static __maybe_unused void ssl_sock_msgcbk(int write_p, int version, int content
 	/* The connection be NULL only for QUIC which does not free its SSL object
 	 * as this done for TCP.
 	 */
-	if (!conn)
-		return;
+	// if (!conn)
+	// 	return;
 
 	/* Try to call all callback functions that were registered by using
 	 * ssl_sock_register_msg_callback().
-- 
2.52.0

Now the JA4 calculation works fine for QUIC connections

0001-comment-undesired-return-for-QUIC-connections-or-som.patch

---

Oh thanks for the bisect, I have to admit that I lost track of this one due to private reasons...

Mind posting this result in haproxy/haproxy#2495 ?

Done ^^