The program needs to ignore GREASE values anywhere it sees them: (https://datatracker.ietf.org/doc/html/draft-davidben-tls-grease-01#page-5)
24
24
25
-
### QUIC:
25
+
### QUIC and DTLS:
26
+
“q”, "d" or “t”, denotes whether the hello packet is for QUIC, DTLS, or normal TLS.
27
+
26
28
https://en.wikipedia.org/wiki/QUIC
27
-
“q” or “t”, which denotes whether the hello packet is for QUIC or TCP. QUIC is the protocol which the new HTTP/3 standard utilizes, encapsulating TLS 1.3 into UDP packets. As QUIC was developed by Google, if an organization heavily utilizes Google products, QUIC could make up half of their network traffic, so this is important to capture.
29
+
QUIC is the protocol which the new HTTP/3 standard utilizes, encapsulating TLS 1.3 into UDP packets. As QUIC was developed by Google, if an organization heavily utilizes Google products, QUIC could make up half of their network traffic, so this is important to capture.
DTLS is a version of TLS that can operate over UDP or SCTP.
28
33
29
-
If the protocol is QUIC then the first character of the fingerprint is “q” if not, it’s “t”.
34
+
If the protocol is QUIC then the first character of the fingerprint is “q”, if DTLS it is "d", else it is “t”.
30
35
31
-
### TLS Version:
32
-
TLS version is shown in 3 different places. If extension 0x002b exists (supported_versions), then the version is the highest value in the extension. Remember to ignore GREASE values. If the extension doesn’t exist, then the TLS version is the value of the Protocol Version. Handshake version (located at the top of the packet) should be ignored.
36
+
### TLS and DTLS Version:
37
+
The TLS version is shown in 3 different places. If extension 0x002b exists (supported_versions), then the version is the highest value in the extension. Remember to ignore GREASE values. If the extension doesn’t exist, then the TLS version is the value of the Protocol Version. Handshake version (located at the top of the packet) should be ignored.
33
38
34
39
0x0304 = TLS 1.3 = “13”
35
40
0x0303 = TLS 1.2 = “12”
36
41
0x0302 = TLS 1.1 = “11”
37
42
0x0301 = TLS 1.0 = “10”
38
43
0x0300 = SSL 3.0 = “s3”
39
-
0x0200 = SSL 2.0 = “s2”
40
-
0x0100 = SSL 1.0 = “s1”
44
+
0x0002 = SSL 2.0 = “s2”
45
+
0xfeff = DTLS 1.0 = "d1"
46
+
0xfefd = DTLS 1.2 = "d2"
47
+
0xfefc = DTLS 1.3 = "d3"
41
48
42
49
Unknown = “00”
43
50
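Review bot: with DTLS values now in the table, the supported_versions sentence ("the version is the highest value in the extension") selects the wrong version for DTLS, because DTLS version numbers run backwards: 0xfeff is DTLS 1.0, 0xfefd is DTLS 1.2 and 0xfefc is DTLS 1.3, so the numerically highest entry is the oldest one and a ClientHello offering `0xfefc,0xfefd` would be fingerprinted "d1" instead of "d3". Suggest "the newest version listed in the extension", with one sentence noting that DTLS versions are ordered by decreasing value (map each entry through the table before comparing). The rest of the table is right: an SSL 2.0 CLIENT-HELLO carries version 0x0002, SSL 1.0 was never deployed, 0xfeff/0xfefd/0xfefc match the DTLS RFCs and there is no DTLS 1.1. Minor: the new sentence writes “q”, "d" or “t” with curly quotes around q and t but straight quotes around d (same in the "else it is" sentence); pick one style, since this text is quoted verbatim by the compliance specs.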
@@ -51,16 +58,21 @@ If the SNI extension (0x0000) exists, then the destination of the connection is
51
58
Same as counting ciphers. Ignore GREASE. Include SNI and ALPN.
52
59
53
60
### ALPN Extension Value:
54
-
The first and last characters of the ALPN (Application-Layer Protocol Negotiation) first value.
61
+
The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value.
55
62
List of possible ALPN Values (scroll down): https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
56
63
57
-
58
-
59
-
In the above example, the first ALPN value is h2 so the first and last characters to use in the fingerprint are “h2”. IF the first ALPN listed was http/1.1 then the first and last characters to use in the fingerprint would be “h1”.
64
+
In the above example, the first ALPN value is h2 so the first and last characters to use in the fingerprint are “h2”. If the first ALPN listed was http/1.1 then the first and last characters to use in the fingerprint would be “h1”.
60
65
61
66
In Wireshark this field is located under tls.handshake.extensions_alpn_str
62
67
63
-
If there are no ALPN values or no ALPN extension then we print “00” as the value in the fingerprint.
68
+
If there is no ALPN extension, no ALPN values, or the first ALPN value is empty, then we print "00" as the value in the fingerprint. If the first ALPN value is only a single character, then that character is treated as both the first and last character.
69
+
70
+
If the first or last byte of the first ALPN is non-alphanumeric (meaning not `0x30-0x39`, `0x41-0x5A`, or `0x61-0x7A`), then we print the first and last characters of the hex representation of the first ALPN instead. For example:
71
+
* `0xAB` would be printed as "ab"
72
+
* `0xAB 0xCD` would be printed as "ad"
73
+
* `0x30 0xAB` would be printed as "3b"
74
+
* `0x30 0x31 0xAB 0xCD` would be printed as "3d"
75
+
* `0x30 0xAB 0xCD 0x31` would be printed as "01"
64
76
65
77
### Cipher hash:
66
78
A 12 character truncated sha256 hash of the list of ciphers sorted in hex order, first 12 characters. The list is created using the 4 character hex values of the ciphers, lower case, comma delimited, ignoring GREASE.
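Review bot: in the ALPN section above, the lead sentence "The first and last alphanumeric characters of the ... first value" reads as though non-alphanumeric characters are skipped over, but the new paragraph specifies something different: when either the first or the last byte is outside `0x30-0x39`, `0x41-0x5A`, `0x61-0x7A`, the whole value is re-encoded as hex and the first and last hex digits are taken (`0x30 0xAB` gives "3b", not "0" followed by a later letter). Suggest wording the lead sentence to match, e.g. "The first and last characters of the first ALPN value, or of its lowercase hex encoding when either of those bytes is not alphanumeric", and saying explicitly that the hex is lowercase, which the examples assume ("ab", "3d"). The lead sentence is quoted verbatim as a MUST in the alpn-extension-value.toml spec file, so the two need to change together.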
If there are no ciphers in the sorted cipher list, then the value of JA4_b is set to `000000000000`
89
+
We do this rather than running a sha256 hash of nothing as this makes it clear to the user when a field has no values.
90
+
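Review bot: the added sentence explains the `000000000000` sentinel for an empty cipher list, but the extension hash section that follows states no equivalent rule, so an implementation is left to guess whether an empty extension list yields the same sentinel or a hash. Suggest stating the rule once for both hashes, and naming the tell-tale value: sha256 of the empty string truncated to 12 characters is `e3b0c44298fc`, so an implementation that emits that in the _b_ (or _c_) position is hashing nothing.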
76
91
### Extension hash:
77
92
A 12 character truncated sha256 hash of the list of extensions, sorted by hex value, followed by the list of signature algorithms, in the order that they appear (not sorted).
78
93
79
-
The extension list is created using the 4 character hex values of the extensions, lower case, comma delimited, sorted (not in the order they appear). Ignore the SNI extension (0000) and the ALPN extension (0010) as we’ve already captured them in the _a_ section of the fingerprint. These values are omitted so that the same application would have the same _b_ section of the fingerprint regardless of if it were going to a domain, IP, or changing ALPNs.
94
+
The extension list is created using the 4 character hex values of the extensions, lower case, comma delimited, sorted (not in the order they appear). Ignore the SNI extension (0000) and the ALPN extension (0010) as we’ve already captured them in the _a_ section of the fingerprint. These values are omitted so that the same application would have the same _c_ section of the fingerprint regardless of if it were going to a domain, IP, or changing ALPNs.
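Review bot: _b_ to _c_ is the right fix (the cipher section calls its hash JA4_b, so the extension hash is the _c_ section), but the same sentence still does not say that GREASE extensions and GREASE signature algorithms are dropped before hashing; the cipher hash paragraph says "ignoring GREASE" explicitly and the extension count says "Ignore GREASE", and only the introductory "ignore GREASE values anywhere" line covers this section. Suggest "... comma delimited, sorted (not in the order they appear), ignoring GREASE", so the rule is local to the section a compliance quote will be taken from.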
# The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value.
6
+
# List of possible ALPN Values (scroll down): https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
7
+
#
8
+
# In the above example, the first ALPN value is h2 so the first and last characters to use in the fingerprint are “h2”. If the first ALPN listed was http/1.1 then the first and last characters to use in the fingerprint would be “h1”.
9
+
#
10
+
# In Wireshark this field is located under tls.handshake.extensions_alpn_str
11
+
#
12
+
# If there is no ALPN extension, no ALPN values, or the first ALPN value is empty, then we print "00" as the value in the fingerprint. If the first ALPN value is only a single character, then that character is treated as both the first and last character.
13
+
#
14
+
# If the first or last byte of the first ALPN is non-alphanumeric (meaning not `0x30-0x39`, `0x41-0x5A`, or `0x61-0x7A`), then we print the first and last characters of the hex representation of the first ALPN instead. For example:
15
+
# * `0xAB` would be printed as "ab"
16
+
# * `0xAB 0xCD` would be printed as "ad"
17
+
# * `0x30 0xAB` would be printed as "3b"
18
+
# * `0x30 0x31 0xAB 0xCD` would be printed as "3d"
19
+
# * `0x30 0xAB 0xCD 0x31` would be printed as "01"
20
+
#
21
+
22
+
[[spec]]
23
+
level = "MUST"
24
+
quote = '''
25
+
The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value.
26
+
'''
27
+
28
+
[[spec]]
29
+
level = "MUST"
30
+
quote = '''
31
+
If there is no ALPN extension, no ALPN values, or the first ALPN value is empty, then we print "00" as the value in the fingerprint.
32
+
'''
33
+
34
+
[[spec]]
35
+
level = "MUST"
36
+
quote = '''
37
+
If the first ALPN value is only a single character, then that character is treated as both the first and last character.
38
+
'''
39
+
40
+
[[spec]]
41
+
level = "MUST"
42
+
quote = '''
43
+
If the first or last byte of the first ALPN is non-alphanumeric (meaning not `0x30-0x39`, `0x41-0x5A`, or `0x61-0x7A`), then we print the first and last characters of the hex representation of the first ALPN instead.
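Review bot: the fourth [[spec]] quote ends at "instead." and drops the worked bytes that follow in the comment (`0x30 0xAB` is "3b", `0x30 0xAB 0xCD 0x31` is "01"), yet those are what pin down that the test is on the first or the last byte and that the hex path replaces the entire value rather than the offending byte. Suggest either extending the quote through the examples or keeping them as test vectors beside the spec file. Splitting the "00" rule and the single-character rule into two MUST entries is fine as long as each quote stays a verbatim substring of the markdown, which it currently is.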
# A 12 character truncated sha256 hash of the list of ciphers sorted in hex order, first 12 characters. The list is created using the 4 character hex values of the ciphers, lower case, comma delimited, ignoring GREASE.
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/extension-hash.toml
# A 12 character truncated sha256 hash of the list of extensions, sorted by hex value, followed by the list of signature algorithms, in the order that they appear (not sorted).
6
6
#
7
-
# The extension list is created using the 4 character hex values of the extensions, lower case, comma delimited, sorted (not in the order they appear). Ignore the SNI extension (0000) and the ALPN extension (0010) as we’ve already captured them in the _a_ section of the fingerprint. These values are omitted so that the same application would have the same _b_ section of the fingerprint regardless of if it were going to a domain, IP, or changing ALPNs.
7
+
# The extension list is created using the 4 character hex values of the extensions, lower case, comma delimited, sorted (not in the order they appear). Ignore the SNI extension (0000) and the ALPN extension (0010) as we’ve already captured them in the _a_ section of the fingerprint. These values are omitted so that the same application would have the same _c_ section of the fingerprint regardless of if it were going to a domain, IP, or changing ALPNs.
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/ja4-tls-client-fingerprinting.toml
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/number-of-ciphers.toml
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/number-of-extensions.toml
# “q”, "d" or “t”, denotes whether the hello packet is for QUIC, DTLS, or normal TLS.
5
+
#
6
+
# https://en.wikipedia.org/wiki/QUIC
7
+
# QUIC is the protocol which the new HTTP/3 standard utilizes, encapsulating TLS 1.3 into UDP packets. As QUIC was developed by Google, if an organization heavily utilizes Google products, QUIC could make up half of their network traffic, so this is important to capture.
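Review bot: of the four added comment lines only the first ("q", "d" or "t" denotes ...) is normative; the Wikipedia link and the paragraph on Google traffic share are informative and add nothing a compliance checker can use. Suggest keeping just the first sentence plus the assignment rule (q for QUIC, d for DTLS, else t), and making the quote characters in that sentence consistent (curly around q and t, straight around "d") before it is quoted as a MUST.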
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/df3c067/technical_details/JA4/tls-and-dtls-version.toml
# TLS version is shown in 3 different places. If extension 0x002b exists (supported_versions), then the version is the highest value in the extension. Remember to ignore GREASE values. If the extension doesn’t exist, then the TLS version is the value of the Protocol Version. Handshake version (located at the top of the packet) should be ignored.
3
+
# ### TLS and DTLS Version:
4
+
# The TLS version is shown in 3 different places. If extension 0x002b exists (supported_versions), then the version is the highest value in the extension. Remember to ignore GREASE values. If the extension doesn’t exist, then the TLS version is the value of the Protocol Version. Handshake version (located at the top of the packet) should be ignored.
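Review bot: the added comment keeps "the version is the highest value in the extension" although the file is now named for TLS and DTLS; taken as a MUST this selects DTLS 1.0 (0xfeff) over DTLS 1.3 (0xfefc), since DTLS version numbers decrease for newer versions. Suggest "the newest version listed" with the DTLS ordering called out, matching whatever wording lands in the markdown source.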
compliance/specs/raw.githubusercontent.com/FoxIO-LLC/ja4/v0.18.2/technical_details/JA4/alpn-extension-value.toml