fingerprint - JA3\4

[amitnos123]

• I have looked for existing issues (including closed) about this

Feature Request

Motivation

This is a fingerprint algorithm.
While partly used for targeted ads,
It also used for security reasons.
Cloudflare blog on the subject.

Proposal

JA3 - HTTP
JA4 - HTTPS

JA4 was implemented by FoxIO.

I saw in the example low level rustls has low level access to TLS to implement JA4.
To implement it, do need to use set_client_hello_callback, which uses unsafe code.

The idea is to also push JA4 into the request.
Later in the Axum application could use it.

Sorry, if it's too much or unfit.
I requesting because I learned Rust only a few months ago.
Hence, I fear my rust level isn't good enough

[mladedav]

From what I've gathered, both JA3 and JA4 are TLS fignerprinting mechanisms with the former being pretty much deprecated by changes in clients, so only JA4 makes sense to talk about.

I don't think we want to add more support for low level usage. Specifically, if you need to call an unsafe function for your use case here, I don't think we should wrap it in any way.

As for supporting this in the higher level APIs, I wonder if we can implement a Listener and Connected such that it would be possible to get the info you're after. If it's possible, I think that could become a nice example and possibly become a preferred way to use rustls over the example you linked, but this might take some time so I'd suggest for your usecase to try and use the older example.

[amitnos123]

Thx

For my case, I think I can manage.

I do like the idea of Listener and Connected.

My idea wasn't to implement more code into Axum,
but create an example of implementing JA4 or set_client_hello_callback.
I do understand the part of unsafe.

In order to implement JA4, from what I understood, just need the package data before it's consumed.
Then, if there is a way to clone that data, and via API interact with it. I think it would be a good way to implement it.

In the end, I don't need it. I would be nice, with it I don't need it.
Hence, I don't care about priority or time on it.

[amitnos123]

@mladedav
I did some digging in
Rustls
I think I may found a way to bypass the unsafe part elegantly

rustls::server::Acceptor::client_hello()

Using this function.
We can get access to client_hello data without the need to interact with unsafe code.

Acceptor struct
ClientHello struct

[amitnos123]

From doing some more digging

OpenSSL may be a better way.
While OpenSSL is less safe, it does give access to whole information to generate JA4.

[amitnos123]

Rustls can't generate JA4
as ClientHello doesn't expose enough data.

This is the discussion I had in Rustls Github.