ja4one, ignore padding extension

FoxIO-LLC · Jul 17, 2024 · 694467e · 694467e
1 parent 986ee92
commit 694467e
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/nginx_utils/nginx.conf b/nginx_utils/nginx.conf
@@ -39,6 +39,7 @@ http {
             return 200 "
             JA4: $http_ssl_ja4\n
             JA4 String: $http_ssl_ja4_string\n
+            JA4one: $http_ssl_ja4one\n
             JA4S: $http_ssl_ja4s\n
             JA4S String: $http_ssl_ja4s_string\n
             JA4H: $http_ssl_ja4h\n
@@ -48,7 +49,9 @@ http {
             JA4TS: $http_ssl_ja4ts\n
             JA4TS String: $http_ssl_ja4ts_string\n
             JA4X: $http_ssl_ja4x\n
-            JA4L: $http_ssl_ja4l\n";
+            JA4L: $http_ssl_ja4l\n
+            ";
+
         }
 
     }

diff --git a/src/ngx_http_ssl_ja4_module.c b/src/ngx_http_ssl_ja4_module.c
@@ -276,7 +276,7 @@ int ngx_ssl_ja4(ngx_connection_t *c, ngx_pool_t *pool, ngx_ssl_ja4_t *ja4)
                     continue;
                 }
                 // check if the extension is not a PSK extension
-                if (!ngx_ssl_ja4_is_ext_psk(c->ssl->extensions[i]))
+                if (!ngx_ssl_ja4_is_ext_dynamic(c->ssl->extensions[i]))
                 {
                     // Allocate memory for the extension string and copy it
                     ja4->extensions_no_psk[ja4->extensions_no_psk_count] = ngx_pnalloc(pool, ext_len);
@@ -811,7 +811,7 @@ void ngx_ssl_ja4one_fp(ngx_pool_t *pool, ngx_ssl_ja4_t *ja4, ngx_str_t *out)
 // assigns fp to variable
 static ngx_int_t
 ngx_http_ssl_ja4one(ngx_http_request_t *r,
-                     ngx_http_variable_value_t *v, uintptr_t data)
+                    ngx_http_variable_value_t *v, uintptr_t data)
 {
     ngx_ssl_ja4_t ja4;
     ngx_str_t fp = ngx_null_string;

diff --git a/src/ngx_http_ssl_ja4_module.h b/src/ngx_http_ssl_ja4_module.h
@@ -162,8 +162,11 @@ static const char *GREASE[] = {
     "fafa",
 };
 
-// TLS extension 41 "pre_shared_key", ignore, we care about software proxy of client not things it has done before
-static const char *EXT_IGNORE_PSK = "0029";
+// TLS extensions that clients might change from request to request
+static const char *EXT_IGNORE_DYNAMIC[] = {
+    "0029", // PRE_SHARED_KEY, session resumption
+    "0015", // PADDING, padding extension not always included
+};
 
 static const char *EXT_IGNORE[] = {
     "0010", // ALPN IGNORE
@@ -172,9 +175,17 @@ static const char *EXT_IGNORE[] = {
 
 // HELPERS
 
-static int ngx_ssl_ja4_is_ext_psk(const char *ext)
+static int ngx_ssl_ja4_is_ext_dynamic(const char *ext)
 {
-    return strcmp(ext, EXT_IGNORE_PSK) == 0;
+    size_t i;
+    for (i = 0; i < (sizeof(EXT_IGNORE_DYNAMIC) / sizeof(EXT_IGNORE_DYNAMIC[0])); ++i)
+    {
+        if (strcmp(ext, EXT_IGNORE_DYNAMIC[i]) == 0)
+        {
+            return 1;
+        }
+    }
+    return 0;
 }
 
 static int ngx_ssl_ja4_is_ext_ignored(const char *ext)