TLS dissector incorrectly reports JA3 values
Summary
The JA3 string produced by Wireshark incorrectly includes the GREASE values. As per the original JA3 authors, GREASE values should be excluded.
Steps to reproduce
View the reported JA3 value in any TLS ClientHello initiated from Google Chrome.
What is the current bug behavior?
The reported JA3 is incorrect.
What is the expected correct behavior?
The JA3 is correct.
Relevant logs and/or screenshots
Attached is a TLS ClientHello frame. I also have an external JA3 plugin installed, which reports under the heading "ja3/ja3s TLS/SSL fingerprint". Comparing the JA3 full string reported by Wireshark and by the plugin, it can be seen that the values are different, and the main distinction is that the Wireshark JA3 incorrectly includes GREASE fields.
Frame 752: 574 bytes on wire (4592 bits), 574 bytes captured (4592 bits) on interface \Device\NPF_{529F3D92-C22B-4F2E-84F9-D02B9D5BD770}, id 0
Ethernet II, Src: Giga-Byt_e3:1f:a0 (40:8d:5c:e3:1f:a0), Dst: 02:00:00:00:00:04 (02:00:00:00:00:04)
Internet Protocol Version 4, Src: 192.168.0.26, Dst: 160.85.255.180
Transmission Control Protocol, Src Port: 63891, Dst Port: 443, Seq: 1, Ack: 1, Len: 520
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 515
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 511
Version: TLS 1.2 (0x0303)
Random: c012b160c4ab45bebb113323207e489c18a066158df1ec4a4f25177b240b21bc
Session ID Length: 32
Session ID: cdfea557788dabf63cca7b9ecfc5286b11e00b50d85015550bfbc21042cb9fd3
Cipher Suites Length: 32
Cipher Suites (16 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 406
Extension: Reserved (GREASE) (len=0)
Extension: server_name (len=14)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
Extension: supported_groups (len=10)
Extension: ec_point_formats (len=2)
Extension: session_ticket (len=208)
Extension: application_layer_protocol_negotiation (len=14)
Extension: status_request (len=5)
Extension: signature_algorithms (len=18)
Extension: signed_certificate_timestamp (len=0)
Extension: key_share (len=43)
Extension: psk_key_exchange_modes (len=2)
Extension: supported_versions (len=7)
Extension: compress_certificate (len=3)
Extension: application_settings (len=5)
Extension: Reserved (GREASE) (len=1)
Extension: padding (len=1)
[JA3 Fullstring: 771,19018-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23130-0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-10794-21,64250-29-23-24,0]
[JA3: a6b22827ed4d3f68f19bca25645a53e9]
ja3/ja3s TLS/SSL fingerprint
ja3 full: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-21,29-23-24,0
ja3 hash: cd08e31494f9531f560d64c695473da9
ja3 hash_ignored_padding: e1d8b04eeb8ef3954ec4f49267a783ef
ja3 full_ignored_padding: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0
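As an added illustration (not part of this report, and not Wireshark's or the plugin's code), the following Python rebuilds both full strings above from the dissected ClientHello values, first as Wireshark 3.6.2 emits them and then with the RFC 8701 GREASE values stripped as the JA3 authors specify. The CLIENT_HELLO dict is constructed from the dissection output shown; the padding-ignoring variant mirrors the plugin's "ignored_padding" fields.

```python
import hashlib

# Constructed from the dissection above: raw ClientHello field values,
# including the GREASE placeholders Chrome inserts in each list.
CLIENT_HELLO = {
    "version": 771,  # 0x0303 from the handshake header
    "ciphers": [19018, 4865, 4866, 4867, 49195, 49199, 49196, 49200,
                52393, 52392, 49171, 49172, 156, 157, 47, 53],
    "extensions": [23130, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51,
                   45, 43, 27, 17513, 10794, 21],
    "groups": [64250, 29, 23, 24],
    "ec_point_formats": [0],
}

PADDING_EXTENSION = 21  # extension type of "padding"


def is_grease(value):
    """RFC 8701 GREASE values are 0x?a?a with both bytes equal (0x0a0a..0xfafa)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_full(hello, strip_grease=True, ignore_padding=False):
    """Build the JA3 full string: fields joined by ',', values by '-'.

    strip_grease=False reproduces the buggy Wireshark output; the default
    follows the JA3 specification and drops GREASE from every list.
    """
    def keep(v):
        return not (strip_grease and is_grease(v))

    ciphers = [v for v in hello["ciphers"] if keep(v)]
    exts = [v for v in hello["extensions"] if keep(v)]
    if ignore_padding:
        exts = [v for v in exts if v != PADDING_EXTENSION]
    groups = [v for v in hello["groups"] if keep(v)]
    fmts = hello["ec_point_formats"]
    lists = (ciphers, exts, groups, fmts)
    return ",".join([str(hello["version"])] + ["-".join(map(str, l)) for l in lists])


def ja3_hash(full_string):
    """The JA3 fingerprint is the MD5 hex digest of the full string."""
    return hashlib.md5(full_string.encode("ascii")).hexdigest()
```

The plugin output above lists cd08e31494f9531f560d64c695473da9 for the GREASE-free string, which is what ja3_hash(ja3_full(CLIENT_HELLO)) should reproduce; the four values removed are 0x4a4a, 0x5a5a, 0x2a2a and 0xfafa.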
Build information
3.6.2 (v3.6.2-0-g626020d9b3c3)
Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.29, build 30139),
with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip.
Running on 64-bit Windows 10 (21H1), build 19043, with Intel(R) Core(TM) i3-6100
CPU @ 3.70GHz (with SSE4.2), with 32724 MB of physical memory, with GLib 2.66.4,
with Qt 5.15.2, with Npcap version 1.55, based on libpcap version
1.10.2-PRE-GIT, with c-ares 1.17.0, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with
nghttp2 1.44.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.4.0, without
AirPcap, with light display mode, without HiDPI, with
LC_TYPE=English_Canada.utf8, binary plugins supported (21 loaded).