Project

General

Profile

Actions

Bug #6634

open

Invalid ja3 due to double client hello

Added by Eric Leblond 4 months ago. Updated about 1 month ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
medium
Difficulty:
Label:

Description

Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.

The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.

Actions #1

Updated by Eric Leblond 4 months ago

  • Affected Versions 7.0.1 added
  • Affected Versions deleted (7.0.0)
Actions #3

Updated by Victor Julien 4 months ago

Can you share a pcap / SV test for this?

Actions #4

Updated by Gianni Tedesco about 1 month ago

Can confirm we are seeing exactly this problem on approx 0.005% of TLS sessions

Actions #5

Updated by Gianni Tedesco about 1 month ago

I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"

Actions #6

Updated by Gianni Tedesco about 1 month ago

And another discrepancy, which I am not sure about and investigating a bit more is that, sometimes the EVE JSON reports "TLS 1.3", but both ja3-strings are saying 771 (TLS 1.2). Not sure why this is.

Actions

Also available in: Atom PDF