
Use client cipher suites for server

Open chribro88 opened this issue 3 years ago • 1 comments

Hello,

I'm trying to mirror the client's given cipher suites for the proxy to provide to the server.

There are two roadblocks I'm getting stuck at.

  1. Obtaining the client's provided cipher suites. What I can obtain is the accepted cipher through the onRequest hook and ctx.clientToProxyRequest.client.getCipher().
  2. Providing the cipher suites to the server (ctx.proxyToServerRequestOptions.agent.options.cipher) without the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher being automatically appended to the list. I've also tried setting require('constants').SSL_OP_NO_RENEGOTIATION for secureOptions, but it still occurs.

Potentially (2) might require OpenSSL to be patched, as suggested here: https://stackoverflow.com/questions/35254883/avoid-sending-tls-empty-renegotiation-info-scsv-cipher-in-tls-client-hello

Hoping someone with a better understanding than myself can point me in the right direction 😁

Cheers!

chribro88, Dec 13 '22 00:12
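Both roadblocks in the question come down to the raw ClientHello: the negotiated cipher from getCipher() is one suite, but the full offered list only exists in the first record the client writes. The block below is an added example, not code from this issue or from node-http-mitm-proxy. It parses the cipher_suites field out of a ClientHello record (RFC 5246 / RFC 8446 layout), drops GREASE values and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and maps the code points to the names Node's `ciphers` option takes. Assumptions: that you can obtain the client's first bytes before the TLS handshake starts (the thread does not show how the proxy exposes them), and the IANA-to-OpenSSL name table, which is a subset I supply here; code points outside it are reported as unknown rather than guessed. The sample ClientHello is constructed, not captured.

```javascript
'use strict';

// IANA code point -> OpenSSL cipher name, for a subset of common suites (the
// IANA names are in the comments). TLS 1.3 suites keep their IANA names, since
// Node moves "TLS_"-prefixed entries of `ciphers` into OpenSSL's ciphersuites list.
const OPENSSL_NAMES = new Map([
  [0x1301, 'TLS_AES_128_GCM_SHA256'],
  [0x1302, 'TLS_AES_256_GCM_SHA384'],
  [0x1303, 'TLS_CHACHA20_POLY1305_SHA256'],
  [0xc02b, 'ECDHE-ECDSA-AES128-GCM-SHA256'], // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  [0xc02c, 'ECDHE-ECDSA-AES256-GCM-SHA384'], // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  [0xc02f, 'ECDHE-RSA-AES128-GCM-SHA256'],   // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [0xc030, 'ECDHE-RSA-AES256-GCM-SHA384'],   // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  [0xcca9, 'ECDHE-ECDSA-CHACHA20-POLY1305'], // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  [0xcca8, 'ECDHE-RSA-CHACHA20-POLY1305'],   // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  [0xc013, 'ECDHE-RSA-AES128-SHA'],          // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  [0xc014, 'ECDHE-RSA-AES256-SHA'],          // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  [0x009c, 'AES128-GCM-SHA256'],             // TLS_RSA_WITH_AES_128_GCM_SHA256
  [0x009d, 'AES256-GCM-SHA384'],             // TLS_RSA_WITH_AES_256_GCM_SHA384
  [0x002f, 'AES128-SHA'],                    // TLS_RSA_WITH_AES_128_CBC_SHA
  [0x0035, 'AES256-SHA'],                    // TLS_RSA_WITH_AES_256_CBC_SHA
]);
const SCSV_RENEGOTIATION = 0x00ff; // TLS_EMPTY_RENEGOTIATION_INFO_SCSV, not a real cipher

// RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa). Browsers insert one at
// random; it must not be forwarded to the server as if it were a cipher.
function isGrease(v) {
  return (v >> 8) === (v & 0xff) && (v & 0x0f) === 0x0a;
}

// Walk the TLS record header, handshake header and fixed ClientHello fields,
// and return the offered cipher suite code points in the client's order.
function parseClientHelloCipherSuites(buf) {
  let p = 0;
  const need = (n) => { if (p + n > buf.length) throw new Error('truncated ClientHello'); };
  need(5);
  if (buf[0] !== 0x16) throw new Error('not a TLS handshake record');
  const recordLen = buf.readUInt16BE(3);
  need(5 + recordLen);
  p = 5;
  if (buf[p] !== 0x01) throw new Error('not a ClientHello');
  const hsLen = buf.readUIntBE(p + 1, 3);
  if (hsLen > recordLen - 4) throw new Error('handshake length exceeds record');
  p += 4;
  need(35);                                        // client_version + 32-byte random + session_id length
  const legacyVersion = buf.readUInt16BE(p);
  p += 34;
  const sidLen = buf[p];
  p += 1;
  need(sidLen + 2);
  p += sidLen;                                     // skip session_id
  const csLen = buf.readUInt16BE(p);
  p += 2;
  if (csLen % 2 !== 0) throw new Error('odd cipher_suites length');
  need(csLen);
  const suites = [];
  for (let i = 0; i < csLen; i += 2) suites.push(buf.readUInt16BE(p + i));
  return { legacyVersion, suites };
}

// Turn the offered list into the colon-separated string for Node's `ciphers`
// option, stripping GREASE and the SCSV and reporting unmapped code points.
function mirrorClientCiphers(buf) {
  const { suites } = parseClientHelloCipherSuites(buf);
  const names = [];
  const unknown = [];
  let greaseDropped = 0;
  let sawScsv = false;
  for (const cp of suites) {
    if (isGrease(cp)) { greaseDropped++; continue; }
    if (cp === SCSV_RENEGOTIATION) { sawScsv = true; continue; }
    const name = OPENSSL_NAMES.get(cp);
    if (name) names.push(name);
    else unknown.push('0x' + cp.toString(16).padStart(4, '0'));
  }
  return { ciphers: names.join(':'), greaseDropped, sawScsv, unknown };
}

// Constructed sample (not a capture): one record holding a ClientHello with a
// browser-like suite list, one GREASE value and the renegotiation SCSV.
function buildClientHello(suites) {
  const cs = Buffer.alloc(2 + 2 * suites.length);
  cs.writeUInt16BE(2 * suites.length, 0);
  suites.forEach((s, i) => cs.writeUInt16BE(s, 2 + 2 * i));
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]), // client_version: TLS 1.2
    Buffer.alloc(32, 0x42),    // random (fixed for the example)
    Buffer.from([0x00]),       // empty session_id
    cs,                        // cipher_suites
    Buffer.from([0x01, 0x00]), // compression_methods: null only
    Buffer.from([0x00, 0x00]), // empty extensions block
  ]);
  const hs = Buffer.alloc(4);
  hs[0] = 0x01;                                  // HandshakeType client_hello
  hs.writeUIntBE(body.length, 1, 3);
  const rec = Buffer.alloc(5);
  rec[0] = 0x16;                                 // ContentType handshake
  rec.writeUInt16BE(0x0301, 1);                  // record-layer version
  rec.writeUInt16BE(4 + body.length, 3);
  return Buffer.concat([rec, hs, body]);
}

const SAMPLE_SUITES = [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
  0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035, 0x00ff];
const SAMPLE_CLIENT_HELLO = buildClientHello(SAMPLE_SUITES);
const SAMPLE_RESULT = mirrorClientCiphers(SAMPLE_CLIENT_HELLO);
console.log(SAMPLE_RESULT.ciphers);
```

SAMPLE_RESULT.ciphers is the value to put on the proxy-to-server options (the agent's options mentioned in the issue). Stripping the SCSV here only controls what is passed in; as the issue reports, OpenSSL re-adds TLS_EMPTY_RENEGOTIATION_INFO_SCSV to the ClientHello on its own, so the mirrored fingerprint still differs from the client's in that one suite.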

In a bit of a hacky way, I monkey-patched TLS to change the fingerprint:

const tls = require("node:tls")

const origTLSConnect = tls.connect

// Cipher suites the proxy will offer upstream, in the order the server sees them.
// Node/OpenSSL takes a colon-separated list.
const ciphers = [
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
].join(':')

// tls.connect(options[, callback]) and tls.connect(port[, host][, options][, callback])
// are both valid; only the options-object form is patched here.
tls.connect = function (...args) {
    // typeof null is 'object', so guard against a null first argument
    if (typeof args[0] === 'object' && args[0] !== null) {
        args[0].ciphers = ciphers
        // Restricts the connection to TLS 1.2 (secureProtocol is the legacy
        // option; newer Node versions prefer minVersion/maxVersion)
        args[0].secureProtocol = 'TLSv1_2_method'
    }

    return origTLSConnect.apply(this, args)
}

Just call this before initializing the proxy server.

Viiprogrammer, Jun 07 '24 23:06