Egor
Egor
In logs on server i have this: 771,49172-53-49171-47-49196-49195-49200-157-49199-156,10-11-13-23-0-65281 771,49172-53-49171-47-49196-49195-49200-157-49199-156,10-11-13-23-0-65281,23-24-25-9-10-11-12-13-14-22,0 when http_ssl_ja3 == 0
I tried caching ja3 at the connection level in nginx module, but it does not work: ja3 changed only after reconnect tcp session. and when I tried to cache it,...
@phuslu i test localy - groups and formats present after reconnect - so origin bug is fixed. But - there are some difference from https://github.com/open-ch/ja3: ``` 772,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,65281-0-11-10-35-5-16-18-23-13-43-45-51-27-17513,29-23-24,0 #phuslu/nginx-ssl-fingerprint 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0 #open-ch/ja3...
attach pcap file [pcap.pcap.zip](https://github.com/phuslu/nginx-ssl-fingerprint/files/9215097/the.pcap.pcap.zip)
@phuslu on production catch segfault :( nginx[184475]: segfault at 78 ip 000055b0f3d54ea4 sp 00007ffc732f71c8 error 4 in nginx[55b0f3c85000+2aa000]
``` 2022/07/29 12:54:19 [debug] 237797#237797: *1558 SSL ALPN supported by client: h2 2022/07/29 12:54:19 [debug] 237797#237797: *1558 SSL ALPN supported by client: http/1.1 2022/07/29 12:54:19 [debug] 237797#237797: *1558 SSL ALPN...
Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000558e679ddf54 in ngx_http_ssl_fingerprint_hash (r=0x558e6bba1050, v=0x558e6f947220, data=0) at /usr/src/ja3-phuslu-r2/nginx-ssl-fingerprint/src/ngx_http_ssl_fingerprint_module.c:86 warning: Source file is more recent than executable. 86 v->data = r->connection->ssl->fp_ja3_md5.data;
local test: [pcap.pcap.zip](https://github.com/phuslu/nginx-ssl-fingerprint/files/9224143/pcap.pcap.zip) #### first request in pcap is curl ``` 771,49200-49196-49192-49188-49172-49162-159-107-57-52393-52392-52394-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49169-49159-5-4-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0 # phuslu/nginx-ssl-fingerprint 771,49200-49196-49192-49188-49172-49162-159-107-57-52393-52392-52394-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49169-49159-5-4-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0 # open-ch/ja3 771,49200-49196-49192-49188-49172-49162-159-107-57-52393-52392-52394-65413-196-136-129-157-61-53-192-132-49199-49195-49191-49187-49171-49161-158-103-51-190-69-156-60-47-186-65-49169-49159-5-4-49170-49160-22-10-255,0-11-10-13-16,29-23-24,0 # wireshark ``` result: all ok #### next requests are chrome macos...
now localy - ja3 provided by nginx-ssl-fingerprint mathes ja3 provided by open-ch/ja3 and wireshark so, i suggest waiting for production tests on Monday
and i wanna play with https://github.com/tlsfuzzer/tlsfuzzer to to make sure there is no SIGSEGV