diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt
index 7b603a01f..6d7213893 100644
--- a/etc/client-simulation.txt
+++ b/etc/client-simulation.txt
@@ -2537,10 +2537,10 @@ names+=("Opera 66 (Win 10)")
 minRsaBits+=(-1)
 maxRsaBits+=(-1)
 minEcdsaBits+=(-1)
- requiresSha2+=(false)
+ requiresSha2+=(true)
 ja3+=("773906b0efdefa24a7f2b8eb6985bf37")
 ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
- current+=(true)
+ current+=(false)
 names+=("Safari 10 OS X 10.12")
 short+=("safari_10_osx1012")
@@ -2584,6 +2584,29 @@ names+=("Opera 66 (Win 10)")
 requiresSha2+=(false)
 current+=(false)
+ names+=("Safari 26.4 (iOS+iPadOS 26.4)")
+ short+=("safari_iOS_264")
+ ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+ ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+ ch_sni+=("$SNI")
+ handshakebytes+=("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")
+ protos+=("-no_ssl3 -no_ssl2")
+ tlsvers+=("-tls1_3 -tls1_2")
+ lowest_protocol+=("0x0303")
+ highest_protocol+=("0x0304")
+ alpn+=("h2,http/1.1")
+ service+=("HTTP")
+ curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+ minDhBits+=(-1)
+ maxDhBits+=(-1)
+ minRsaBits+=(-1)
+ maxRsaBits+=(-1)
+ minEcdsaBits+=(-1)
+ requiresSha2+=(false)
+ ja3+=("ecdf4f49dd59effc439639da29186671")
+ ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+ current+=(true)
+
 names+=("Safari 12.1 (macOS 10.13.6)")
 short+=("safari_121_osx_10136")
 ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
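Review bot: The added "Safari 26.4 (iOS+iPadOS 26.4)" entry has no `warning+=("")` between `ch_sni` and `handshakebytes`, while the "Safari 26.4 (macOS 26.4)" entry added later in this file does. These arrays are read by a shared index in run_client_simulation (`${names[i]}`, `${handshakebytes[i]}`), so an entry that skips one append would shift that array for every client after it; this stays harmless only while all warnings are empty, and whether the older entries carry the field is not visible here. I would add `warning+=("")` to this entry and to its copy in etc/client-simulation.wiresharked.txt (hunk -1042,6). As a smaller point, `short+=("safari_iOS_264")` does not follow the shape of the neighbouring `safari_264_osx_264`.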
@@ -2648,9 +2671,9 @@ names+=("Opera 66 (Win 10)")
 maxRsaBits+=(-1)
 minEcdsaBits+=(-1)
 requiresSha2+=(false)
- current+=(true)
+ current+=(false)
- names+=("Safari 18.4 (macOS 15.4)")
+ names+=("Safari 18.4 (macOS 15.4/iOS 18.4)")
 short+=("safari_184_osx_154")
 ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
 ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
@@ -2674,6 +2697,31 @@ names+=("Opera 66 (Win 10)")
 ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
 current+=(true)
+ names+=("Safari 26.4 (macOS 26.4)")
+ short+=("safari_264_osx_264")
+ ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+ ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+ ch_sni+=("$SNI")
+ warning+=("")
+ handshakebytes+=("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")
+ protos+=("-no_ssl3 -no_ssl2")
+ tlsvers+=("-tls1_3 -tls1_2")
+ lowest_protocol+=("0x0303")
+ highest_protocol+=("0x0304")
+ alpn+=("h2,http/1.1")
+ service+=("HTTP")
+ curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+ minDhBits+=(1024)
+ maxDhBits+=(-1)
+ minRsaBits+=(-1)
+ maxRsaBits+=(-1)
+ minEcdsaBits+=(-1)
+ requiresSha2+=(false)
+ ja3+=("000a000e000c5a5a11ec001d001700180019")
+ ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+ current+=(true)
+
+
 names+=("Apple ATS 9 iOS 9")
 short+=("apple_ats_9_ios9")
 ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md
index 8d8e11cca..715341dd0 100644
--- a/etc/client-simulation.wiresharked.md
+++ b/etc/client-simulation.wiresharked.md
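Review bot: The `ja3` and `curves` values of the added "Safari 26.4 (macOS 26.4)" entry look like a mis-paste of the raw supported_groups extension rather than derived values. `ja3+=("000a000e000c5a5a11ec001d001700180019")` is 36 hex characters and reads as extension type 0x000a, two length fields, one GREASE group and five groups, whereas the other `ja3` values on this page are 32-character hashes. The same header bytes seem to have gone through the curves conversion, which would explain the leading `sect283r1:sect571r1:sect409r1::` (0x000a, 0x000e, 0x000c and an empty GREASE slot). I would reduce the line to `curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")`, as in the iOS entry, and replace `ja3` with the hash copied from the capture; `minDhBits+=(1024)` also departs from the -1 that the iOS entry uses and the how-to recommends unless the limit is known. The copy of this entry in etc/client-simulation.wiresharked.txt (hunk -1132,4) carries the same three values.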
@@ -12,18 +12,19 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic. * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client. * Edit the *names* accordingly and the *short* description. The latter must not contain blanks. -* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* --> Copy --> As a hex stream. +* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* in wireshark --> Copy --> As a hex stream. * For *ch_ciphers*: mark *Cipher Suites* --> Copy --> As a hex stream and supply it to `~/utils/hexstream2cipher.sh`. The last line contains the ciphers which you need to copy. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. . The GREASE "ciphers" (?a?a) which you may see in the very beginning don't show up here. -* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. +* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normally like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. * For *curves* mark the *Supported Groups* TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Copy the last line into *curves*. * Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3). 
* Adjust *lowest_protocol* and *highest_protocol* accordingly (0301=TLS 1.0, 0302=TLS 1.1, 0303=TLS 1.2, 0304=TLS 1.3) -* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. +* Review TLS extension "signature_algorithm" 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle. * Retrieve *alpn* by looking at the *application_layer_protocol_negotiation* TLS extension 16 (=0x0010). -* When using wireshark, copy also the ja3 and ja4 values accordingly (copy --> value), see e.g. like *java_80442*. This could be used in the future. -* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* For ja3 and ja4: This is to uniquely identify the client handshake. Also we can consolidate client handshake section (see e.g. Android 13 = Android 14). Retrieve *ja3* or *ja4* by using Copy --> value. * When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`. * Before submitting a PR: test it yourself! You can also watch it again via wireshark. +The license of self harvested client simulations is the same as the whole tool see ../LICENSE . diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index aa3fde6b8..d0669ecde 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt 
@@ -1042,6 +1042,29 @@ ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) + names+=("Safari 26.4 (iOS+iPadOS 26.4)") + short+=("safari_iOS_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + handshakebytes+=("16030105f8010005f40303ccd490ea737df0f6c3c37b7a4406fde51a9bbb3935adfb769d0a268f9ccf045d209e6a6487b908ed904f2469f72576327e6761f01be3b4b63ff91b97599638d4b7002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a010005818a8a00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c9a9a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed9a9a00010011ec04c0a8b2940f2396593a5a41ea200da120435a82a6d60315b2c5b8a42c9c6a4067e75558556f70b9449d80c9ce301aa583bc6cec861bfa5b1f71830db8bade05cc507bbe434a055a97a984e4ccf90082a60a5ed0594a1cf770b98367d04960ecd7092659157ac48f6f030fc7f477e70a8f6ab9ccad1778f3821e0bc5401ce7973c9169bfe8548a6c4ef0900c8722cb41c257b5e04cd69887ca87af8cccc06b20c5fb909777f61c4219480c8c2df36ba90348c6bc86821076a264404933443c1fd7c2f37c7b0bd4308d3a34b216cf72a48b22643b6b743b5241cb81f53f1df542117538cc360d7a85027ec620a69839492693860b3fc3085addda3b41dbbdf1a4ab42635d41b92913456fb65756e2d98451384f12485ee4259565016554b0c27e0845b1f21cf2fa3496ac95cf018fc22614d63391a4baa88dcc685ff54869135b0d0a1d0ed11faa61a9b8d4bd20d1166e117f129c32c62c9233eaa8e4695a5282c9635b4c9a70b37f351490c4377b83baae012d9016160f611e99832dafbaa80e500f41236797fa1faa3b0066c2030a60b44c809299d
371ec11554be8226d846af9bc173d6800390b1b2353467572c9957c71987cc8e71525bba6c0f53269f443c50ab3a56feac803455f7c5024fd694c5df40b95929585fb348192890a3c1bf4381b48dc446857a986b953ce58af49c489c6c5703b39076b5333a662a8ecc13d26d1b546e97c94075ec369a9d133347439c74fdc5b3eb60db0215a2e4c6d751728eb8c9475c773f9b2cf34585e09cb343e8439fd545ccd77985f3a682427351c83842091a50526442e95cea30c589300491b984addfb00069c7d8568b2286a118a28472764835301bb2dd7a6eb69b5c2f4ad5ebc36432643329639c6e788cb071dd1a60cc0862da1751421b4bf43418e49b17f4d90911ba06bbd0a0eb5ea7e82b19f4a0982472c1433118d6de10ba0f4b150637bdf40c8fc6b2a28a73000cd53e70c6021452984b1a449554e8bb99cae522abc901e10188ae8146cef7a005b9a2699a9bf697c11a2f6c31788bb05b30d5d680f8a062fea91b74b66c569e247c1bcbe9ecc8e959cb6256420e705520ba44fc08c47ef47a2c79496dc948f1fd20fa0381a609408e9ab641b91b76c532e386021f0ca525516095981c4f3702c5deb659c32b11c4946963c6730b6a7ab27c13da54b0db049892247ea533663f910d9f23a79871bfef4077229af08f135825529c0361f8d95b64de58250b8c9e8cb6a81b73dd88075fe165b9d5409accc3c244173399b8cddc596d7211b8c053ae3b73f3f5b12a3e88e78544b2a24c5b84427bed31f3d5c6cbe642fced4552ff66a21e0affd33cd35ea0b36b2b88bb3a90c06694703b0efd134ee2c18b40c6684ec91aeeb688f038168722288a04f2ea08c824951b70a71567062ebbb89dd47526bcc41e5c7a1902322f2b89f19a2746fda046496029af13d03961dc721ac193053cb327af3817ac8367f645a0dff96299d05be978520a6f46895340d89a370fc429dde652495dba1b349a7a26ccf45bc9b2e97865d59414512812b967982ea6f052acd8b7403cdb784ac7c874eb98ee507b817889e5cc108d7fa2043f582f2aa09e34ac4bbc956ae70870eac58ebdb67640f0ebad2a249552ac1d24a56d9295dd7b63c43e37306bfcdaae4121d8db56bc745107bc6341157ac20c516e9fedd8fef9b380f001d00208b3bb0ab2bfee9de7b103e56e5a73607370655a92194a0fe13743790d944a92b002d00020101002b000706aaaa03040303001b0003020001fafa000100") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + 
minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("ecdf4f49dd59effc439639da29186671") + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + names+=("Safari 12.1 (macOS 10.13.6)") short+=("safari_121_osx_10136") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") 
@@ -1132,4 +1155,28 @@ ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) + names+=("Safari 26.4 (macOS 26.4)") + short+=("safari_264_osx_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("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") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("000a000e000c5a5a11ec001d001700180019") + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + diff --git a/testssl.sh b/testssl.sh index 00325f5ca..9c6ef52a0 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -5272,23 +5272,23 @@ run_client_simulation() {
 pr_headlineln "via sockets "
 else
 pr_headline "via openssl "
- prln_warning " -- pls note \"--ssl-native\" will return some false results"
- fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
+ prln_warning " -- pls note \"--ssl-native\" will likely return false results"
+ fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will likely get false results"
 ret=1
 fi
 outln
 debugme echo
 if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
- out " Browser Protocol Cipher Suite Name (OpenSSL) "
+ out " Browser/Client Protocol Cipher Suite Name (OpenSSL) "
 { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy"
 outln
- out "--------------------------------------------------------------------------"
+ out "--------------------------------------------------------------------------------"
 else
- out " Browser Protocol Cipher Suite Name (IANA/RFC) "
+ out " Browser/Client Protocol Cipher Suite Name (IANA/RFC) "
 { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy"
 outln
- out "------------------------------------------------------------------------------------------"
+ out "------------------------------------------------------------------------------------------------"
 fi
 { "$using_sockets" || "$HAS_DH_BITS"; } && out "----------------------"
 outln
@@ -5302,7 +5302,7 @@ run_client_simulation() {
 if "${current[i]}" || "$ALL_CLIENTS" ; then
 # for ANY we test this service or if the service we determined from STARTTLS matches
 if [[ "${service[i]}" == ANY ]] || [[ "${service[i]}" =~ $client_service ]]; then
- out " $(printf -- "%-29s" "${names[i]}")"
+ out " $(printf -- "%-35s" "${names[i]}")"
 if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then
 client_simulation_sockets "${handshakebytes[i]}"
 sclient_success=$?
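Review bot: The width of the name column is now written in five places that must agree: the `%-35s` in the second hunk, plus the two header strings and the two dash rulers in the first. `printf -- "%-35s"` pads but does not cut, so the next client name longer than 35 characters pushes the Protocol and Cipher columns out of line again and needs the same five edits. One variable would keep them together, for example `local -i name_width=35` used as `printf -- "%-${name_width}s" "${names[i]}"`, with the header padding and rulers derived from it. Both hunks sit inside run_client_simulation, whose body starts and ends outside the diff.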