56 changes: 52 additions & 4 deletions etc/client-simulation.txt
Expand Up @@ -2537,10 +2537,10 @@ names+=("Opera 66 (Win 10)")
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
requiresSha2+=(false)
requiresSha2+=(true)
ja3+=("773906b0efdefa24a7f2b8eb6985bf37")
ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
current+=(true)
current+=(false)

names+=("Safari 10 OS X 10.12")
short+=("safari_10_osx1012")
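Review bot: The flip from `requiresSha2+=(false)` to `requiresSha2+=(true)` at the top of this hunk changes simulation behaviour for an existing client and is not explained by adding Safari 26.4. The same entry is retired with `current+=(false)`, and the visible context does not show which client it belongs to. Please name the client in the commit message and state that its signature_algorithms extension was rechecked for SHA1 entries, or move the requiresSha2 change into its own commit.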
Expand Down Expand Up @@ -2584,6 +2584,29 @@ names+=("Opera 66 (Win 10)")
requiresSha2+=(false)
current+=(false)

names+=("Safari 26.4 (iOS+iPadOS 26.4)")
short+=("safari_iOS_264")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
ch_sni+=("$SNI")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2")
lowest_protocol+=("0x0303")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
requiresSha2+=(false)
ja3+=("ecdf4f49dd59effc439639da29186671")
ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
current+=(true)

names+=("Safari 12.1 (macOS 10.13.6)")
short+=("safari_121_osx_10136")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
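Review bot: The new "Safari 26.4 (iOS+iPadOS 26.4)" entry has no `warning+=("")` line between `ch_sni+=("$SNI")` and `handshakebytes+=(...)`, while the macOS 26.4 entry added further down does. Every field here is appended to its own array, so a missing append leaves `warning` one element short and misaligned for each entry after this one. Add the empty warning line. As a style point, `short+=("safari_iOS_264")` puts the platform before the version, whereas the macOS entry uses `safari_264_osx_264`; pick one order.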
Expand Down Expand Up @@ -2648,9 +2671,9 @@ names+=("Opera 66 (Win 10)")
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
requiresSha2+=(false)
current+=(true)
current+=(false)

names+=("Safari 18.4 (macOS 15.4)")
names+=("Safari 18.4 (macOS 15.4/iOS 18.4)")
short+=("safari_184_osx_154")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
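Review bot: The renamed `names+=("Safari 18.4 (macOS 15.4/iOS 18.4)")` now claims iOS 18.4, but `short+=("safari_184_osx_154")` and the rest of the entry are unchanged, so the claim rests on the macOS capture. Please confirm in the PR description that an iOS 18.4 ClientHello yields the same ja3/ja4 as this entry; the how-to in this PR describes consolidating sections on that basis. Also name the client whose `current+=(true)` becomes `current+=(false)` just above, since the hunk context does not show it.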
Expand All @@ -2674,6 +2697,31 @@ names+=("Opera 66 (Win 10)")
ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
current+=(true)

names+=("Safari 26.4 (macOS 26.4)")
short+=("safari_264_osx_264")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
ch_sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2")
lowest_protocol+=("0x0303")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
minDhBits+=(1024)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
requiresSha2+=(false)
ja3+=("000a000e000c5a5a11ec001d001700180019")
ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
current+=(true)


names+=("Apple ATS 9 iOS 9")
short+=("apple_ats_9_ios9")
ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
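Review bot: `ja3+=("000a000e000c5a5a11ec001d001700180019")` in the macOS 26.4 entry is not a JA3 hash: it is 36 hex characters where the other entries carry a 32-character value, and it reads as the raw Supported Groups extension (type 0x000a, lengths 0x000e and 0x000c, GREASE 0x5a5a, then 0x11ec 0x001d 0x0017 0x0018 0x0019). The `curves` value looks derived from the same bytes: `sect283r1:sect571r1:sect409r1::` are the group names for 0x000a, 0x000e and 0x000c, and the empty element is the GREASE value. Replace ja3 with the value Wireshark reports and use the curve list without the extension header and GREASE, as the iOS 26.4 entry does (`X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1`). `minDhBits+=(1024)` also departs from the -1 used in the iOS entry and from the how-to's advice to leave it at -1 unless the limit is known, and there is a doubled blank line after `current+=(true)`.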
11 changes: 6 additions & 5 deletions etc/client-simulation.wiresharked.md
Expand Up @@ -12,18 +12,19 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl
* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic.
* Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client.
* Edit the *names* accordingly and the *short* description. The latter must not contain blanks.
* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* --> Copy --> As a hex stream.
* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* in wireshark --> Copy --> As a hex stream.
* For *ch_ciphers*: mark *Cipher Suites* --> Copy --> As a hex stream and supply it to `~/utils/hexstream2cipher.sh`. The last line contains the ciphers which you need to copy. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. . The GREASE "ciphers" (?a?a) which you may see in the very beginning don't show up here.
* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*.
* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normally like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*.
* For *curves* mark the *Supported Groups* TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Copy the last line into *curves*.
* Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3).
* Adjust *lowest_protocol* and *highest_protocol* accordingly (0301=TLS 1.0, 0302=TLS 1.1, 0303=TLS 1.2, 0304=TLS 1.3)
* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
* Review TLS extension "signature_algorithm" 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
* Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle.
* Retrieve *alpn* by looking at the *application_layer_protocol_negotiation* TLS extension 16 (=0x0010).
* When using wireshark, copy also the ja3 and ja4 values accordingly (copy --> value), see e.g. like *java_80442*. This could be used in the future.
* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols.
* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols.
* For ja3 and ja4: This is to uniquely identify the client handshake. Also we can consolidate client handshake section (see e.g. Android 13 = Android 14). Retrieve *ja3* or *ja4* by using Copy --> value.
* When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`.
* Before submitting a PR: test it yourself! You can also watch it again via wireshark.


The license of self harvested client simulations is the same as the whole tool see ../LICENSE .
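Review bot: The added ja3/ja4 bullet says "Retrieve *ja3* or *ja4*", but the entries in `client-simulation.txt` carry both, so this should read "and". It would also help to state the expected shape (ja3 is a 32-character hex hash, ja4 has the `t13d..._..._...` form) so that a hex stream pasted into the wrong field is caught. Smaller points: "wireshark" should be capitalised in the *handshakebytes* bullet, the *services* bullet appears to change only in whitespace, and the *ch_ciphers* bullet still contains the stray "TLS\*. ." punctuation.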