diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt
index 7b603a01f..e7af0bd27 100644
--- a/etc/client-simulation.txt
+++ b/etc/client-simulation.txt
@@ -310,8 +310,8 @@
      ja4+=("t13d1713h1_5b57614c22b0_352634941f3a")
      current+=(true)
 
-     names+=("Android 15 (native)")
-     short+=("android_15")
+     names+=("Android 15/16 (native)")
+     short+=("android_15_16")
      ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
      ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
      ch_sni+=("$SNI")
@@ -330,10 +330,37 @@
      minEcdsaBits+=(-1)
      curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
      requiresSha2+=(true)
-     ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5")
-     ja4+=("t13d1517h2_8daaf6152771_b6f405a00624")
+     ja3+=("a04f2226447ea413dd5bf057ca4a4bdf")
+     ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd")
+     # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here.
      current+=(true)
 
+     names+=("Android 16 (native)")
+     short+=("android_16")
+     ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030107130100070f0303a80e8116ef08e859a5660ef369403922257044938f3dc4801497a4ff86ae1e6520b7d9e84e0116f07f3ea7b9b31be7d49578864802be4199920af028a7bf1df50800205a5a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010006a67a7a0000000b00020100002b000706baba0304030300170000ff01000100003304ef04ed8a8a00010011ec04c0b031ba06c780befc685949cef93243d2b29da8426e9d1b0287195958276c7358653051008cb48d93598782f9a8be73663eabce21412cf3ca249f6a61da34a6f728756c5aa5c6b6866910bfc47a20310362b5b49d60b855f46b34f9ebbd6beb3b1f972af1c646f0ba746a51ad89b96e72cc7fae9943da40692c746883a094ac0564cc180a481b34ab84b08bd08984c72aa18214d098981dfcca67b872ed7c147c8526c128a50f0562c93b090b1b83cbd53ea94b69c03c9380c81b31a6b234c476e2988db137757047c7a9712d006871a192a4f31334dc3069e850a5208585fee65d6cfb63b5db3641f3b5b35c462a813cb645cca78271c411628b51450583712f987c5f8222ada32afaea7e43a519eb3c32ea464b6d8173774220418390af28c4b79787b1344be9f02483e185693831c2ab4693e3bca8f176da7317c2a497cce1bcae86266fe67311f738a5375ff53c33ddb7baad362db6581d21b1bb8e2c9526744066b203fe670efcc810425c89fc6b3e3cfc6b37a08c14ecaa6a7063219261d23c6fa952558839a27d80b2c750ac77a8756af3523eebc3d1ea8eba1c4d367ac9a2e6406e35a9a7e97320dc3505c88e5cc123c83a7fb18b1e1e33241d825d97905e7b8991cfc4b4b846a985f8cc9e8b5bae2a20af801349162e5ea1b5b7b0c951f65914d8af968b852ed399eb650c1ef7954b982abd5cc46edc3bc6c7b3f2b569553690e8588cc1fb7230024f6e83050200747839a54d89caaf25933b3aabde28c094350c03d75a87a4aa3e1b47a2f978cf4463c1cbb8eb6aac2e4b7c0c8a4803c506dc9990beac54b2376f351caa513c6fcd3a18db55763f02865435a8533659cef00a57cb2b0e7790a90a6e64e8181067372d377be831b1d113b2799b64007c215dfaad52453183d09b6711761c94225ab27ffd30aa6356208d036e002a6b61ab8b559b1408cab808393b31b60a54a102b0b6167ce222f4210bcc049bb765b866a73227104aeaab8014261a5a89bc4adc0e30c6212e693f1fa6146b7abf57464c2f68a513f408058b1253046167bca6089345144261c974c403101471e002404b1d98b47de7d8660e0016e72aa6678944b2d65e50dccfd5412db7dc87a150ba8a4977228455df35256cf296cb34204c2c3fd2c27efe882087c04466e39e0168549560cd126666a05b09afb810544b7594db725da09c26a2a69127a6b12786af712404f7a163c4a110ba05e6d8b17869be7faca2b1086210fba9dcb958a13502277131c3340242b70591dc051e895716103eb2a63b92e198cef5c3a213c88eb49bd3f0b393ba576ac14218975b1a36a0e7c3217f32437ef603f053a14be25fe3ccc7f6f977ea3401c50c5a8d5b101a451db9f40776f6cc01395886293c7b18880223c5656ab23f5c625bd25b81216123563aad3a739a96529ea35ad95c876fda01a91a5111e0bb6ffc0eec24cecf15b3b28715df0b7f9b393c84f5a2e7b80910744a7341970c7c4425f98e3e718839743d11c997e434c1c2027a11769fd011b76e2495d1f83e31d0ae58b24eccb17f8539150f869ab1b8ce87b625cc52993e05a92f030fe6a790f3f62443f05c482c42e65280106c43d3f35ca273070a440dc490b77502103925599d7d3ba576db2d6257ec2945b3f16c6609a575fe556303aa0e4427f2234fe0e18e84f0cceb8baf5abb10982fe4c27fdb2aeda7aba94277001d0020613f7c9b4efa181e720de9c1e406b7a6ef17c94ff97053fac456c36faf200e0afe0d011a0000010001710020008eb36ce91deadb92ff7983761ac68ce58cec044231899f73c5b5eb4464c64800f02925bb0094febfd8fc3960f861148f71ac4e4134ef5861e84d04ff3d79e7e773748e5fe6d947c768c22f42a0dfaa53575a0f13526d74d232605bbc1ab682aa61841396cd3191cfb76d82f3053549333d8325488e7a3b61707d567753ac98cd6b44ce26ba353bcd1853036f0f8db85b8b920afa6235e1403feb2ce44af2151e6c48d535102225a074626a7157096b3def88655d79fa1bc21fe7954d661995b8ac8f7cba70c2fff5fa8cf2e3b1ed83be5884e0c4b4576ab0cc589daf4494e0e911858cc6030f78e7f1c4765ebd356585f75ad9204505e4b2916126a51cdbeacfe3eff962d78f48795d966d3d32b7f6ce85002d00020101001b0003020002000d001200100403080404010503080505010806060144cd000500030268320005000501000000000010000e000c02683208687474702f312e3100230000000a000c000a8a8a11ec001d001700180000000f000d00000a7465737473736c2e7368001200006a6a000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
+     requiresSha2+=(true)
+     ja3+=("1039cdb7642a736c706f52a335544033")
+     ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd")
+     # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here.
+     current+=(false)
+     # same as above, deducted from ja4 fingerprint
+
 names+=("Chrome 27 Win 7")
      short+=("chrome_27_win7")
      ch_ciphers+=("ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-RC4-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-RC4-SHA:ECDH-ECDSA-AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA")
@@ -967,7 +994,9 @@ names+=("Chrome 27 Win 7")
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1")
      requiresSha2+=(true)
-     current+=(true)
+     ja3+=("cd08e31494f9531f560d64c695473da9")
+     ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1")
+     current+=(false)
 
      names+=("Chromium 137 (Win 11)")
      short+=("chromium_137_win11")
@@ -2071,7 +2100,7 @@ names+=("Firefox 137 (Win 11)")
      requiresSha2+=(false)
      current+=(false)
 
-     names+=("Edge 101 Win 10 21H2")
+     names+=("Edge 101/Chrome 101 Win 10 21H2")
      short+=("edge_101_win10_21h2")
      ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
      ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
@@ -2091,6 +2120,8 @@ names+=("Firefox 137 (Win 11)")
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1")
      requiresSha2+=(true)
+     ja3+=("cd08e31494f9531f560d64c695473da9")
+     ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1")
      current+=(true)
 
      names+=("Edge 133 Win 11 23H2")
@@ -2537,10 +2568,10 @@ names+=("Opera 66 (Win 10)")
      minRsaBits+=(-1)
      maxRsaBits+=(-1)
      minEcdsaBits+=(-1)
-     requiresSha2+=(false)
+     requiresSha2+=(true)
      ja3+=("773906b0efdefa24a7f2b8eb6985bf37")
      ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
-     current+=(true)
+     current+=(false)
 
      names+=("Safari 10 OS X 10.12")
      short+=("safari_10_osx1012")
@@ -2584,6 +2615,30 @@ names+=("Opera 66 (Win 10)")
      requiresSha2+=(false)
      current+=(false)
 
+     names+=("Safari 26.4 (iOS+iPadOS 26.4)")
+     short+=("safari_iOS_264")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     handshakebytes+=("16030105f8010005f40303ccd490ea737df0f6c3c37b7a4406fde51a9bbb3935adfb769d0a268f9ccf045d209e6a6487b908ed904f2469f72576327e6761f01be3b4b63ff91b97599638d4b7002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a010005818a8a00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c9a9a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed9a9a00010011ec04c0a8b2940f2396593a5a41ea200da120435a82a6d60315b2c5b8a42c9c6a4067e75558556f70b9449d80c9ce301aa583bc6cec861bfa5b1f71830db8bade05cc507bbe434a055a97a984e4ccf90082a60a5ed0594a1cf770b98367d04960ecd7092659157ac48f6f030fc7f477e70a8f6ab9ccad1778f3821e0bc5401ce7973c9169bfe8548a6c4ef0900c8722cb41c257b5e04cd69887ca87af8cccc06b20c5fb909777f61c4219480c8c2df36ba90348c6bc86821076a264404933443c1fd7c2f37c7b0bd4308d3a34b216cf72a48b22643b6b743b5241cb81f53f1df542117538cc360d7a85027ec620a69839492693860b3fc3085addda3b41dbbdf1a4ab42635d41b92913456fb65756e2d98451384f12485ee4259565016554b0c27e0845b1f21cf2fa3496ac95cf018fc22614d63391a4baa88dcc685ff54869135b0d0a1d0ed11faa61a9b8d4bd20d1166e117f129c32c62c9233eaa8e4695a5282c9635b4c9a70b37f351490c4377b83baae012d9016160f611e99832dafbaa80e500f41236797fa1faa3b0066c2030a60b44c809299d371ec11554be8226d846af9bc173d6800390b1b2353467572c9957c71987cc8e71525bba6c0f53269f443c50ab3a56feac803455f7c5024fd694c5df40b95929585fb348192890a3c1bf4381b48dc446857a986b953ce58af49c489c6c5703b39076b5333a662a8ecc13d26d1b546e97c94075ec369a9d133347439c74fdc5b3eb60db0215a2e4c6d751728eb8c9475c773f9b2cf34585e09cb343e8439fd545ccd77985f3a682427351c83842091a50526442e95cea30c589300491b984addfb00069c7d8568b2286a118a28472764835301bb2dd7a6eb69b5c2f4ad5ebc36432643329639c6e788cb071dd1a60cc0862da1751421b4bf43418e49b17f4d90911ba06bbd0a0eb5ea7e82b19f4a0982472c1433118d6de10ba0f4b150637bdf40c8fc6b2a28a73000cd53e70c6021452984b1a449554e8bb99cae522abc901e10188ae8146cef7a005b9a2699a9bf697c11a2f6c31788bb05b30d5d680f8a062fea91b74b66c569e247c1bcbe9ecc8e959cb6256420e705520ba44fc08c47ef47a2c79496dc948f1fd20fa0381a609408e9ab641b91b76c532e386021f0ca525516095981c4f3702c5deb659c32b11c4946963c6730b6a7ab27c13da54b0db049892247ea533663f910d9f23a79871bfef4077229af08f135825529c0361f8d95b64de58250b8c9e8cb6a81b73dd88075fe165b9d5409accc3c244173399b8cddc596d7211b8c053ae3b73f3f5b12a3e88e78544b2a24c5b84427bed31f3d5c6cbe642fced4552ff66a21e0affd33cd35ea0b36b2b88bb3a90c06694703b0efd134ee2c18b40c6684ec91aeeb688f038168722288a04f2ea08c824951b70a71567062ebbb89dd47526bcc41e5c7a1902322f2b89f19a2746fda046496029af13d03961dc721ac193053cb327af3817ac8367f645a0dff96299d05be978520a6f46895340d89a370fc429dde652495dba1b349a7a26ccf45bc9b2e97865d59414512812b967982ea6f052acd8b7403cdb784ac7c874eb98ee507b817889e5cc108d7fa2043f582f2aa09e34ac4bbc956ae70870eac58ebdb67640f0ebad2a249552ac1d24a56d9295dd7b63c43e37306bfcdaae4121d8db56bc745107bc6341157ac20c516e9fedd8fef9b380f001d00208b3bb0ab2bfee9de7b103e56e5a73607370655a92194a0fe13743790d944a92b002d00020101002b000706aaaa03040303001b0003020001fafa000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP")
+     curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     requiresSha2+=(false)
+     ja3+=("ecdf4f49dd59effc439639da29186671")
+     ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+     current+=(false)
+     # identical to MaCOS Safari 26.4, see ja4
+
      names+=("Safari 12.1 (macOS 10.13.6)")
      short+=("safari_121_osx_10136")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
@@ -2648,9 +2703,9 @@ names+=("Opera 66 (Win 10)")
      maxRsaBits+=(-1)
      minEcdsaBits+=(-1)
      requiresSha2+=(false)
-     current+=(true)
+     current+=(false)
 
-     names+=("Safari 18.4 (macOS 15.4)")
+     names+=("Safari 18.4 (macOS 15.4/iOS 18.4)")
      short+=("safari_184_osx_154")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
      ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
@@ -2674,6 +2729,31 @@ names+=("Opera 66 (Win 10)")
      ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
      current+=(true)
 
+     names+=("Safari 26.4 (macOS/iOS/iPadOS 26.4)")
+     short+=("safari_264_all")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP")
+     curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+     minDhBits+=(1024)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     requiresSha2+=(false)
+     ja3+=("000a000e000c5a5a11ec001d001700180019")
+     ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+     current+=(true)
+
+
      names+=("Apple ATS 9 iOS 9")
      short+=("apple_ats_9_ios9")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
@@ -2928,8 +3008,8 @@ names+=("Opera 66 (Win 10)")
      requiresSha2+=(false)
      current+=(false)
 
-     names+=("Java 17.0.3 (OpenJDK)")
-     short+=("java_1703")
+     names+=("Java 17.0.3/21.0.6 (OpenJDK)")
+     short+=("java_1703_2106")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
      ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256")
      ch_sni+=("$SNI")
@@ -2947,6 +3027,8 @@ names+=("Opera 66 (Win 10)")
      minEcdsaBits+=(224)
      curves+=("x25519:secp256r1:secp384r1:secp521r1:x448:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192")
      requireseha2+=(true)
+     ja3+=("60f3e2285bc991c380f822c6ac51f947")
+     ja4+=("t13d311200_e8f1e7e78f70_6077d120928a")
      current+=(true)
 
      names+=("Java 21.0.6 (OpenJDK)")
@@ -2970,7 +3052,8 @@ names+=("Opera 66 (Win 10)")
      requiresSha2+=(true)
      ja3+=("60f3e2285bc991c380f822c6ac51f947")
      ja4+=("t13d311200_e8f1e7e78f70_6077d120928a")
-     current+=(true)
+     current+=(false)
+     # same as above
 
      names+=("go 1.17.8")
      short+=("go_1178")
@@ -3282,6 +3365,30 @@ names+=("Opera 66 (Win 10)")
      ja4+=("t13d301100_1d37bd780c83_8e6e362c5eac")
      current+=(true)
 
+     names+=("OpenSSL 4.0.0 (git)")
+     short+=("openssl_400")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160301060f0100060b030372c25784c36596289766688a697c0e9cf42227867ca997d6c032f06aee51495620858b64eeb9d87bc2f9abb060999c9ded0ef8fc3aa8f483f7a8f289827095b7cf003c130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f01000586ff01000100000b00020100000a0018001611ec11eb11ee001d0017001e00180019002901000101002300000016000000170000000d0038003609050906090404030503060308070808081a081b081c0809080a080b0804080508060401050106010303030103020402050206020708002b00050403040303002d00020101003304ea04e811ec04c0608abaa87c03d79b928e5b2c7afc0082c1910d0b043a743df2198d40170b4376183b28302ca08162367ec465acd42049e675cdd7f2053b55ae4bc9b8882224d12c471220a10e7bb2317646de27a3679616df2a1145334368562ad0ab9fe2a942e42c3d1111ab07c198f5d393ab584c22e4cf9a430460c3133da80bd22a9eb3e238ea4579ba1ca9e2618699468f43c16d0cba18cd4ccb6916545b20506154380b5305206159cac627f842c218e74b5a6355594418eb526cc5588bc6e05611e7134d20c29477ac91006c28d8bf8fd4791cf21e863617396648f8dc1653a34d1dcc66cc36949c458b57b6369701500700152ea416cd9c6561785efcea6ebb2309549901f1f48180a47e8ed6b1f22943d4aa797579bb1dac83a8fa111eb383b6a3c88647cc1a170d042479d6447f485634ccf51d0ec49c63296e9052b5fdf55a091c4ae4c1c83132b1be94af4a040f9bca45743b7b1c91bbb2ecb0005a72ee2808f11b9994541c0d4857d98247536ab9fbe039ba845b2915a3e5579577ec5735e293cb1c48ee075591a3bacfd498f474777aa75f90d67e562763eae03aa9d834dc579f03aa546797c6a7914da791580071ac72fc86bee5ab3c205808cc5690e1b4fde01e3dec0d2a96840fa97b8603bdbd80b7dba65c2aeca00ca4502042cb69104e0471c5e6243d68681a4c2087f337aba6d27bf788b2a010b201a10aa5c04de488a12b4c4f3c0aae29988b92e8a5320c5a31d88d09885310100972e41f0d48756f0477547126b33072b271bef3f94bcf72784cc4bc29708ed0b5956d995bcef24989899cb9f64b8149b58e2b1146f3cea5024497584ef31b842ae72bdb65be732b9c76400e26312c2ec1af3e734fa8b3ada3e1b69be696ab33844605be78ba6e06b6552fe18199015ce0ac3b0b0bb150f6a37150bbba039f481cb9172ac40fe65b2e2b0be7d6a40112be8779b6116c417f59b8b34371d348bed4f8479c169a03c3c9859b4a9dc5619889c51a287cadb8be6f3a611cd823c2f1232ebaceff1438e602091b4a1da53a934651924b3384b6fc565d085272e57fa157a528c3788b5c92830355cefa67eb677cea385772b54925b0927313c0d0166c6246cb58a9808836a82b001dcf1a6c88698056c2156273434fa8b180dc8a0706b1680440891c7120c3a2e335c3093b3d42e497dcc764a825c5a8b920b1a52d83a7c72cbc84af5aa42eb813703907c68cc856b2995896747ea2653e639e404943c5831dc243176e634d625a77b317bd9778920ff34f4234a01c2552c0b215dc38cf7c737d26ca4fd20816e3b823fc476b03472d760114f203be3297c137450b16aba4d4b909aa351c95a993ba78177ae8056f3b7643a179e32b1d510a3807934536723dc6a7cf84f9ab53f76f919861eb431e096aa09183055d607e17f76f5082c838ea9d5c289f9449514b822e336a0c257287952322e0337720935bf295600d00554bf8a8ccb155698075e7a2506eab03600b77c4940d126501f184a8cc209a92215828d159c9056ffa55531484517105ce921b31bca57c7d82a622db2e8d997443d32594628253f04bd394b809495af5e7a66047603aea0a1234082cb58611b8af73db38f9f56e2795881ddb36a82772eac8deafae49270650ed20950d2eaaa6c5807aaead43ed2affd8c15b08744bc2e8f232b2c31e5528600b9d1946e3f79d5b7c301ef7564f001d00204e01b68506a1eabc9f25990c72848a0bd241e5e6e8007630f44ac42c59def143001b00030200010000000f000d00000a7465737473736c2e7368")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(2048)
+     maxDhBits+=(-1)
+     minRsaBits+=(2048)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(224)
+     curves+=("X25519MLKEM768:SecP256r1MLKEM768:curveSM2MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:curveSM2:ffdhe2048:ffdhe3072")
+     requiresSha2+=(true)
+     ja3+=("9d83c03b4e0bb6583e210243d9299756")
+     ja4+=("t13d301200_1d37bd780c83_e65f5f3178d9")
+     current+=(true)
+
      names+=("Apple Mail (16.0)")
      short+=("apple_mail_16_0")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
@@ -3302,6 +3409,8 @@ names+=("Opera 66 (Win 10)")
      minEcdsaBits+=(-1)
      curves+=("secp256r1:secp384r1:secp521r1")
      requiresSha2+=(false)
+     ja3+=("e4d448cdfe06dc1243c1eb026c74ac9a")
+     ja4+=("t12d220700_0d4ca5d4ec72_3304d8368043")
      current+=(true)
 
      names+=("Thunderbird (60.6)")
@@ -3368,6 +3477,8 @@ names+=("Opera 66 (Win 10)")
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
      requiresSha2+=(false)
+     ja3+=("490dba4384bdcf3fb9f1682374dd4afc")
+     ja4+=("t13d181400_e8a523a41297_3d5424432f57")
      current+=(true)
 
      names+=("Baidu Jan 2015")
diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md
index 8d8e11cca..715341dd0 100644
--- a/etc/client-simulation.wiresharked.md
+++ b/etc/client-simulation.wiresharked.md
@@ -12,18 +12,19 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl
 * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic.
 * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client.
 * Edit the *names* accordingly and the *short* description. The latter must not contain blanks.
-* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* --> Copy --> As a hex stream.
+* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* in wireshark --> Copy --> As a hex stream.
 * For *ch_ciphers*: mark *Cipher Suites* --> Copy --> As a hex stream and supply it to `~/utils/hexstream2cipher.sh`. The last line contains the ciphers which you need to copy. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. . The GREASE "ciphers" (?a?a) which you may see in the very beginning don't show up here.
-* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*.
+* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normally like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*.
 * For *curves* mark the *Supported Groups* TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Copy the last line into *curves*.
 * Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3).
 * Adjust *lowest_protocol* and *highest_protocol* accordingly (0301=TLS 1.0, 0302=TLS 1.1, 0303=TLS 1.2, 0304=TLS 1.3)
-* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
+* Review TLS extension "signature_algorithm" 13 (=0x000d)  whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true.
 * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle.
 * Retrieve *alpn* by looking at the *application_layer_protocol_negotiation* TLS extension 16 (=0x0010).
-* When using wireshark, copy also the ja3 and ja4 values accordingly (copy --> value), see e.g. like *java_80442*.  This could be used in the future.
-* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY"  whereas mail clients as Thunderbird support a variety of protocols.
+* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols.
+* For ja3 and ja4: This is to uniquely identify the client handshake. Also we can consolidate client handshake section (see e.g. Android 13 = Android 14).  Retrieve *ja3* or *ja4* by using Copy --> value.
 * When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`.
 * Before submitting a PR: test it yourself! You can also watch it again via wireshark.
 
 
+The license of self harvested client simulations is the same as the whole tool see ../LICENSE .
diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt
index aa3fde6b8..e73c58423 100644
--- a/etc/client-simulation.wiresharked.txt
+++ b/etc/client-simulation.wiresharked.txt
@@ -213,9 +213,35 @@
      minEcdsaBits+=(-1)
      curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
      requiresSha2+=(true)
-     ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5")
-     ja4+=("t13d1517h2_8daaf6152771_b6f405a00624")
+     ja3+=("a04f2226447ea413dd5bf057ca4a4bdf")
+     ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd")
+     current+=(true)
+
+     names+=("Android 16 (native)")
+     short+=("android_16")
+     ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA")
+     ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030107130100070f0303a80e8116ef08e859a5660ef369403922257044938f3dc4801497a4ff86ae1e6520b7d9e84e0116f07f3ea7b9b31be7d49578864802be4199920af028a7bf1df50800205a5a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010006a67a7a0000000b00020100002b000706baba0304030300170000ff01000100003304ef04ed8a8a00010011ec04c0b031ba06c780befc685949cef93243d2b29da8426e9d1b0287195958276c7358653051008cb48d93598782f9a8be73663eabce21412cf3ca249f6a61da34a6f728756c5aa5c6b6866910bfc47a20310362b5b49d60b855f46b34f9ebbd6beb3b1f972af1c646f0ba746a51ad89b96e72cc7fae9943da40692c746883a094ac0564cc180a481b34ab84b08bd08984c72aa18214d098981dfcca67b872ed7c147c8526c128a50f0562c93b090b1b83cbd53ea94b69c03c9380c81b31a6b234c476e2988db137757047c7a9712d006871a192a4f31334dc3069e850a5208585fee65d6cfb63b5db3641f3b5b35c462a813cb645cca78271c411628b51450583712f987c5f8222ada32afaea7e43a519eb3c32ea464b6d8173774220418390af28c4b79787b1344be9f02483e185693831c2ab4693e3bca8f176da7317c2a497cce1bcae86266fe67311f738a5375ff53c33ddb7baad362db6581d21b1bb8e2c9526744066b203fe670efcc810425c89fc6b3e3cfc6b37a08c14ecaa6a7063219261d23c6fa952558839a27d80b2c750ac77a8756af3523eebc3d1ea8eba1c4d367ac9a2e6406e35a9a7e97320dc3505c88e5cc123c83a7fb18b1e1e33241d825d97905e7b8991cfc4b4b846a985f8cc9e8b5bae2a20af801349162e5ea1b5b7b0c951f65914d8af968b852ed399eb650c1ef7954b982abd5cc46edc3bc6c7b3f2b569553690e8588cc1fb7230024f6e83050200747839a54d89caaf25933b3aabde28c094350c03d75a87a4aa3e1b47a2f978cf4463c1cbb8eb6aac2e4b7c0c8a4803c506dc9990beac54b2376f351caa513c6fcd3a18db55763f02865435a8533659cef00a57cb2b0e7790a90a6e64e8181067372d377be831b1d113b2799b64007c215dfaad52453183d09b6711761c94225ab27ffd30aa6356208d036e002a6b61ab8b559b1408cab808393b31b60a54a102b0b6167ce222f4210bcc049bb765b866a73227104aeaab8014261a5a89bc4adc0e30c6212e693f1fa6146b7abf57464c2f68a513f408058b1253046167bca6089345144261c974c403101471e002404b1d98b47de7d8660e0016e72aa6678944b2d65e50dccfd5412db7dc87a150ba8a4977228455df35256cf296cb34204c2c3fd2c27efe882087c04466e39e0168549560cd126666a05b09afb810544b7594db725da09c26a2a69127a6b12786af712404f7a163c4a110ba05e6d8b17869be7faca2b1086210fba9dcb958a13502277131c3340242b70591dc051e895716103eb2a63b92e198cef5c3a213c88eb49bd3f0b393ba576ac14218975b1a36a0e7c3217f32437ef603f053a14be25fe3ccc7f6f977ea3401c50c5a8d5b101a451db9f40776f6cc01395886293c7b18880223c5656ab23f5c625bd25b81216123563aad3a739a96529ea35ad95c876fda01a91a5111e0bb6ffc0eec24cecf15b3b28715df0b7f9b393c84f5a2e7b80910744a7341970c7c4425f98e3e718839743d11c997e434c1c2027a11769fd011b76e2495d1f83e31d0ae58b24eccb17f8539150f869ab1b8ce87b625cc52993e05a92f030fe6a790f3f62443f05c482c42e65280106c43d3f35ca273070a440dc490b77502103925599d7d3ba576db2d6257ec2945b3f16c6609a575fe556303aa0e4427f2234fe0e18e84f0cceb8baf5abb10982fe4c27fdb2aeda7aba94277001d0020613f7c9b4efa181e720de9c1e406b7a6ef17c94ff97053fac456c36faf200e0afe0d011a0000010001710020008eb36ce91deadb92ff7983761ac68ce58cec044231899f73c5b5eb4464c64800f02925bb0094febfd8fc3960f861148f71ac4e4134ef5861e84d04ff3d79e7e773748e5fe6d947c768c22f42a0dfaa53575a0f13526d74d232605bbc1ab682aa61841396cd3191cfb76d82f3053549333d8325488e7a3b61707d567753ac98cd6b44ce26ba353bcd1853036f0f8db85b8b920afa6235e1403feb2ce44af2151e6c48d535102225a074626a7157096b3def88655d79fa1bc21fe7954d661995b8ac8f7cba70c2fff5fa8cf2e3b1ed83be5884e0c4b4576ab0cc589daf4494e0e911858cc6030f78e7f1c4765ebd356585f75ad9204505e4b2916126a51cdbeacfe3eff962d78f48795d966d3d32b7f6ce85002d00020101001b0003020002000d001200100403080404010503080505010806060144cd000500030268320005000501000000000010000e000c02683208687474702f312e3100230000000a000c000a8a8a11ec001d001700180000000f000d00000a7465737473736c2e7368001200006a6a000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1")
+     requiresSha2+=(true)
+     ja3+=("1039cdb7642a736c706f52a335544033")
+     ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd")
+     # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here.
      current+=(true)
+     # Same as above
 
      names+=("Edge 17 Win 10")
      short+=("edge_17_win10")
@@ -259,6 +285,8 @@
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1")
      requiresSha2+=(true)
+     ja3+=("cd08e31494f9531f560d64c695473da9")
+     ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1")
      current+=(true)
 
      names+=("Edge 133 Win 11 23H2")
@@ -393,6 +421,8 @@
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1")
      requiresSha2+=(true)
+     ja3+=("cd08e31494f9531f560d64c695473da9")
+     ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1")
      current+=(true)
 
      names+=("Chromium 137 (Win 11)")
@@ -593,6 +623,8 @@
      minEcdsaBits+=(224)
      curves+=("x25519:secp256r1:secp384r1:secp521r1:x448:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192")
      requiresSha2+=(true)
+     ja3+=("60f3e2285bc991c380f822c6ac51f947")
+     ja4+=("t13d311200_e8f1e7e78f70_6077d120928a")
      current+=(true)
 
      names+=("Java 21.0.6 (OpenJDK)")
@@ -910,7 +942,31 @@
      ja4+=("t13d301100_1d37bd780c83_8e6e362c5eac")
      current+=(true)
 
-    names+=("Apple Mail (16.0)")
+     names+=("OpenSSL 4.0.0 (git)")
+     short+=("openssl_400")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("160301060f0100060b030372c25784c36596289766688a697c0e9cf42227867ca997d6c032f06aee51495620858b64eeb9d87bc2f9abb060999c9ded0ef8fc3aa8f483f7a8f289827095b7cf003c130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f01000586ff01000100000b00020100000a0018001611ec11eb11ee001d0017001e00180019002901000101002300000016000000170000000d0038003609050906090404030503060308070808081a081b081c0809080a080b0804080508060401050106010303030103020402050206020708002b00050403040303002d00020101003304ea04e811ec04c0608abaa87c03d79b928e5b2c7afc0082c1910d0b043a743df2198d40170b4376183b28302ca08162367ec465acd42049e675cdd7f2053b55ae4bc9b8882224d12c471220a10e7bb2317646de27a3679616df2a1145334368562ad0ab9fe2a942e42c3d1111ab07c198f5d393ab584c22e4cf9a430460c3133da80bd22a9eb3e238ea4579ba1ca9e2618699468f43c16d0cba18cd4ccb6916545b20506154380b5305206159cac627f842c218e74b5a6355594418eb526cc5588bc6e05611e7134d20c29477ac91006c28d8bf8fd4791cf21e863617396648f8dc1653a34d1dcc66cc36949c458b57b6369701500700152ea416cd9c6561785efcea6ebb2309549901f1f48180a47e8ed6b1f22943d4aa797579bb1dac83a8fa111eb383b6a3c88647cc1a170d042479d6447f485634ccf51d0ec49c63296e9052b5fdf55a091c4ae4c1c83132b1be94af4a040f9bca45743b7b1c91bbb2ecb0005a72ee2808f11b9994541c0d4857d98247536ab9fbe039ba845b2915a3e5579577ec5735e293cb1c48ee075591a3bacfd498f474777aa75f90d67e562763eae03aa9d834dc579f03aa546797c6a7914da791580071ac72fc86bee5ab3c205808cc5690e1b4fde01e3dec0d2a96840fa97b8603bdbd80b7dba65c2aeca00ca4502042cb69104e0471c5e6243d68681a4c2087f337aba6d27bf788b2a010b201a10aa5c04de488a12b4c4f3c0aae29988b92e8a5320c5a31d88d09885310100972e41f0d48756f0477547126b33072b271bef3f94bcf72784cc4bc29708ed0b5956d995bcef24989899cb9f64b8149b58e2b1146f3cea5024497584ef31b842ae72bdb65be732b9c76400e26312c2ec1af3e734fa8b3ada3e1b69be696ab33844605be78ba6e06b6552fe18199015ce0ac3b0b0bb150f6a37150bbba039f481cb9172ac40fe65b2e2b0be7d6a40112be8779b6116c417f59b8b34371d348bed4f8479c169a03c3c9859b4a9dc5619889c51a287cadb8be6f3a611cd823c2f1232ebaceff1438e602091b4a1da53a934651924b3384b6fc565d085272e57fa157a528c3788b5c92830355cefa67eb677cea385772b54925b0927313c0d0166c6246cb58a9808836a82b001dcf1a6c88698056c2156273434fa8b180dc8a0706b1680440891c7120c3a2e335c3093b3d42e497dcc764a825c5a8b920b1a52d83a7c72cbc84af5aa42eb813703907c68cc856b2995896747ea2653e639e404943c5831dc243176e634d625a77b317bd9778920ff34f4234a01c2552c0b215dc38cf7c737d26ca4fd20816e3b823fc476b03472d760114f203be3297c137450b16aba4d4b909aa351c95a993ba78177ae8056f3b7643a179e32b1d510a3807934536723dc6a7cf84f9ab53f76f919861eb431e096aa09183055d607e17f76f5082c838ea9d5c289f9449514b822e336a0c257287952322e0337720935bf295600d00554bf8a8ccb155698075e7a2506eab03600b77c4940d126501f184a8cc209a92215828d159c9056ffa55531484517105ce921b31bca57c7d82a622db2e8d997443d32594628253f04bd394b809495af5e7a66047603aea0a1234082cb58611b8af73db38f9f56e2795881ddb36a82772eac8deafae49270650ed20950d2eaaa6c5807aaead43ed2affd8c15b08744bc2e8f232b2c31e5528600b9d1946e3f79d5b7c301ef7564f001d00204e01b68506a1eabc9f25990c72848a0bd241e5e6e8007630f44ac42c59def143001b00030200010000000f000d00000a7465737473736c2e7368")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("ANY")
+     minDhBits+=(2048)
+     maxDhBits+=(-1)
+     minRsaBits+=(2048)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(224)
+     curves+=("X25519MLKEM768:SecP256r1MLKEM768:curveSM2MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:curveSM2:ffdhe2048:ffdhe3072")
+     requiresSha2+=(true)
+     ja3+=("9d83c03b4e0bb6583e210243d9299756")
+     ja4+=("t13d301200_1d37bd780c83_e65f5f3178d9")
+     current+=(true)
+
+     names+=("Apple Mail (16.0)")
      short+=("apple_mail_16_0")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA")
      ciphersuites+=("")
@@ -930,6 +986,8 @@
      minEcdsaBits+=(-1)
      curves+=("secp256r1:secp384r1:secp521r1")
      requiresSha2+=(false)
+     ja3+=("e4d448cdfe06dc1243c1eb026c74ac9a")
+     ja4+=("t12d220700_0d4ca5d4ec72_3304d8368043")
      current+=(true)
 
      names+=("Thunderbird (60.6)")
@@ -996,6 +1054,8 @@
      minEcdsaBits+=(-1)
      curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
      requiresSha2+=(false)
+     ja3+=("490dba4384bdcf3fb9f1682374dd4afc")
+     ja4+=("t13d181400_e8a523a41297_3d5424432f57")
      current+=(true)
 
      names+=("Safari 12.1 (iOS 12.2)")
@@ -1042,6 +1102,30 @@
      ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
      current+=(true)
 
+     names+=("Safari 26.4 (iOS+iPadOS 26.4)")
+     short+=("safari_iOS_264")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     handshakebytes+=("16030105f8010005f40303ccd490ea737df0f6c3c37b7a4406fde51a9bbb3935adfb769d0a268f9ccf045d209e6a6487b908ed904f2469f72576327e6761f01be3b4b63ff91b97599638d4b7002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a010005818a8a00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c9a9a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed9a9a00010011ec04c0a8b2940f2396593a5a41ea200da120435a82a6d60315b2c5b8a42c9c6a4067e75558556f70b9449d80c9ce301aa583bc6cec861bfa5b1f71830db8bade05cc507bbe434a055a97a984e4ccf90082a60a5ed0594a1cf770b98367d04960ecd7092659157ac48f6f030fc7f477e70a8f6ab9ccad1778f3821e0bc5401ce7973c9169bfe8548a6c4ef0900c8722cb41c257b5e04cd69887ca87af8cccc06b20c5fb909777f61c4219480c8c2df36ba90348c6bc86821076a264404933443c1fd7c2f37c7b0bd4308d3a34b216cf72a48b22643b6b743b5241cb81f53f1df542117538cc360d7a85027ec620a69839492693860b3fc3085addda3b41dbbdf1a4ab42635d41b92913456fb65756e2d98451384f12485ee4259565016554b0c27e0845b1f21cf2fa3496ac95cf018fc22614d63391a4baa88dcc685ff54869135b0d0a1d0ed11faa61a9b8d4bd20d1166e117f129c32c62c9233eaa8e4695a5282c9635b4c9a70b37f351490c4377b83baae012d9016160f611e99832dafbaa80e500f41236797fa1faa3b0066c2030a60b44c809299d371ec11554be8226d846af9bc173d6800390b1b2353467572c9957c71987cc8e71525bba6c0f53269f443c50ab3a56feac803455f7c5024fd694c5df40b95929585fb348192890a3c1bf4381b48dc446857a986b953ce58af49c489c6c5703b39076b5333a662a8ecc13d26d1b546e97c94075ec369a9d133347439c74fdc5b3eb60db0215a2e4c6d751728eb8c9475c773f9b2cf34585e09cb343e8439fd545ccd77985f3a682427351c83842091a50526442e95cea30c589300491b984addfb00069c7d8568b2286a118a28472764835301bb2dd7a6eb69b5c2f4ad5ebc36432643329639c6e788cb071dd1a60cc0862da1751421b4bf43418e49b17f4d90911ba06bbd0a0eb5ea7e82b19f4a0982472c1433118d6de10ba0f4b150637bdf40c8fc6b2a28a73000cd53e70c6021452984b1a449554e8bb99cae522abc901e10188ae8146cef7a005b9a2699a9bf697c11a2f6c31788bb05b30d5d680f8a062fea91b74b66c569e247c1bcbe9ecc8e959cb6256420e705520ba44fc08c47ef47a2c79496dc948f1fd20fa0381a609408e9ab641b91b76c532e386021f0ca525516095981c4f3702c5deb659c32b11c4946963c6730b6a7ab27c13da54b0db049892247ea533663f910d9f23a79871bfef4077229af08f135825529c0361f8d95b64de58250b8c9e8cb6a81b73dd88075fe165b9d5409accc3c244173399b8cddc596d7211b8c053ae3b73f3f5b12a3e88e78544b2a24c5b84427bed31f3d5c6cbe642fced4552ff66a21e0affd33cd35ea0b36b2b88bb3a90c06694703b0efd134ee2c18b40c6684ec91aeeb688f038168722288a04f2ea08c824951b70a71567062ebbb89dd47526bcc41e5c7a1902322f2b89f19a2746fda046496029af13d03961dc721ac193053cb327af3817ac8367f645a0dff96299d05be978520a6f46895340d89a370fc429dde652495dba1b349a7a26ccf45bc9b2e97865d59414512812b967982ea6f052acd8b7403cdb784ac7c874eb98ee507b817889e5cc108d7fa2043f582f2aa09e34ac4bbc956ae70870eac58ebdb67640f0ebad2a249552ac1d24a56d9295dd7b63c43e37306bfcdaae4121d8db56bc745107bc6341157ac20c516e9fedd8fef9b380f001d00208b3bb0ab2bfee9de7b103e56e5a73607370655a92194a0fe13743790d944a92b002d00020101002b000706aaaa03040303001b0003020001fafa000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP")
+     curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+     minDhBits+=(-1)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     requiresSha2+=(false)
+     ja3+=("ecdf4f49dd59effc439639da29186671")
+     ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+     current+=(true)
+     # iOS/iPadOS is the same, see ja4
+
      names+=("Safari 12.1 (macOS 10.13.6)")
      short+=("safari_121_osx_10136")
      ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
@@ -1132,4 +1216,28 @@
      ja4+=("t13d2014h2_a09f3c656075_e42f34c56612")
      current+=(true)
 
+     names+=("Safari 26.4 (macOS 26.4)")
+     short+=("safari_264_osx_264")
+     ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA")
+     ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
+     ch_sni+=("$SNI")
+     warning+=("")
+     handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100")
+     protos+=("-no_ssl3 -no_ssl2")
+     tlsvers+=("-tls1_3 -tls1_2")
+     lowest_protocol+=("0x0303")
+     highest_protocol+=("0x0304")
+     alpn+=("h2,http/1.1")
+     service+=("HTTP")
+     curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1")
+     minDhBits+=(1024)
+     maxDhBits+=(-1)
+     minRsaBits+=(-1)
+     maxRsaBits+=(-1)
+     minEcdsaBits+=(-1)
+     requiresSha2+=(false)
+     ja3+=("000a000e000c5a5a11ec001d001700180019")
+     ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d")
+     current+=(true)
+
 
diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
index d19a8c362..3b5064982 100644
--- a/t/baseline_data/default_testssl.csvfile
+++ b/t/baseline_data/default_testssl.csvfile
@@ -106,8 +106,7 @@
 "clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-android_15","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-chrome_101_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
@@ -119,19 +118,18 @@
 "clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
 "clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_184_ios_184","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-safari_154_osx_1231","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-java_7u25","testssl.sh/81.169.235.32","443","INFO","No connection","",""
 "clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-java_1703","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
-"clientsimulation-java_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
 "clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
+"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
 "clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","",""
 "clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""
diff --git a/testssl.sh b/testssl.sh
index 00325f5ca..7fddfd10b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -5272,25 +5272,25 @@ run_client_simulation() {
           pr_headlineln "via sockets "
      else
           pr_headline "via openssl "
-          prln_warning " -- pls note \"--ssl-native\" will return some false results"
-          fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
+          prln_warning " -- pls note \"--ssl-native\" will likely return false results"
+          fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will likely get false results"
           ret=1
      fi
      outln
      debugme echo
 
      if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then
-          out " Browser                      Protocol  Cipher Suite Name (OpenSSL)       "
+          out " Browser/Client                      Protocol  Cipher Suite Name (OpenSSL)       "
           { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy"
           outln
-          out "--------------------------------------------------------------------------"
+          out "---------------------------------------------------------------------------------"
      else
-          out " Browser                      Protocol  Cipher Suite Name (IANA/RFC)                      "
+          out " Browser/Client                      Protocol  Cipher Suite Name (IANA/RFC)                      "
           { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy"
           outln
-          out "------------------------------------------------------------------------------------------"
+          out "-------------------------------------------------------------------------------------------------"
      fi
-     { "$using_sockets" || "$HAS_DH_BITS"; } && out "----------------------"
+     { "$using_sockets" || "$HAS_DH_BITS"; } && out "-----------------------"
      outln
      if ! "$using_sockets"; then
           # We can't use the connectivity checker here as of now the openssl reply is always empty (reason??)
@@ -5302,7 +5302,7 @@ run_client_simulation() {
           if "${current[i]}" || "$ALL_CLIENTS" ; then
                # for ANY we test this service or if the service we determined from STARTTLS matches
                if [[ "${service[i]}" == ANY ]] || [[ "${service[i]}" =~ $client_service ]]; then
-                    out " $(printf -- "%-29s" "${names[i]}")"
+                    out " $(printf -- "%-36s" "${names[i]}")"
                     if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then
                          client_simulation_sockets "${handshakebytes[i]}"
                          sclient_success=$?