From 60131b4b5d216f07a8549f6482f3d0eb1b035b17 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 15 May 2026 21:28:54 +0200 Subject: [PATCH 01/11] - Update Apple Client Simulations --- etc/client-simulation.txt | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 7b603a01f..1a7238efd 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -2537,7 +2537,7 @@ names+=("Opera 66 (Win 10)") minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) - requiresSha2+=(false) + requiresSha2+=(true) ja3+=("773906b0efdefa24a7f2b8eb6985bf37") ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) @@ -2648,9 +2648,9 @@ names+=("Opera 66 (Win 10)") maxRsaBits+=(-1) minEcdsaBits+=(-1) requiresSha2+=(false) - current+=(true) + current+=(false) - names+=("Safari 18.4 (macOS 15.4)") + names+=("Safari 18.4 (macOS 15.4/iOS 18.4)") short+=("safari_184_osx_154") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") @@ -2674,6 +2674,31 @@ names+=("Opera 66 (Win 10)") ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) + names+=("Safari 26.4 (macOS 26.4)") + short+=("safari_264_osx_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100") + protos+=("-no_ssl3 -no_ssl2 -tls1_1 -tls1") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("000a000e000c5a5a11ec001d001700180019 + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + + names+=("Apple ATS 9 iOS 9") short+=("apple_ats_9_ios9") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA") From 14e8df3fab8818b6452f9bd4dc09791fce58c7fc Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 15 May 2026 21:30:07 +0200 Subject: [PATCH 02/11] Update readme wrt ja3/ja4 + imotr tweaks --- etc/client-simulation.wiresharked.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md index 8d8e11cca..715341dd0 100644 --- a/etc/client-simulation.wiresharked.md +++ b/etc/client-simulation.wiresharked.md @@ -12,18 +12,19 @@ testssl.sh uses the file `client-simulation.txt`. Previously we queried the SSLl * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure it's the right traffic. * Edit `client-simulation.wiresharked.txt` and insert a new section, preferably by copying a previous version of the client. * Edit the *names* accordingly and the *short* description. The latter must not contain blanks. -* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* --> Copy --> As a hex stream. +* Retrieve *handshakebytes* by marking the *TLS 1.x Record Layer* in wireshark --> Copy --> As a hex stream. * For *ch_ciphers*: mark *Cipher Suites* --> Copy --> As a hex stream and supply it to `~/utils/hexstream2cipher.sh`. The last line contains the ciphers which you need to copy. For consistency reasons it is preferred you remove the TLS 1.3 ciphers before which start with TLS\*. . The GREASE "ciphers" (?a?a) which you may see in the very beginning don't show up here. -* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normallky like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. +* *ciphersuites* are TLS 1.3 ciphersuites which you omitted previously. You can identify them as they currently are normally like 0x13\*\*. Retrieve them from above see `~/utils/hexstream2cipher.sh`. As said, they start with TLS\*. * For *curves* mark the *Supported Groups* TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`. Copy the last line into *curves*. * Figure out *protos* and *tlsvers* by looking at the *supported_versions* TLS extension (43=0x002b). May work only with recent clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 listed only TLS 1.2/1.3). * Adjust *lowest_protocol* and *highest_protocol* accordingly (0301=TLS 1.0, 0302=TLS 1.1, 0303=TLS 1.2, 0304=TLS 1.3) -* Review TLS extension 13 (=0x000d) "signature_algorithm" whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. +* Review TLS extension "signature_algorithm" 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not *requiresSha2* is true. * Leave *maxDhBits*/*minDhBits* and *minRsaBits*/*maxRsaBit* at -1, unless you know for sure what the client can handle. * Retrieve *alpn* by looking at the *application_layer_protocol_negotiation* TLS extension 16 (=0x0010). -* When using wireshark, copy also the ja3 and ja4 values accordingly (copy --> value), see e.g. like *java_80442*. This could be used in the future. -* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* Figure out the *services* by applying a good piece of human logic. Or have a look at a different version of the client. Any (modern) browser is probably "HTTP", OpenSSL or Java "ANY" whereas mail clients as Thunderbird support a variety of protocols. +* For ja3 and ja4: This is to uniquely identify the client handshake. Also we can consolidate client handshake section (see e.g. Android 13 = Android 14). Retrieve *ja3* or *ja4* by using Copy --> value. * When you're done copy your inserted section from `client-simulation.wiresharked.txt` into `client-simulation.txt`. * Before submitting a PR: test it yourself! You can also watch it again via wireshark. +The license of self harvested client simulations is the same as the whole tool see ../LICENSE . From 7be3897437bf84d48df5364ff13b3cffa613b0c9 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 15 May 2026 21:31:06 +0200 Subject: [PATCH 03/11] Update MacOS/Safari 26.4 it has PQC kx finally, whohoo --- etc/client-simulation.wiresharked.txt | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index aa3fde6b8..ca487f37d 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -1132,4 +1132,28 @@ ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) + names+=("Safari 26.4 (macOS 26.4)") + short+=("safari_264_osx_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100") + protos+=("-no_ssl3 -no_ssl2 -tls1_1 -tls1") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("sect283r1:sect571r1:sect409r1::X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + minDhBits+=(1024) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("000a000e000c5a5a11ec001d001700180019 + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + From dd4c0b371d638b9f1fe03ba6af1cb0841743a600 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 16 May 2026 16:04:13 +0200 Subject: [PATCH 04/11] Handshakes for iOS + iPadOS 26.4. added --- etc/client-simulation.txt | 29 ++++++++++++++++++++++++--- etc/client-simulation.wiresharked.txt | 27 +++++++++++++++++++++++-- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 1a7238efd..6d7213893 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -2540,7 +2540,7 @@ names+=("Opera 66 (Win 10)") requiresSha2+=(true) ja3+=("773906b0efdefa24a7f2b8eb6985bf37") ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") - current+=(true) + current+=(false) names+=("Safari 10 OS X 10.12") short+=("safari_10_osx1012") @@ -2584,6 +2584,29 @@ names+=("Opera 66 (Win 10)") requiresSha2+=(false) current+=(false) + names+=("Safari 26.4 (iOS+iPadOS 26.4)") + short+=("safari_iOS_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + handshakebytes+=("16030105f8010005f40303ccd490ea737df0f6c3c37b7a4406fde51a9bbb3935adfb769d0a268f9ccf045d209e6a6487b908ed904f2469f72576327e6761f01be3b4b63ff91b97599638d4b7002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a010005818a8a00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c9a9a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed9a9a00010011ec04c0a8b2940f2396593a5a41ea200da120435a82a6d60315b2c5b8a42c9c6a4067e75558556f70b9449d80c9ce301aa583bc6cec861bfa5b1f71830db8bade05cc507bbe434a055a97a984e4ccf90082a60a5ed0594a1cf770b98367d04960ecd7092659157ac48f6f030fc7f477e70a8f6ab9ccad1778f3821e0bc5401ce7973c9169bfe8548a6c4ef0900c8722cb41c257b5e04cd69887ca87af8cccc06b20c5fb909777f61c4219480c8c2df36ba90348c6bc86821076a264404933443c1fd7c2f37c7b0bd4308d3a34b216cf72a48b22643b6b743b5241cb81f53f1df542117538cc360d7a85027ec620a69839492693860b3fc3085addda3b41dbbdf1a4ab42635d41b92913456fb65756e2d98451384f12485ee4259565016554b0c27e0845b1f21cf2fa3496ac95cf018fc22614d63391a4baa88dcc685ff54869135b0d0a1d0ed11faa61a9b8d4bd20d1166e117f129c32c62c9233eaa8e4695a5282c9635b4c9a70b37f351490c4377b83baae012d9016160f611e99832dafbaa80e500f41236797fa1faa3b0066c2030a60b44c809299d371ec11554be8226d846af9bc173d6800390b1b2353467572c9957c71987cc8e71525bba6c0f53269f443c50ab3a56feac803455f7c5024fd694c5df40b95929585fb348192890a3c1bf4381b48dc446857a986b953ce58af49c489c6c5703b39076b5333a662a8ecc13d26d1b546e97c94075ec369a9d133347439c74fdc5b3eb60db0215a2e4c6d751728eb8c9475c773f9b2cf34585e09cb343e8439fd545ccd77985f3a682427351c83842091a50526442e95cea30c589300491b984addfb00069c7d8568b2286a118a28472764835301bb2dd7a6eb69b5c2f4ad5ebc36432643329639c6e788cb071dd1a60cc0862da1751421b4bf43418e49b17f4d90911ba06bbd0a0eb5ea7e82b19f4a0982472c1433118d6de10ba0f4b150637bdf40c8fc6b2a28a73000cd53e70c6021452984b1a449554e8bb99cae522abc901e10188ae8146cef7a005b9a2699a9bf697c11a2f6c31788bb05b30d5d680f8a062fea91b74b66c569e247c1bcbe9ecc8e959cb6256420e705520ba44fc08c47ef47a2c79496dc948f1fd20fa0381a609408e9ab641b91b76c532e386021f0ca525516095981c4f3702c5deb659c32b11c4946963c6730b6a7ab27c13da54b0db049892247ea533663f910d9f23a79871bfef4077229af08f135825529c0361f8d95b64de58250b8c9e8cb6a81b73dd88075fe165b9d5409accc3c244173399b8cddc596d7211b8c053ae3b73f3f5b12a3e88e78544b2a24c5b84427bed31f3d5c6cbe642fced4552ff66a21e0affd33cd35ea0b36b2b88bb3a90c06694703b0efd134ee2c18b40c6684ec91aeeb688f038168722288a04f2ea08c824951b70a71567062ebbb89dd47526bcc41e5c7a1902322f2b89f19a2746fda046496029af13d03961dc721ac193053cb327af3817ac8367f645a0dff96299d05be978520a6f46895340d89a370fc429dde652495dba1b349a7a26ccf45bc9b2e97865d59414512812b967982ea6f052acd8b7403cdb784ac7c874eb98ee507b817889e5cc108d7fa2043f582f2aa09e34ac4bbc956ae70870eac58ebdb67640f0ebad2a249552ac1d24a56d9295dd7b63c43e37306bfcdaae4121d8db56bc745107bc6341157ac20c516e9fedd8fef9b380f001d00208b3bb0ab2bfee9de7b103e56e5a73607370655a92194a0fe13743790d944a92b002d00020101002b000706aaaa03040303001b0003020001fafa000100") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("ecdf4f49dd59effc439639da29186671") + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + names+=("Safari 12.1 (macOS 10.13.6)") short+=("safari_121_osx_10136") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") @@ -2681,7 +2704,7 @@ names+=("Opera 66 (Win 10)") ch_sni+=("$SNI") warning+=("") handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100") - protos+=("-no_ssl3 -no_ssl2 -tls1_1 -tls1") + protos+=("-no_ssl3 -no_ssl2") tlsvers+=("-tls1_3 -tls1_2") lowest_protocol+=("0x0303") highest_protocol+=("0x0304") @@ -2694,7 +2717,7 @@ names+=("Opera 66 (Win 10)") maxRsaBits+=(-1) minEcdsaBits+=(-1) requiresSha2+=(false) - ja3+=("000a000e000c5a5a11ec001d001700180019 + ja3+=("000a000e000c5a5a11ec001d001700180019") ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") current+=(true) diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index ca487f37d..d0669ecde 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -1042,6 +1042,29 @@ ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) + names+=("Safari 26.4 (iOS+iPadOS 26.4)") + short+=("safari_iOS_264") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + handshakebytes+=("16030105f8010005f40303ccd490ea737df0f6c3c37b7a4406fde51a9bbb3935adfb769d0a268f9ccf045d209e6a6487b908ed904f2469f72576327e6761f01be3b4b63ff91b97599638d4b7002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a010005818a8a00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c9a9a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed9a9a00010011ec04c0a8b2940f2396593a5a41ea200da120435a82a6d60315b2c5b8a42c9c6a4067e75558556f70b9449d80c9ce301aa583bc6cec861bfa5b1f71830db8bade05cc507bbe434a055a97a984e4ccf90082a60a5ed0594a1cf770b98367d04960ecd7092659157ac48f6f030fc7f477e70a8f6ab9ccad1778f3821e0bc5401ce7973c9169bfe8548a6c4ef0900c8722cb41c257b5e04cd69887ca87af8cccc06b20c5fb909777f61c4219480c8c2df36ba90348c6bc86821076a264404933443c1fd7c2f37c7b0bd4308d3a34b216cf72a48b22643b6b743b5241cb81f53f1df542117538cc360d7a85027ec620a69839492693860b3fc3085addda3b41dbbdf1a4ab42635d41b92913456fb65756e2d98451384f12485ee4259565016554b0c27e0845b1f21cf2fa3496ac95cf018fc22614d63391a4baa88dcc685ff54869135b0d0a1d0ed11faa61a9b8d4bd20d1166e117f129c32c62c9233eaa8e4695a5282c9635b4c9a70b37f351490c4377b83baae012d9016160f611e99832dafbaa80e500f41236797fa1faa3b0066c2030a60b44c809299d371ec11554be8226d846af9bc173d6800390b1b2353467572c9957c71987cc8e71525bba6c0f53269f443c50ab3a56feac803455f7c5024fd694c5df40b95929585fb348192890a3c1bf4381b48dc446857a986b953ce58af49c489c6c5703b39076b5333a662a8ecc13d26d1b546e97c94075ec369a9d133347439c74fdc5b3eb60db0215a2e4c6d751728eb8c9475c773f9b2cf34585e09cb343e8439fd545ccd77985f3a682427351c83842091a50526442e95cea30c589300491b984addfb00069c7d8568b2286a118a28472764835301bb2dd7a6eb69b5c2f4ad5ebc36432643329639c6e788cb071dd1a60cc0862da1751421b4bf43418e49b17f4d90911ba06bbd0a0eb5ea7e82b19f4a0982472c1433118d6de10ba0f4b150637bdf40c8fc6b2a28a73000cd53e70c6021452984b1a449554e8bb99cae522abc901e10188ae8146cef7a005b9a2699a9bf697c11a2f6c31788bb05b30d5d680f8a062fea91b74b66c569e247c1bcbe9ecc8e959cb6256420e705520ba44fc08c47ef47a2c79496dc948f1fd20fa0381a609408e9ab641b91b76c532e386021f0ca525516095981c4f3702c5deb659c32b11c4946963c6730b6a7ab27c13da54b0db049892247ea533663f910d9f23a79871bfef4077229af08f135825529c0361f8d95b64de58250b8c9e8cb6a81b73dd88075fe165b9d5409accc3c244173399b8cddc596d7211b8c053ae3b73f3f5b12a3e88e78544b2a24c5b84427bed31f3d5c6cbe642fced4552ff66a21e0affd33cd35ea0b36b2b88bb3a90c06694703b0efd134ee2c18b40c6684ec91aeeb688f038168722288a04f2ea08c824951b70a71567062ebbb89dd47526bcc41e5c7a1902322f2b89f19a2746fda046496029af13d03961dc721ac193053cb327af3817ac8367f645a0dff96299d05be978520a6f46895340d89a370fc429dde652495dba1b349a7a26ccf45bc9b2e97865d59414512812b967982ea6f052acd8b7403cdb784ac7c874eb98ee507b817889e5cc108d7fa2043f582f2aa09e34ac4bbc956ae70870eac58ebdb67640f0ebad2a249552ac1d24a56d9295dd7b63c43e37306bfcdaae4121d8db56bc745107bc6341157ac20c516e9fedd8fef9b380f001d00208b3bb0ab2bfee9de7b103e56e5a73607370655a92194a0fe13743790d944a92b002d00020101002b000706aaaa03040303001b0003020001fafa000100") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("HTTP") + curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1:secp521r1") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + requiresSha2+=(false) + ja3+=("ecdf4f49dd59effc439639da29186671") + ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") + current+=(true) + names+=("Safari 12.1 (macOS 10.13.6)") short+=("safari_121_osx_10136") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") @@ -1139,7 +1162,7 @@ ch_sni+=("$SNI") warning+=("") handshakebytes+=("16030105f8010005f40303b4dbdb8ec1f12ac0b2b051de0e9c438c931404cb3e7c5036762eb9d1e0c74a1c205090ccbe3532e27baae772f349e729984f386238d267294709b1cf8899be70e9002a3a3a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581dada00000000000f000d00000a7465737473736c2e736800170000ff01000100000a000e000c5a5a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed5a5a00010011ec04c064588689449470a03892dac2b22650fcf58f31e3304ed0140a942580782f6b74011d255f5b1384a62274938b2ece41a4480074ced5b45e52045d554c4d72546c959a579b28c272476ae585a4086012d698aa8c08a7721800d8cbe9c5376a4bc382a20c6039b9b2f0308763ce2cf87cd4a5c9ee0891e1cc1ecde47c2b291db08a24dbbb342431c22dab288d1722ef84051584bbddbb8d26c3321c12bd814819f9903949961356213b8dac9a106663ca8005035232bd9b467a864827d1849454a60050448d3b967ce3260ff2035a41bb6a0cbc62c913e6f67cdce39228a25bd60b3c10f93c6b6099e957176d65798de671c270b6bb689d410b376916658b455996e34ebf354028633aa3d86b3309441cd75e89c323a5cba761271c91602616f8045e7161e092784174c507f08eba478d3145a70162691bf254bd62735dca985ed50046a06f674b4d9cc8640da4abb30bc090c11755e37ccbd156e1a2c110b89a41a8073457581f7b3542908847b14d857b3f900c5dacaa0604e12d599315550b1601240f88d8984f99844ba405b14872ff55b6eea99693cccf5721241b99af2886436b584f73c789dfa7600386ca065505bffb4589a61244435985308c802543df72c6963100453572521518e4f6bf4293502540ae6a62940f4454a442b682e734e9b4bd9237b84fb9ae0818775e34cc2b146c96dc6c21012912d418f5c7005135cbbd199c0811c6a6d0be62a50dcb52186b93770fc5679ef93bbe7277a6b3470a7b5e064c8e05fc8ea9c7b70fd9396952442f8195d7361c1534bc3b96addc7ccff980702c239591eb8d27c71ce796c2f8c88075000f86e1c568fb6fd636b1e0218f1e93942bda476f751fb4268d01ca0826d94f887866298cce23b40ec8194b856944c17591da1977ee8c3806142f595b6a24bab8fd3b356c96c0a9d7340be89cf9782d285a01aed87039055ffc4a29edf0a83c4a343efc1170855bd7bba12429253ccb46aea81ee9d19d6de735e5f07bc2b522279bb59a62c230139ce6a99d435c7b01e204d96134362c96775bbdb1e63526656676f10931e47628412e42c15f3208bb8fb37abf282cedb5140cf086e7a5b0b870cc57d2a02c569885b7775806176927b1ed0bbaecf1114d352b0233bfc62c651d683ad76c36c6664f4ca355746b3ff48a77be49ac18e452cec34b894350a4815d3dd6b93f173a52c391eaa2586d2c7f1c9721dce63c8f6cbdfce840b5578ef53584044ccd4139504254a6524c5a0ada102c87af47f82eec48405b967333b4b0c3b10a2dda7877e9319ae07a10720c08f7b5ccc49a33623def69816499a4ce14a0f54702ef4c8998f1b3fa199d7cc95d34011967f93d14833903074f5d65caf065b7a59b02f4161251f5bbd65b4286476f1e848f0bf24f3002c2f84164507073d7a59ad9636006a73f11f4153c9b5f23028db8b822ba408f5a122ac3948345d0804b8678aa17a3b19461a4452a61f10ed449a5d787bcd5c3451e4594df6a218e013d594201ea70bd8e25aad056818b41896d44bc71671e8e16bfbff186c1696c4dd98a7ae1a0189c16d0480320d853d3293108e73778988bf8809594966b8da2a3c6a1523fb47655da7e071c108ff639db75aeb68f1eea74ce1a3029857bad2bcc88463a53e48ec64d33ba737ddac87efa7ad1e6a5df39884d03b8f40cd40c12f7cc72c2fa0f370861d1895834001d0020c7036f6f20750cd9c8a5b627ea74ba5dedc98e8be653d3ebd76d4ad3631f783e002d00020101002b0007066a6a03040303001b0003020001fafa000100") - protos+=("-no_ssl3 -no_ssl2 -tls1_1 -tls1") + protos+=("-no_ssl3 -no_ssl2") tlsvers+=("-tls1_3 -tls1_2") lowest_protocol+=("0x0303") highest_protocol+=("0x0304") @@ -1152,7 +1175,7 @@ maxRsaBits+=(-1) minEcdsaBits+=(-1) requiresSha2+=(false) - ja3+=("000a000e000c5a5a11ec001d001700180019 + ja3+=("000a000e000c5a5a11ec001d001700180019") ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") current+=(true) From a35e9f816d3926a1a55dfc8c546ffebbb2e16804 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 16 May 2026 16:14:24 +0200 Subject: [PATCH 05/11] Broaden table for client simulation ... as some clients are the same and space wasn't enough. --- testssl.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 00325f5ca..9c6ef52a0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5272,23 +5272,23 @@ run_client_simulation() { pr_headlineln "via sockets " else pr_headline "via openssl " - prln_warning " -- pls note \"--ssl-native\" will return some false results" - fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results" + prln_warning " -- pls note \"--ssl-native\" will likely return false results" + fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will likely get false results" ret=1 fi outln debugme echo if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then - out " Browser Protocol Cipher Suite Name (OpenSSL) " + out " Browser/Client Protocol Cipher Suite Name (OpenSSL) " { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy" outln - out "--------------------------------------------------------------------------" + out "--------------------------------------------------------------------------------" else - out " Browser Protocol Cipher Suite Name (IANA/RFC) " + out " Browser/Client Protocol Cipher Suite Name (IANA/RFC) " { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy" outln - out "------------------------------------------------------------------------------------------" + out "------------------------------------------------------------------------------------------------" fi { "$using_sockets" || "$HAS_DH_BITS"; } && out "----------------------" outln @@ -5302,7 +5302,7 @@ run_client_simulation() { if "${current[i]}" || "$ALL_CLIENTS" ; then # for ANY we test this service or if the service we determined from STARTTLS matches if [[ "${service[i]}" == ANY ]] || [[ "${service[i]}" =~ $client_service ]]; then - out " $(printf -- "%-29s" "${names[i]}")" + out " $(printf -- "%-35s" "${names[i]}")" if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then client_simulation_sockets "${handshakebytes[i]}" sclient_success=$? From 56e4a74485a5952904b28839db6b94c62a5acec5 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sun, 17 May 2026 15:23:42 +0200 Subject: [PATCH 06/11] Add OpenSSL 4.0 --- etc/client-simulation.txt | 24 ++++++++++++++++++++++++ etc/client-simulation.wiresharked.txt | 26 +++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 1 deletion(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 6d7213893..84146d0f7 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -3330,6 +3330,30 @@ names+=("Opera 66 (Win 10)") ja4+=("t13d301100_1d37bd780c83_8e6e362c5eac") current+=(true) + names+=("OpenSSL 4.0.0 (git)") + short+=("openssl_400") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("160301060f0100060b030372c25784c36596289766688a697c0e9cf42227867ca997d6c032f06aee51495620858b64eeb9d87bc2f9abb060999c9ded0ef8fc3aa8f483f7a8f289827095b7cf003c130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f01000586ff01000100000b00020100000a0018001611ec11eb11ee001d0017001e00180019002901000101002300000016000000170000000d0038003609050906090404030503060308070808081a081b081c0809080a080b0804080508060401050106010303030103020402050206020708002b00050403040303002d00020101003304ea04e811ec04c0608abaa87c03d79b928e5b2c7afc0082c1910d0b043a743df2198d40170b4376183b28302ca08162367ec465acd42049e675cdd7f2053b55ae4bc9b8882224d12c471220a10e7bb2317646de27a3679616df2a1145334368562ad0ab9fe2a942e42c3d1111ab07c198f5d393ab584c22e4cf9a430460c3133da80bd22a9eb3e238ea4579ba1ca9e2618699468f43c16d0cba18cd4ccb6916545b20506154380b5305206159cac627f842c218e74b5a6355594418eb526cc5588bc6e05611e7134d20c29477ac91006c28d8bf8fd4791cf21e863617396648f8dc1653a34d1dcc66cc36949c458b57b6369701500700152ea416cd9c6561785efcea6ebb2309549901f1f48180a47e8ed6b1f22943d4aa797579bb1dac83a8fa111eb383b6a3c88647cc1a170d042479d6447f485634ccf51d0ec49c63296e9052b5fdf55a091c4ae4c1c83132b1be94af4a040f9bca45743b7b1c91bbb2ecb0005a72ee2808f11b9994541c0d4857d98247536ab9fbe039ba845b2915a3e5579577ec5735e293cb1c48ee075591a3bacfd498f474777aa75f90d67e562763eae03aa9d834dc579f03aa546797c6a7914da791580071ac72fc86bee5ab3c205808cc5690e1b4fde01e3dec0d2a96840fa97b8603bdbd80b7dba65c2aeca00ca4502042cb69104e0471c5e6243d68681a4c2087f337aba6d27bf788b2a010b201a10aa5c04de488a12b4c4f3c0aae29988b92e8a5320c5a31d88d09885310100972e41f0d48756f0477547126b33072b271bef3f94bcf72784cc4bc29708ed0b5956d995bcef24989899cb9f64b8149b58e2b1146f3cea5024497584ef31b842ae72bdb65be732b9c76400e26312c2ec1af3e734fa8b3ada3e1b69be696ab33844605be78ba6e06b6552fe18199015ce0ac3b0b0bb150f6a37150bbba039f481cb9172ac40fe65b2e2b0be7d6a40112be8779b6116c417f59b8b34371d348bed4f8479c169a03c3c9859b4a9dc5619889c51a287cadb8be6f3a611cd823c2f1232ebaceff1438e602091b4a1da53a934651924b3384b6fc565d085272e57fa157a528c3788b5c92830355cefa67eb677cea385772b54925b0927313c0d0166c6246cb58a9808836a82b001dcf1a6c88698056c2156273434fa8b180dc8a0706b1680440891c7120c3a2e335c3093b3d42e497dcc764a825c5a8b920b1a52d83a7c72cbc84af5aa42eb813703907c68cc856b2995896747ea2653e639e404943c5831dc243176e634d625a77b317bd9778920ff34f4234a01c2552c0b215dc38cf7c737d26ca4fd20816e3b823fc476b03472d760114f203be3297c137450b16aba4d4b909aa351c95a993ba78177ae8056f3b7643a179e32b1d510a3807934536723dc6a7cf84f9ab53f76f919861eb431e096aa09183055d607e17f76f5082c838ea9d5c289f9449514b822e336a0c257287952322e0337720935bf295600d00554bf8a8ccb155698075e7a2506eab03600b77c4940d126501f184a8cc209a92215828d159c9056ffa55531484517105ce921b31bca57c7d82a622db2e8d997443d32594628253f04bd394b809495af5e7a66047603aea0a1234082cb58611b8af73db38f9f56e2795881ddb36a82772eac8deafae49270650ed20950d2eaaa6c5807aaead43ed2affd8c15b08744bc2e8f232b2c31e5528600b9d1946e3f79d5b7c301ef7564f001d00204e01b68506a1eabc9f25990c72848a0bd241e5e6e8007630f44ac42c59def143001b00030200010000000f000d00000a7465737473736c2e7368") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(2048) + maxDhBits+=(-1) + minRsaBits+=(2048) + maxRsaBits+=(-1) + minEcdsaBits+=(224) + curves+=("X25519MLKEM768:SecP256r1MLKEM768:curveSM2MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:curveSM2:ffdhe2048:ffdhe3072") + requiresSha2+=(true) + ja3+=("9d83c03b4e0bb6583e210243d9299756") + ja4+=("t13d301200_1d37bd780c83_e65f5f3178d9") + current+=(true) + names+=("Apple Mail (16.0)") short+=("apple_mail_16_0") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index d0669ecde..90cc251ac 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -910,7 +910,31 @@ ja4+=("t13d301100_1d37bd780c83_8e6e362c5eac") current+=(true) - names+=("Apple Mail (16.0)") + names+=("OpenSSL 4.0.0 (git)") + short+=("openssl_400") + ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") + ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("160301060f0100060b030372c25784c36596289766688a697c0e9cf42227867ca997d6c032f06aee51495620858b64eeb9d87bc2f9abb060999c9ded0ef8fc3aa8f483f7a8f289827095b7cf003c130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f01000586ff01000100000b00020100000a0018001611ec11eb11ee001d0017001e00180019002901000101002300000016000000170000000d0038003609050906090404030503060308070808081a081b081c0809080a080b0804080508060401050106010303030103020402050206020708002b00050403040303002d00020101003304ea04e811ec04c0608abaa87c03d79b928e5b2c7afc0082c1910d0b043a743df2198d40170b4376183b28302ca08162367ec465acd42049e675cdd7f2053b55ae4bc9b8882224d12c471220a10e7bb2317646de27a3679616df2a1145334368562ad0ab9fe2a942e42c3d1111ab07c198f5d393ab584c22e4cf9a430460c3133da80bd22a9eb3e238ea4579ba1ca9e2618699468f43c16d0cba18cd4ccb6916545b20506154380b5305206159cac627f842c218e74b5a6355594418eb526cc5588bc6e05611e7134d20c29477ac91006c28d8bf8fd4791cf21e863617396648f8dc1653a34d1dcc66cc36949c458b57b6369701500700152ea416cd9c6561785efcea6ebb2309549901f1f48180a47e8ed6b1f22943d4aa797579bb1dac83a8fa111eb383b6a3c88647cc1a170d042479d6447f485634ccf51d0ec49c63296e9052b5fdf55a091c4ae4c1c83132b1be94af4a040f9bca45743b7b1c91bbb2ecb0005a72ee2808f11b9994541c0d4857d98247536ab9fbe039ba845b2915a3e5579577ec5735e293cb1c48ee075591a3bacfd498f474777aa75f90d67e562763eae03aa9d834dc579f03aa546797c6a7914da791580071ac72fc86bee5ab3c205808cc5690e1b4fde01e3dec0d2a96840fa97b8603bdbd80b7dba65c2aeca00ca4502042cb69104e0471c5e6243d68681a4c2087f337aba6d27bf788b2a010b201a10aa5c04de488a12b4c4f3c0aae29988b92e8a5320c5a31d88d09885310100972e41f0d48756f0477547126b33072b271bef3f94bcf72784cc4bc29708ed0b5956d995bcef24989899cb9f64b8149b58e2b1146f3cea5024497584ef31b842ae72bdb65be732b9c76400e26312c2ec1af3e734fa8b3ada3e1b69be696ab33844605be78ba6e06b6552fe18199015ce0ac3b0b0bb150f6a37150bbba039f481cb9172ac40fe65b2e2b0be7d6a40112be8779b6116c417f59b8b34371d348bed4f8479c169a03c3c9859b4a9dc5619889c51a287cadb8be6f3a611cd823c2f1232ebaceff1438e602091b4a1da53a934651924b3384b6fc565d085272e57fa157a528c3788b5c92830355cefa67eb677cea385772b54925b0927313c0d0166c6246cb58a9808836a82b001dcf1a6c88698056c2156273434fa8b180dc8a0706b1680440891c7120c3a2e335c3093b3d42e497dcc764a825c5a8b920b1a52d83a7c72cbc84af5aa42eb813703907c68cc856b2995896747ea2653e639e404943c5831dc243176e634d625a77b317bd9778920ff34f4234a01c2552c0b215dc38cf7c737d26ca4fd20816e3b823fc476b03472d760114f203be3297c137450b16aba4d4b909aa351c95a993ba78177ae8056f3b7643a179e32b1d510a3807934536723dc6a7cf84f9ab53f76f919861eb431e096aa09183055d607e17f76f5082c838ea9d5c289f9449514b822e336a0c257287952322e0337720935bf295600d00554bf8a8ccb155698075e7a2506eab03600b77c4940d126501f184a8cc209a92215828d159c9056ffa55531484517105ce921b31bca57c7d82a622db2e8d997443d32594628253f04bd394b809495af5e7a66047603aea0a1234082cb58611b8af73db38f9f56e2795881ddb36a82772eac8deafae49270650ed20950d2eaaa6c5807aaead43ed2affd8c15b08744bc2e8f232b2c31e5528600b9d1946e3f79d5b7c301ef7564f001d00204e01b68506a1eabc9f25990c72848a0bd241e5e6e8007630f44ac42c59def143001b00030200010000000f000d00000a7465737473736c2e7368") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(2048) + maxDhBits+=(-1) + minRsaBits+=(2048) + maxRsaBits+=(-1) + minEcdsaBits+=(224) + curves+=("X25519MLKEM768:SecP256r1MLKEM768:curveSM2MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:curveSM2:ffdhe2048:ffdhe3072") + requiresSha2+=(true) + ja3+=("9d83c03b4e0bb6583e210243d9299756") + ja4+=("t13d301200_1d37bd780c83_e65f5f3178d9") + current+=(true) + + names+=("Apple Mail (16.0)") short+=("apple_mail_16_0") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") ciphersuites+=("") From 7897cdcd84ac82f71e70b7384977d3bc4734062c Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 18 May 2026 16:50:06 +0200 Subject: [PATCH 07/11] Android 16 As mentioned in the comment: For Androids ja3 is is not unique, probably because of GREASE. One can add two handshakes after another and they are different. ja4 seems more consistent here. This should be kept in mind for all clients "supplying some grease" --- etc/client-simulation.txt | 26 ++++++++++++++++++++++++++ etc/client-simulation.wiresharked.txt | 25 +++++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 84146d0f7..9a6eab127 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -332,6 +332,32 @@ requiresSha2+=(true) ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5") ja4+=("t13d1517h2_8daaf6152771_b6f405a00624") + # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. + current+=(true) + + names+=("Android 16 (native)") + short+=("android_16") + ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("16030107130100070f0303a80e8116ef08e859a5660ef369403922257044938f3dc4801497a4ff86ae1e6520b7d9e84e0116f07f3ea7b9b31be7d49578864802be4199920af028a7bf1df50800205a5a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010006a67a7a0000000b00020100002b000706baba0304030300170000ff01000100003304ef04ed8a8a00010011ec04c0b031ba06c780befc685949cef93243d2b29da8426e9d1b0287195958276c7358653051008cb48d93598782f9a8be73663eabce21412cf3ca249f6a61da34a6f728756c5aa5c6b6866910bfc47a20310362b5b49d60b855f46b34f9ebbd6beb3b1f972af1c646f0ba746a51ad89b96e72cc7fae9943da40692c746883a094ac0564cc180a481b34ab84b08bd08984c72aa18214d098981dfcca67b872ed7c147c8526c128a50f0562c93b090b1b83cbd53ea94b69c03c9380c81b31a6b234c476e2988db137757047c7a9712d006871a192a4f31334dc3069e850a5208585fee65d6cfb63b5db3641f3b5b35c462a813cb645cca78271c411628b51450583712f987c5f8222ada32afaea7e43a519eb3c32ea464b6d8173774220418390af28c4b79787b1344be9f02483e185693831c2ab4693e3bca8f176da7317c2a497cce1bcae86266fe67311f738a5375ff53c33ddb7baad362db6581d21b1bb8e2c9526744066b203fe670efcc810425c89fc6b3e3cfc6b37a08c14ecaa6a7063219261d23c6fa952558839a27d80b2c750ac77a8756af3523eebc3d1ea8eba1c4d367ac9a2e6406e35a9a7e97320dc3505c88e5cc123c83a7fb18b1e1e33241d825d97905e7b8991cfc4b4b846a985f8cc9e8b5bae2a20af801349162e5ea1b5b7b0c951f65914d8af968b852ed399eb650c1ef7954b982abd5cc46edc3bc6c7b3f2b569553690e8588cc1fb7230024f6e83050200747839a54d89caaf25933b3aabde28c094350c03d75a87a4aa3e1b47a2f978cf4463c1cbb8eb6aac2e4b7c0c8a4803c506dc9990beac54b2376f351caa513c6fcd3a18db55763f02865435a8533659cef00a57cb2b0e7790a90a6e64e8181067372d377be831b1d113b2799b64007c215dfaad52453183d09b6711761c94225ab27ffd30aa6356208d036e002a6b61ab8b559b1408cab808393b31b60a54a102b0b6167ce222f4210bcc049bb765b866a73227104aeaab8014261a5a89bc4adc0e30c6212e693f1fa6146b7abf57464c2f68a513f408058b1253046167bca6089345144261c974c403101471e002404b1d98b47de7d8660e0016e72aa6678944b2d65e50dccfd5412db7dc87a150ba8a4977228455df35256cf296cb34204c2c3fd2c27efe882087c04466e39e0168549560cd126666a05b09afb810544b7594db725da09c26a2a69127a6b12786af712404f7a163c4a110ba05e6d8b17869be7faca2b1086210fba9dcb958a13502277131c3340242b70591dc051e895716103eb2a63b92e198cef5c3a213c88eb49bd3f0b393ba576ac14218975b1a36a0e7c3217f32437ef603f053a14be25fe3ccc7f6f977ea3401c50c5a8d5b101a451db9f40776f6cc01395886293c7b18880223c5656ab23f5c625bd25b81216123563aad3a739a96529ea35ad95c876fda01a91a5111e0bb6ffc0eec24cecf15b3b28715df0b7f9b393c84f5a2e7b80910744a7341970c7c4425f98e3e718839743d11c997e434c1c2027a11769fd011b76e2495d1f83e31d0ae58b24eccb17f8539150f869ab1b8ce87b625cc52993e05a92f030fe6a790f3f62443f05c482c42e65280106c43d3f35ca273070a440dc490b77502103925599d7d3ba576db2d6257ec2945b3f16c6609a575fe556303aa0e4427f2234fe0e18e84f0cceb8baf5abb10982fe4c27fdb2aeda7aba94277001d0020613f7c9b4efa181e720de9c1e406b7a6ef17c94ff97053fac456c36faf200e0afe0d011a0000010001710020008eb36ce91deadb92ff7983761ac68ce58cec044231899f73c5b5eb4464c64800f02925bb0094febfd8fc3960f861148f71ac4e4134ef5861e84d04ff3d79e7e773748e5fe6d947c768c22f42a0dfaa53575a0f13526d74d232605bbc1ab682aa61841396cd3191cfb76d82f3053549333d8325488e7a3b61707d567753ac98cd6b44ce26ba353bcd1853036f0f8db85b8b920afa6235e1403feb2ce44af2151e6c48d535102225a074626a7157096b3def88655d79fa1bc21fe7954d661995b8ac8f7cba70c2fff5fa8cf2e3b1ed83be5884e0c4b4576ab0cc589daf4494e0e911858cc6030f78e7f1c4765ebd356585f75ad9204505e4b2916126a51cdbeacfe3eff962d78f48795d966d3d32b7f6ce85002d00020101001b0003020002000d001200100403080404010503080505010806060144cd000500030268320005000501000000000010000e000c02683208687474702f312e3100230000000a000c000a8a8a11ec001d001700180000000f000d00000a7465737473736c2e7368001200006a6a000100") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1") + requiresSha2+=(true) + ja3+=("1039cdb7642a736c706f52a335544033") + ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") + # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. current+=(true) names+=("Chrome 27 Win 7") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 90cc251ac..4261a5dd6 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -217,6 +217,31 @@ ja4+=("t13d1517h2_8daaf6152771_b6f405a00624") current+=(true) + names+=("Android 16 (native)") + short+=("android_16") + ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") + ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") + ch_sni+=("$SNI") + warning+=("") + handshakebytes+=("16030107130100070f0303a80e8116ef08e859a5660ef369403922257044938f3dc4801497a4ff86ae1e6520b7d9e84e0116f07f3ea7b9b31be7d49578864802be4199920af028a7bf1df50800205a5a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035010006a67a7a0000000b00020100002b000706baba0304030300170000ff01000100003304ef04ed8a8a00010011ec04c0b031ba06c780befc685949cef93243d2b29da8426e9d1b0287195958276c7358653051008cb48d93598782f9a8be73663eabce21412cf3ca249f6a61da34a6f728756c5aa5c6b6866910bfc47a20310362b5b49d60b855f46b34f9ebbd6beb3b1f972af1c646f0ba746a51ad89b96e72cc7fae9943da40692c746883a094ac0564cc180a481b34ab84b08bd08984c72aa18214d098981dfcca67b872ed7c147c8526c128a50f0562c93b090b1b83cbd53ea94b69c03c9380c81b31a6b234c476e2988db137757047c7a9712d006871a192a4f31334dc3069e850a5208585fee65d6cfb63b5db3641f3b5b35c462a813cb645cca78271c411628b51450583712f987c5f8222ada32afaea7e43a519eb3c32ea464b6d8173774220418390af28c4b79787b1344be9f02483e185693831c2ab4693e3bca8f176da7317c2a497cce1bcae86266fe67311f738a5375ff53c33ddb7baad362db6581d21b1bb8e2c9526744066b203fe670efcc810425c89fc6b3e3cfc6b37a08c14ecaa6a7063219261d23c6fa952558839a27d80b2c750ac77a8756af3523eebc3d1ea8eba1c4d367ac9a2e6406e35a9a7e97320dc3505c88e5cc123c83a7fb18b1e1e33241d825d97905e7b8991cfc4b4b846a985f8cc9e8b5bae2a20af801349162e5ea1b5b7b0c951f65914d8af968b852ed399eb650c1ef7954b982abd5cc46edc3bc6c7b3f2b569553690e8588cc1fb7230024f6e83050200747839a54d89caaf25933b3aabde28c094350c03d75a87a4aa3e1b47a2f978cf4463c1cbb8eb6aac2e4b7c0c8a4803c506dc9990beac54b2376f351caa513c6fcd3a18db55763f02865435a8533659cef00a57cb2b0e7790a90a6e64e8181067372d377be831b1d113b2799b64007c215dfaad52453183d09b6711761c94225ab27ffd30aa6356208d036e002a6b61ab8b559b1408cab808393b31b60a54a102b0b6167ce222f4210bcc049bb765b866a73227104aeaab8014261a5a89bc4adc0e30c6212e693f1fa6146b7abf57464c2f68a513f408058b1253046167bca6089345144261c974c403101471e002404b1d98b47de7d8660e0016e72aa6678944b2d65e50dccfd5412db7dc87a150ba8a4977228455df35256cf296cb34204c2c3fd2c27efe882087c04466e39e0168549560cd126666a05b09afb810544b7594db725da09c26a2a69127a6b12786af712404f7a163c4a110ba05e6d8b17869be7faca2b1086210fba9dcb958a13502277131c3340242b70591dc051e895716103eb2a63b92e198cef5c3a213c88eb49bd3f0b393ba576ac14218975b1a36a0e7c3217f32437ef603f053a14be25fe3ccc7f6f977ea3401c50c5a8d5b101a451db9f40776f6cc01395886293c7b18880223c5656ab23f5c625bd25b81216123563aad3a739a96529ea35ad95c876fda01a91a5111e0bb6ffc0eec24cecf15b3b28715df0b7f9b393c84f5a2e7b80910744a7341970c7c4425f98e3e718839743d11c997e434c1c2027a11769fd011b76e2495d1f83e31d0ae58b24eccb17f8539150f869ab1b8ce87b625cc52993e05a92f030fe6a790f3f62443f05c482c42e65280106c43d3f35ca273070a440dc490b77502103925599d7d3ba576db2d6257ec2945b3f16c6609a575fe556303aa0e4427f2234fe0e18e84f0cceb8baf5abb10982fe4c27fdb2aeda7aba94277001d0020613f7c9b4efa181e720de9c1e406b7a6ef17c94ff97053fac456c36faf200e0afe0d011a0000010001710020008eb36ce91deadb92ff7983761ac68ce58cec044231899f73c5b5eb4464c64800f02925bb0094febfd8fc3960f861148f71ac4e4134ef5861e84d04ff3d79e7e773748e5fe6d947c768c22f42a0dfaa53575a0f13526d74d232605bbc1ab682aa61841396cd3191cfb76d82f3053549333d8325488e7a3b61707d567753ac98cd6b44ce26ba353bcd1853036f0f8db85b8b920afa6235e1403feb2ce44af2151e6c48d535102225a074626a7157096b3def88655d79fa1bc21fe7954d661995b8ac8f7cba70c2fff5fa8cf2e3b1ed83be5884e0c4b4576ab0cc589daf4494e0e911858cc6030f78e7f1c4765ebd356585f75ad9204505e4b2916126a51cdbeacfe3eff962d78f48795d966d3d32b7f6ce85002d00020101001b0003020002000d001200100403080404010503080505010806060144cd000500030268320005000501000000000010000e000c02683208687474702f312e3100230000000a000c000a8a8a11ec001d001700180000000f000d00000a7465737473736c2e7368001200006a6a000100") + protos+=("-no_ssl3 -no_ssl2") + tlsvers+=("-tls1_3 -tls1_2") + lowest_protocol+=("0x0303") + highest_protocol+=("0x0304") + alpn+=("h2,http/1.1") + service+=("ANY") + minDhBits+=(-1) + maxDhBits+=(-1) + minRsaBits+=(-1) + maxRsaBits+=(-1) + minEcdsaBits+=(-1) + curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1") + requiresSha2+=(true) + ja3+=("1039cdb7642a736c706f52a335544033") + ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") + # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. + current+=(true) + names+=("Edge 17 Win 10") short+=("edge_17_win10") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA") From b4e58dfbb551a4b0c41d303d96929a1a394e857f Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 18 May 2026 18:45:04 +0200 Subject: [PATCH 08/11] Consolidated Handshakes went through a couple of pcap files and determined ja3 + ja4 sums. - Android 15/16 are the same (previously ja3 taken instead of ja4 and wrong host. One has to use chrome !) - Edge 101/Chrome 101 are the same (will be deprated next time) - surprisingly Java 17.0.3 and 21.0.6 were the same. - Added: Ja3/ja4 for old Apple Mail and Thunderbird --- etc/client-simulation.txt | 32 ++++++++++++++++++--------- etc/client-simulation.wiresharked.txt | 15 +++++++++++-- 2 files changed, 35 insertions(+), 12 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 9a6eab127..49fbee60d 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -310,8 +310,8 @@ ja4+=("t13d1713h1_5b57614c22b0_352634941f3a") current+=(true) - names+=("Android 15 (native)") - short+=("android_15") + names+=("Android 15/16 (native)") + short+=("android_15_16") ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") ch_sni+=("$SNI") @@ -330,8 +330,8 @@ minEcdsaBits+=(-1) curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1") requiresSha2+=(true) - ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5") - ja4+=("t13d1517h2_8daaf6152771_b6f405a00624") + ja3+=("a04f2226447ea413dd5bf057ca4a4bdf") + ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. current+=(true) @@ -358,7 +358,8 @@ ja3+=("1039cdb7642a736c706f52a335544033") ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. - current+=(true) + current+=(false) + # same as above, deducted from ja4 fingerprint names+=("Chrome 27 Win 7") short+=("chrome_27_win7") @@ -993,7 +994,9 @@ names+=("Chrome 27 Win 7") minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(true) - current+=(true) + ja3+=("cd08e31494f9531f560d64c695473da9") + ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1") + current+=(false) names+=("Chromium 137 (Win 11)") short+=("chromium_137_win11") @@ -2097,7 +2100,7 @@ names+=("Firefox 137 (Win 11)") requiresSha2+=(false) current+=(false) - names+=("Edge 101 Win 10 21H2") + names+=("Edge 101/Chrome 101 Win 10 21H2") short+=("edge_101_win10_21h2") ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") @@ -2117,6 +2120,8 @@ names+=("Firefox 137 (Win 11)") minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(true) + ja3+=("cd08e31494f9531f560d64c695473da9") + ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1") current+=(true) names+=("Edge 133 Win 11 23H2") @@ -3002,8 +3007,8 @@ names+=("Opera 66 (Win 10)") requiresSha2+=(false) current+=(false) - names+=("Java 17.0.3 (OpenJDK)") - short+=("java_1703") + names+=("Java 17.0.3/21.0.6 (OpenJDK)") + short+=("java_1703_2106") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256") ch_sni+=("$SNI") @@ -3021,6 +3026,8 @@ names+=("Opera 66 (Win 10)") minEcdsaBits+=(224) curves+=("x25519:secp256r1:secp384r1:secp521r1:x448:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192") requireseha2+=(true) + ja3+=("60f3e2285bc991c380f822c6ac51f947") + ja4+=("t13d311200_e8f1e7e78f70_6077d120928a") current+=(true) names+=("Java 21.0.6 (OpenJDK)") @@ -3044,7 +3051,8 @@ names+=("Opera 66 (Win 10)") requiresSha2+=(true) ja3+=("60f3e2285bc991c380f822c6ac51f947") ja4+=("t13d311200_e8f1e7e78f70_6077d120928a") - current+=(true) + current+=(false) + # same as above names+=("go 1.17.8") short+=("go_1178") @@ -3400,6 +3408,8 @@ names+=("Opera 66 (Win 10)") minEcdsaBits+=(-1) curves+=("secp256r1:secp384r1:secp521r1") requiresSha2+=(false) + ja3+=("e4d448cdfe06dc1243c1eb026c74ac9a") + ja4+=("t12d220700_0d4ca5d4ec72_3304d8368043") current+=(true) names+=("Thunderbird (60.6)") @@ -3466,6 +3476,8 @@ names+=("Opera 66 (Win 10)") minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + ja3+=("490dba4384bdcf3fb9f1682374dd4afc") + ja4+=("t13d181400_e8a523a41297_3d5424432f57") current+=(true) names+=("Baidu Jan 2015") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 4261a5dd6..8465acadf 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -213,8 +213,8 @@ minEcdsaBits+=(-1) curves+=("X25519MLKEM768:x25519:secp256r1:secp384r1") requiresSha2+=(true) - ja3+=("78c89591bc3fffbc6aa884cc7ebbbdb5") - ja4+=("t13d1517h2_8daaf6152771_b6f405a00624") + ja3+=("a04f2226447ea413dd5bf057ca4a4bdf") + ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") current+=(true) names+=("Android 16 (native)") @@ -241,6 +241,7 @@ ja4+=("t13d1516h2_8daaf6152771_d8a2da3f94cd") # careful! ja3 is is not unique here, probably because of GREASE. It's difficult to find to matching ja3 at all. ja4 seems more consistent here. current+=(true) + # Same as above names+=("Edge 17 Win 10") short+=("edge_17_win10") @@ -284,6 +285,8 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(true) + ja3+=("cd08e31494f9531f560d64c695473da9") + ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1") current+=(true) names+=("Edge 133 Win 11 23H2") @@ -418,6 +421,8 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(true) + ja3+=("cd08e31494f9531f560d64c695473da9") + ja4+=("t13d1516h2_8daaf6152771_e5627efa2ab1") current+=(true) names+=("Chromium 137 (Win 11)") @@ -618,6 +623,8 @@ minEcdsaBits+=(224) curves+=("x25519:secp256r1:secp384r1:secp521r1:x448:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192") requiresSha2+=(true) + ja3+=("60f3e2285bc991c380f822c6ac51f947") + ja4+=("t13d311200_e8f1e7e78f70_6077d120928a") current+=(true) names+=("Java 21.0.6 (OpenJDK)") @@ -979,6 +986,8 @@ minEcdsaBits+=(-1) curves+=("secp256r1:secp384r1:secp521r1") requiresSha2+=(false) + ja3+=("e4d448cdfe06dc1243c1eb026c74ac9a") + ja4+=("t12d220700_0d4ca5d4ec72_3304d8368043") current+=(true) names+=("Thunderbird (60.6)") @@ -1045,6 +1054,8 @@ minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") requiresSha2+=(false) + ja3+=("490dba4384bdcf3fb9f1682374dd4afc") + ja4+=("t13d181400_e8a523a41297_3d5424432f57") current+=(true) names+=("Safari 12.1 (iOS 12.2)") From 56697cee488bd728a78585c2e2c6981b6d3d9633 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 18 May 2026 21:16:43 +0200 Subject: [PATCH 09/11] Consolidate handshakes for all Safaris 26.4 Looked before at ja3, but for Chromium-browsers ja4 is relevant. The client column needed to be extended with 1 space. --- etc/client-simulation.txt | 5 +++-- etc/client-simulation.wiresharked.txt | 1 + testssl.sh | 12 ++++++------ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index 49fbee60d..b75a1e663 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -2636,7 +2636,8 @@ names+=("Opera 66 (Win 10)") requiresSha2+=(false) ja3+=("ecdf4f49dd59effc439639da29186671") ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") - current+=(true) + current+=(false) + # identical to MaCOS Safari 26.4, see ja4 names+=("Safari 12.1 (macOS 10.13.6)") short+=("safari_121_osx_10136") @@ -2728,7 +2729,7 @@ names+=("Opera 66 (Win 10)") ja4+=("t13d2014h2_a09f3c656075_e42f34c56612") current+=(true) - names+=("Safari 26.4 (macOS 26.4)") + names+=("Safari 26.4 (macOS/iOS/iPadOS 26.4)") short+=("safari_264_osx_264") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") diff --git a/etc/client-simulation.wiresharked.txt b/etc/client-simulation.wiresharked.txt index 8465acadf..e73c58423 100644 --- a/etc/client-simulation.wiresharked.txt +++ b/etc/client-simulation.wiresharked.txt @@ -1124,6 +1124,7 @@ ja3+=("ecdf4f49dd59effc439639da29186671") ja4+=("t13d2013h2_a09f3c656075_7f0f34a4126d") current+=(true) + # iOS/iPadOS is the same, see ja4 names+=("Safari 12.1 (macOS 10.13.6)") short+=("safari_121_osx_10136") diff --git a/testssl.sh b/testssl.sh index 9c6ef52a0..7fddfd10b 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5280,17 +5280,17 @@ run_client_simulation() { debugme echo if [[ "$DISPLAY_CIPHERNAMES" =~ openssl ]]; then - out " Browser/Client Protocol Cipher Suite Name (OpenSSL) " + out " Browser/Client Protocol Cipher Suite Name (OpenSSL) " { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy" outln - out "--------------------------------------------------------------------------------" + out "---------------------------------------------------------------------------------" else - out " Browser/Client Protocol Cipher Suite Name (IANA/RFC) " + out " Browser/Client Protocol Cipher Suite Name (IANA/RFC) " { "$using_sockets" || "$HAS_DH_BITS"; } && out "Forward Secrecy" outln - out "------------------------------------------------------------------------------------------------" + out "-------------------------------------------------------------------------------------------------" fi - { "$using_sockets" || "$HAS_DH_BITS"; } && out "----------------------" + { "$using_sockets" || "$HAS_DH_BITS"; } && out "-----------------------" outln if ! "$using_sockets"; then # We can't use the connectivity checker here as of now the openssl reply is always empty (reason??) @@ -5302,7 +5302,7 @@ run_client_simulation() { if "${current[i]}" || "$ALL_CLIENTS" ; then # for ANY we test this service or if the service we determined from STARTTLS matches if [[ "${service[i]}" == ANY ]] || [[ "${service[i]}" =~ $client_service ]]; then - out " $(printf -- "%-35s" "${names[i]}")" + out " $(printf -- "%-36s" "${names[i]}")" if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then client_simulation_sockets "${handshakebytes[i]}" sclient_success=$? From 01b7ad7cc8f9acdcf71d54d4dab868a2e15337cc Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 18 May 2026 21:30:34 +0200 Subject: [PATCH 10/11] correct name --- etc/client-simulation.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/client-simulation.txt b/etc/client-simulation.txt index b75a1e663..e7af0bd27 100644 --- a/etc/client-simulation.txt +++ b/etc/client-simulation.txt @@ -2730,7 +2730,7 @@ names+=("Opera 66 (Win 10)") current+=(true) names+=("Safari 26.4 (macOS/iOS/iPadOS 26.4)") - short+=("safari_264_osx_264") + short+=("safari_264_all") ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256") ch_sni+=("$SNI") From 7871d800f9bb78250c93cd36805de84349691d5c Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 18 May 2026 21:30:57 +0200 Subject: [PATCH 11/11] adjust baseline runner output --- t/baseline_data/default_testssl.csvfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile index d19a8c362..3b5064982 100644 --- a/t/baseline_data/default_testssl.csvfile +++ b/t/baseline_data/default_testssl.csvfile @@ -106,8 +106,7 @@ "clientsimulation-android_X","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-android_11_12","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-android_13_14","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-android_15","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-chrome_101_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_15_16","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-chromium_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-firefox_100_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-firefox_137_win11","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" @@ -119,19 +118,18 @@ "clientsimulation-edge_15_win10","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" "clientsimulation-edge_101_win10_21h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-edge_133_win11_23h2","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-safari_184_ios_184","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-safari_154_osx_1231","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-safari_184_osx_154","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_264_all","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-java_7u25","testssl.sh/81.169.235.32","443","INFO","No connection","","" "clientsimulation-java_80442","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-java_1102","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-java_1703","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" -"clientsimulation-java_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1703_2106","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-go_1178","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-libressl_336","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-openssl_102e","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" "clientsimulation-openssl_111d","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-openssl_315","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-openssl_350","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_400","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" "clientsimulation-apple_mail_16_0","testssl.sh/81.169.235.32","443","INFO","TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384","","" "clientsimulation-thunderbird_91_9","testssl.sh/81.169.235.32","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","",""