Tags: refraction-networking/utls
Tags
fix: add missing padding extension for chrome 120 Chrome removed this extension when sending pq keyshares but this was incorrectly removed in utls for the non-pq variant of Chrome 120 fingerprint. Only this fingerprint is effected since newer fingerprints have pq keyshares by default and older fingerprints have this extension. Thanks to telegram @acgdaily for reporting this issue.
fix: use AES in GREASE ECH for Chrome fingerprint There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome. This commit makes the Chrome parrot use AES only for GREASE ECH, consistent with the currrent AES outer ciphersuite preference. I think this is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there. Thanks to the original reporter for reporting this issue.
refactor: remove unused cf circl ech config Remove code using cloudflare circl's ECHConfig since ech has been implemented via the standard library. Given that real ech was never implemented using cf circl code in utls, this shouldn't be breaking any user's code from what I can tell.
feat: generate different ecdhe key for pq key When the client sends both pq and non-pq keyshares, the ecdhe key was reused in line with stdlib. However this can be used to fingerprint utls ClientHellos. Generate different ecdhe keys instead, in line with Chrome. This will have to change when we support more browsers with different ways of handling this.
PreviousNext