From 080288df798e3da34433816595b56139a2607e80 Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Sun, 19 Jan 2025 16:27:35 +0100
Subject: [PATCH] JA4: Remove fictional (and mis-mapped to "s3") SSL 1

SSL 1 was never actually deployed; the design was iterated upon to become SSL 2 before it was released by Netscape [1] [2] [3] [4]. I don't think it's public knowledge what the version field for SSL 1 would have looked like, or if it even was two bytes large or at the same offset on the wire; given that SSL 2 used 0x0002 it seems more likely to have been 0x0001 than 0x0100.

Version field 0x0100, which is currently misattributed to SSL 1, was used by an early pre-RFC4347 implementation of DTLS in OpenSSL before 0.9.8f [5], when OpenSSL switched to the version field specified by RFC4347. This use of 0x0100 is also reflected in Wireshark's TLS dissector [4] (`DTLSV1DOT0_OPENSSL_VERSION`).

For these reasons, it seems to make sense to remove the fictional SSL 1 code entirely. This also removes an issue where the resulting JA4 string would be "s3" instead of the intended "s1".

An earlier version of the JA4 spec [6] also mistakenly used 0x0200 for SSL 2 and 0x0100 for SSL 1. This was fixed in [7] in August 2024.

[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
[5] https://github.com/openssl/openssl/compare/OpenSSL_0_9_8e...OpenSSL_0_9_8f
[6] https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md#tls-and-dtls-version
[7] FoxIO-LLC/ja4#150
---
 src/lib/protocols/tls.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index d05c5ddada0..88c6fddde6f 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2098,11 +2098,6 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct, ja_str[2] = '2'; break; - case 0x0100: /* SSL 1.0 = “s1” */ - ja_str[1] = 's'; - ja_str[2] = '3'; - break; - case 0xFEFF: /* DTLS 1.0 = “d1” */ ja_str[1] = 'd'; ja_str[2] = '1';
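Review bot: dropping the `case 0x0100:` arm leaves no visible handling for version field 0x0100, which the commit message says pre-0.9.8f OpenSSL DTLS still puts on the wire, and the hunk shows no `default:` for this switch in ndpi_compute_ja4; confirm that such a ClientHello now reaches a default arm that writes the JA4 spec's unknown-version value into `ja_str[1]` and `ja_str[2]`, rather than leaving those bytes at whatever an earlier assignment set. A small regression test pinning 0x0100 to that unknown-version output (and no longer to "s3") would also document the intent stated in the message.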