-- Connecting to tlsprivacy.nervuri.net:1965...

TLS Client Hello Mirror


This service presents your browser's TLS Client Hello message in multiple formats. It can be used directly or in CI tests to check for TLS privacy pitfalls (session resumption, fingerprinting, system time exposure) and security shortcomings (deprecated TLS versions, weak cipher suites, missing features, etc.).


Details here


API endpoints


json/v1 - basic

json/v2 - detailed


API Documentation


Connection


TLS version: TLS 1.3

Cipher suite: TLS_AES_128_GCM_SHA256

TLS session resumed: false


If you haven't already, refresh the page to check if your browser supports session resumption.


Supported features


Signed certificate timestamps: false

OCSP stapling: false


Supported TLS/SSL versions


TLS 1.3

TLS 1.2


Cipher suites


TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (not recommended)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (not recommended)

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (not recommended)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (not recommended)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (not recommended)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (not recommended)

TLS_EMPTY_RENEGOTIATION_INFO_SCSV


Extensions


server_name

ec_point_formats

supported_groups

session_ticket

encrypt_then_mac

extended_master_secret

signature_algorithms

supported_versions

psk_key_exchange_modes

key_share

padding


Supported groups


x25519

secp256r1

x448

secp521r1

secp384r1


Signature algorithms


ecdsa_secp256r1_sha256

ecdsa_secp384r1_sha384

ecdsa_secp521r1_sha512

ed25519

ed448

rsa_pss_pss_sha256

rsa_pss_pss_sha384

rsa_pss_pss_sha512

rsa_pss_rsae_sha256

rsa_pss_rsae_sha384

rsa_pss_rsae_sha512

rsa_pkcs1_sha256

rsa_pkcs1_sha384

rsa_pkcs1_sha512

sha224,ecdsa (not recommended)

sha224,rsa (not recommended)

sha224,dsa (not recommended)

sha256,dsa (not recommended)

sha384,dsa (not recommended)

sha512,dsa (not recommended)


TLS fingerprint


JA3: 771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,0-11-10-35-22-23-13-43-45-51-21,29-23-30-25-24,0-1-2

JA3 MD5: 5833fcd5a2599274dacc5a94102ac943


NJA3v1: 769,771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-49187-49191-159-158-107-103-255,10-11-13-22-23-43-45-51,29-23-30-25-24,0-1-2,772-771,1027-1283-1539-2055-2056-2057-2058-2059-2052-2053-2054-1025-1281-1537-771-769-770-1026-1282-1538,1,

NJA3v1 SHA256/128: 4063ac5d92c772cdc37fb2bb812e4fcd


Parameters in the Client Hello message differ between clients, enabling servers and on-path observers to detect what browser you are likely using (down to its version, or a range of versions) by deriving its fingerprint from said parameters. Worse, if you change any TLS-related settings, your TLS fingerprint becomes specific to a much smaller group of users, possibly even to you alone.


JA3 is a simple and popular type of TLS fingerprint. NJA3 is a similar style of fingerprint which aims to improve the robustness and accuracy of JA3.
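
The effect of a settings change on the fingerprint can be reproduced from the JA3 string in this report. The following is an added example, not code from this service or its author: it assumes the standard JA3 construction (MD5 over the five comma-separated fields), and the "CBC suites disabled" client and all function names are constructed for illustration.

```python
import hashlib

# JA3 string copied verbatim from the report above.
PAGE_JA3 = ("771,4866-4867-4865-49196-49200-49195-49199-52393-52392-49188-49192-"
            "49187-49191-159-158-107-103-255,0-11-10-35-22-23-13-43-45-51-21,"
            "29-23-30-25-24,0-1-2")

LIST_FIELDS = ("ciphers", "extensions", "groups", "point_formats")

# Code points of the six CBC suites the report marks "not recommended".
CBC_SUITES = {49188, 49192, 49187, 49191, 107, 103}

def parse_ja3(ja3):
    """Split a JA3 string into its version number and four ordered ID lists."""
    parts = ja3.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 needs 5 comma-separated fields, got %d" % len(parts))
    fields = {"version": int(parts[0])}
    for name, part in zip(LIST_FIELDS, parts[1:]):
        fields[name] = [int(v) for v in part.split("-")] if part else []
    return fields

def build_ja3(fields):
    """Re-serialise parsed fields; order inside each list is preserved."""
    lists = ["-".join(map(str, fields[name])) for name in LIST_FIELDS]
    return ",".join([str(fields["version"])] + lists)

def ja3_hash(ja3):
    """JA3 digest: MD5 over the ASCII string (an identifier, not a security hash)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()

def drop_cbc(fields):
    """Constructed scenario: the same client after the user disables CBC suites."""
    changed = dict(fields)
    changed["ciphers"] = [c for c in fields["ciphers"] if c not in CBC_SUITES]
    return changed

if __name__ == "__main__":
    stock = parse_ja3(PAGE_JA3)
    tuned = drop_cbc(stock)
    print("stock:", len(stock["ciphers"]), "suites", ja3_hash(build_ja3(stock)))
    print("tuned:", len(tuned["ciphers"]), "suites", ja3_hash(build_ja3(tuned)))
```

Because the digest covers the whole ordered string, removing the weak suites yields a fingerprint unrelated to the stock one, which is how a hardening change can place a client in a much smaller group.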


TLS Fingerprinting with JA3 and JA3S

NJA3 documentation

_____________________

Author: nervuri

Source (contributions welcome)

License: BSD-3-Clause

-- Page fetched on Sun Apr 28 18:46:26 2024