Add boringssl support to the ja4_fingerprint plugin #12790
Conversation
|
[approve ci autest 1] |
bneradt
left a comment
bneradt
left a comment
There was a problem hiding this comment.
Thank you @jasmine-nahrain for exploring this. I think your patch here makes the plugin code look much better. I'm content with this idea as a compromise that addresses our variety of wants here (minimize noise in the ts.h namespace along with a clean boring+openssl interface for the plugin).
@maskit : I'm curious to hear your opinion on this as well. Are you content with this patch?
| struct tsapi_ssl_client_hello { | ||
| uint16_t version; | ||
| const uint8_t *cipher_suites; | ||
| size_t cipher_suites_len; | ||
| const uint8_t *extensions; | ||
| size_t extensions_len; | ||
| int *extension_ids; | ||
| size_t extension_ids_len; | ||
| void *ssl_ptr; | ||
| }; |
There was a problem hiding this comment.
Let's initialize these here (nullptr, 0).
Also: as a tweak on this, what do you think of making these private and adding public getters for these such that we can lazily load them as they are requested? Subsequent requests can then return the populated (cached) values if the same value is asked for twice. Currently, the caller has to pay for the population of all of these even though they might not need them all.
There was a problem hiding this comment.
Lazy load would be tricky. Best we can do is probably read and cache everything in TSVConnClientHelloGet.
As I commented on somewhere, SSL_CLIENT_HELLO is only available during BoringSSL callback functions are called. So TSVConnClientHelloGet needs to be called on certain hooks (this should be documented). This plugin seems fine since TSVConnClientHelloGet and TSClientHelloDestroy are called on TS_SSL_CLIENT_HELLO_HOOK, but if another plugin needs information from Client Hello later on another hook, everything needs to be deep copied when TSVConnClientHelloGet is called.
There was a problem hiding this comment.
Public getters would be nice even if we don't do lazy land. Those would enable removing ifdef from the plugin code.
maskit
left a comment
maskit
left a comment
There was a problem hiding this comment.
API documentation is mandatory.
The structure should probably be a class with public getters (and private members). Regardless, some of member variables should have const.
4 participants
Problem
OpenSSL provides
SSL_client_hello_get0_ext(),SSL_client_hello_get0_ciphers()andSSL_client_hello_get1_extensions_present()to get client hello from an SSL object. BoringSSL doesn't have comparable functions. It requires theSSL_CLIENT_HELLOobject viaSSL_early_callback_ctx_extension_get(). Currently, there's no way to get theSSL_CLIENT_HELLOobject in plugins, which causes friction when writing SSL-related plugins that need to work with both libraries.Proposed Solution:
TSClientHello TSVConnClientHelloGet(TSVConn sslp);This API provides access to the
SSL_CLIENT_HELLOobject within plugins and is usable during SSL hooks (TS_SSL_CLIENT_HELLO_HOOK, TS_SSL_SERVERNAME_HOOK).Use Case: This enables plugins to access ClientHello data (cipher suites, extensions, SNI, ALPN, supported TLS versions) when using BoringSSL. Currently, the ja4_fingerprint plugin only works for openssl, this change allows us to add boringssl support.
Implementation Notes:
This is a non-breaking addition. Existing OpenSSL-based plugins continue to work unchanged.