Is there a way to get the TLS client-hello in a plugin?

mridang · February 19, 2025, 8:54am

I'm building a plugin and I need to compute a JA3/JA4 hash from the request. I cannot seem to find any way to accessing the raw TLS client-hello? Is there a way to do this?

func (sh *MyPlugin) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
  // req.TLS has everything but the raw hello
}

Without the CH, there doesn't seem to way to build the JA3/4 hash. Thank you.

bluepuma77 · February 19, 2025, 10:11am

This is probably not possible, as Traefik's model is

entrypoint -> router -> middleware -> service

and TLS is usually terminated before the router.

mridang · February 20, 2025, 5:59am

Yeah, this really doesn't seem possible. I found this issue TLS(Ja3) Fingerprint in ForwardAuth Middleware · Issue #8627 · traefik/traefik · GitHub

Topic		Replies	Views
Ja3 fingerprinting middleware Traefik v2 middleware	0	812	December 7, 2020
How to use Plugins. Cant find Yaml, toml or cli on TrueNAS Scale Traefik v2 plugin	10	2057	December 4, 2022
How do I develop a TLS middleware plugin Traefik v2 plugin	4	474	December 6, 2022
Don't respond to non-TLS HTTP request Traefik v3 (latest) tcp	0	24	December 11, 2024
Traefik to Traefik mTLS authentication Traefik v1 file	13	3548	December 9, 2020

Is there a way to get the TLS client-hello in a plugin?

Related topics