TLS Fingerprinting - a method for identifying a TLS client without decrypting

Hello, Kevin Stewart here. A while back someone asked an interesting question in the DevCentral forum about selecting a client SSL profile based on the device (ex. iOS, Android, Windows Phone). Norma...
Published Dec 30, 2016
Version 1.0
application delivery
BIG-IP
iRules
security
ssl
tls
Saravanan_M_K's avatar
Saravanan_M_K
Icon for Employee rankEmployee
Oct 02, 2019
<quote>
While testing this I noticed that newer versions of Chrome and Opera added what looked like "markers" to the ciphersuite list, extensions list, and elliptic curves list (ex. 9A9A, 5A5A, EAEA, BABA - always some alphanumeric value, followed by 'A', and repeated.). A cursory search didn't explain what these are, so maybe someone will know and report back.
</quote>

  I know this is old article and by now you might have already figured it out. I am replying it for the readers just in case if they are not aware of this. the strange codes (e.g. 0x9a9a, etc) that you see are TLS GREASE values. For more info see the internet draft https://www.ietf.org/id/draft-ietf-tls-grease-04.txt (as of today it is in version 4).