Add /tls/client-hello endpoint

pimterry · pimterry · commit 77dbe17f1884 · 2026-03-25T13:36:57.000+01:00
diff --git a/src/endpoints/http-index.ts b/src/endpoints/http-index.ts
@@ -48,4 +48,5 @@ export * from './http/encoding/deflate.js';
 export * from './http/encoding/zstd.js';
 export * from './http/encoding/brotli.js';
 export * from './http/encoding/identity.js';
-export * from './http/tls-fingerprint.js';
+export * from './http/tls-fingerprint.js';
+export * from './http/tls-client-hello.js';
diff --git a/src/endpoints/http/tls-client-hello.ts b/src/endpoints/http/tls-client-hello.ts
@@ -0,0 +1,114 @@
+import {
+    CIPHER_SUITES,
+    EXTENSIONS,
+    SUPPORTED_GROUPS,
+    SIGNATURE_ALGORITHMS,
+    EC_POINT_FORMATS,
+    TLS_VERSIONS,
+    COMPRESSION_METHODS,
+    PSK_KEY_EXCHANGE_MODES,
+    CERTIFICATE_COMPRESSION_ALGORITHMS,
+    CERTIFICATE_STATUS_TYPES
+} from 'read-tls-client-hello';
+
+import { HttpEndpoint } from '../http-index.js';
+import { getClientHello } from '../../tls-client-hello.js';
+
+function annotateId(id: number, table: Record<number, string | undefined>) {
+    return { id, name: table[id] ?? null };
+}
+
+function annotateIds(ids: number[], table: Record<number, string | undefined>) {
+    return ids.map(id => annotateId(id, table));
+}
+
+function annotateExtensionData(
+    extensionId: number,
+    data: Record<string, unknown> | null
+): unknown {
+    if (data === null || Object.keys(data).length === 0) return data;
+
+    switch (extensionId) {
+        case 5: // status_request
+            return {
+                ...data,
+                statusType: annotateId(data.statusType as number, CERTIFICATE_STATUS_TYPES)
+            };
+        case 10: // supported_groups
+            return {
+                groups: annotateIds(data.groups as number[], SUPPORTED_GROUPS)
+            };
+        case 11: // ec_point_formats
+            return {
+                formats: annotateIds(data.formats as number[], EC_POINT_FORMATS)
+            };
+        case 13: // signature_algorithms
+        case 50: // signature_algorithms_cert
+            return {
+                algorithms: annotateIds(data.algorithms as number[], SIGNATURE_ALGORITHMS)
+            };
+        case 17: // status_request_v2
+            return {
+                statusTypes: annotateIds(data.statusTypes as number[], CERTIFICATE_STATUS_TYPES)
+            };
+        case 27: // compress_certificate
+            return {
+                algorithms: annotateIds(
+                    data.algorithms as number[],
+                    CERTIFICATE_COMPRESSION_ALGORITHMS
+                )
+            };
+        case 43: // supported_versions
+            return {
+                versions: annotateIds(data.versions as number[], TLS_VERSIONS)
+            };
+        case 45: // psk_key_exchange_modes
+            return {
+                modes: annotateIds(data.modes as number[], PSK_KEY_EXCHANGE_MODES)
+            };
+        case 51: // key_share
+            return {
+                entries: (data.entries as Array<{ group: number; keyExchangeLength: number }>)
+                    .map(entry => ({
+                        group: annotateId(entry.group, SUPPORTED_GROUPS),
+                        keyExchangeLength: entry.keyExchangeLength
+                    }))
+            };
+        default:
+            return data;
+    }
+}
+
+export const tlsClientHello: HttpEndpoint = {
+    matchPath: (path) => path === '/tls/client-hello',
+    handle: (req, res) => {
+        const helloData = getClientHello(req);
+
+        if (!helloData) {
+            res.writeHead(500, { 'content-type': 'application/json' });
+            res.end(JSON.stringify({ error: 'TLS client hello data not available' }));
+            return;
+        }
+
+        res.writeHead(200, { 'content-type': 'application/json' });
+        res.end(JSON.stringify({
+            version: annotateId(helloData.version, TLS_VERSIONS),
+            random: helloData.random.toString('hex'),
+            sessionId: helloData.sessionId.length > 0
+                ? helloData.sessionId.toString('hex')
+                : null,
+            cipherSuites: annotateIds(helloData.cipherSuites, CIPHER_SUITES),
+            compressionMethods: annotateIds(helloData.compressionMethods, COMPRESSION_METHODS),
+            extensions: helloData.extensions.map(ext => ({
+                id: ext.id,
+                name: EXTENSIONS[ext.id] ?? null,
+                data: annotateExtensionData(ext.id, ext.data)
+            }))
+        }));
+    },
+    meta: {
+        path: '/tls/client-hello',
+        description: 'Returns the fully parsed TLS ClientHello. Requires HTTPS.',
+        examples: ['/tls/client-hello']
+    }
+};
diff --git a/src/endpoints/http/tls-fingerprint.ts b/src/endpoints/http/tls-fingerprint.ts
@@ -1,38 +1,18 @@
-import { TLSSocket } from 'tls';
-import { HttpEndpoint, HttpRequest } from '../http-index.js';
-import { TLS_CLIENT_HELLO } from '../../tls-client-hello.js';
-
-function getTlsSocket(req: HttpRequest): TLSSocket | undefined {
-    // HTTP/1: socket is directly available
-    if (req.socket instanceof TLSSocket) {
-        return req.socket;
-    }
-
-    // HTTP/2: socket is on the session
-    const stream = (req as any).stream;
-    const session = stream?.session;
-    const socket = session?.socket;
-    if (socket instanceof TLSSocket) {
-        return socket;
-    }
-
-    return undefined;
-}
+import { HttpEndpoint } from '../http-index.js';
+import { getClientHello } from '../../tls-client-hello.js';
 
 export const tlsFingerprint: HttpEndpoint = {
     matchPath: (path) => path === '/tls/fingerprint',
     handle: (req, res) => {
-        const tlsSocket = getTlsSocket(req);
+        const helloData = getClientHello(req);
 
-        if (!tlsSocket) {
+        if (!helloData) {
             res.writeHead(400, { 'content-type': 'application/json' });
             res.end(JSON.stringify({ error: 'Not a TLS connection' }));
             return;
         }
 
-        const helloData = tlsSocket[TLS_CLIENT_HELLO];
-
-        if (!helloData?.ja3 || !helloData?.ja4) {
+        if (!helloData.ja3 || !helloData.ja4) {
             res.writeHead(500, { 'content-type': 'application/json' });
             res.end(JSON.stringify({ error: 'TLS fingerprint not available' }));
             return;
diff --git a/src/http-handler.ts b/src/http-handler.ts
@@ -8,7 +8,7 @@ import { HttpRequest, HttpResponse } from './endpoints/http-index.js';
 import { handleWebSocketUpgrade } from './ws-handler.js';
 import { resolveEndpointChain } from './endpoint-chain.js';
 import { getDocsHtml } from './docs-page.js';
-import { TLS_CLIENT_HELLO } from './tls-client-hello.js';
+import { getClientHello } from './tls-client-hello.js';
 
 function stopRawDataCapture(req: HttpRequest): void {
     if (req.httpVersion === '2.0') {
@@ -76,9 +76,9 @@ function createHttpRequestHandler(options: {
             const authority = req.headers[':authority']?.toString();
             if (authority) {
                 const hostWithoutPort = authority.replace(/:\d+$/, '').toLowerCase();
-                const tlsClientHello = socket.stream?.[TLS_CLIENT_HELLO];
-                const sni = (tlsClientHello
-                    ? getExtensionData(tlsClientHello, 'sni')?.serverName
+                const clientHello = getClientHello(req);
+                const sni = (clientHello
+                    ? getExtensionData(clientHello, 'sni')?.serverName
                     : undefined
                 )?.toLowerCase();
 
diff --git a/src/tls-client-hello.ts b/src/tls-client-hello.ts
@@ -1,8 +1,26 @@
+import { TLSSocket } from 'tls';
 import type { TlsClientHelloMessage } from 'read-tls-client-hello';
+import type { HttpRequest } from './endpoints/http-index.js';
 
 export const TLS_CLIENT_HELLO: unique symbol = Symbol('tlsClientHello');
 
 export interface TlsClientHelloData extends TlsClientHelloMessage {
     ja3: string;
     ja4: string;
 }
+
+export function getClientHello(req: HttpRequest): TlsClientHelloData | undefined {
+    // HTTP/1: socket is directly available
+    if (req.socket instanceof TLSSocket) {
+        return req.socket[TLS_CLIENT_HELLO];
+    }
+
+    // HTTP/2: socket is on the session, wrapped in JSStreamSocket
+    const stream = (req as any).stream;
+    const socket = stream?.session?.socket;
+    if (socket instanceof TLSSocket) {
+        return socket[TLS_CLIENT_HELLO];
+    }
+
+    return undefined;
+}
diff --git a/test/tls-client-hello.spec.ts b/test/tls-client-hello.spec.ts
@@ -0,0 +1,155 @@
+import * as net from 'net';
+import * as http from 'http';
+import * as https from 'https';
+import * as streamConsumers from 'stream/consumers';
+
+import { expect } from 'chai';
+import { DestroyableServer, makeDestroyable } from 'destroyable-server';
+
+import { createServer } from '../src/server.js';
+
+describe("TLS client hello endpoint", () => {
+
+    let server: DestroyableServer;
+    let serverPort: number;
+
+    beforeEach(async () => {
+        server = makeDestroyable(await createServer());
+        await new Promise<void>((resolve) => server.listen(resolve));
+        serverPort = (server.address() as net.AddressInfo).port;
+    });
+
+    afterEach(async () => {
+        await server.destroy();
+    });
+
+    it("returns the full annotated client hello", async () => {
+        const response = await new Promise<any>((resolve, reject) => {
+            https.get(`https://localhost:${serverPort}/tls/client-hello`, {
+                rejectUnauthorized: false
+            }, async (res) => {
+                try {
+                    const body = await streamConsumers.text(res);
+                    resolve(JSON.parse(body));
+                } catch (e) {
+                    reject(e);
+                }
+            }).on('error', reject);
+        });
+
+        // Top-level structure
+        expect(response).to.have.keys([
+            'version', 'random', 'sessionId',
+            'cipherSuites', 'compressionMethods', 'extensions'
+        ]);
+
+        // Version is annotated with id and name
+        expect(response.version).to.deep.equal({ id: 0x0303, name: 'TLS 1.2' });
+
+        // Random is a 32-byte hex string
+        expect(response.random).to.be.a('string').with.lengthOf(64);
+
+        // SessionId is a hex string or null
+        expect(response.sessionId).to.satisfy(
+            (v: any) => typeof v === 'string' || v === null
+        );
+
+        // Cipher suites are annotated
+        expect(response.cipherSuites).to.be.an('array').that.is.not.empty;
+        for (const cipher of response.cipherSuites) {
+            expect(cipher).to.have.property('id').that.is.a('number');
+            expect(cipher).to.have.property('name');
+        }
+
+        // Compression methods — modern TLS only sends null (0)
+        expect(response.compressionMethods).to.deep.include({ id: 0, name: 'null' });
+
+        // Extensions are annotated
+        expect(response.extensions).to.be.an('array').that.is.not.empty;
+        for (const ext of response.extensions) {
+            expect(ext).to.have.property('id').that.is.a('number');
+            expect(ext).to.have.property('name');
+            expect(ext).to.have.property('data');
+        }
+    });
+
+    it("includes server_name extension with correct hostname", async () => {
+        const response = await new Promise<any>((resolve, reject) => {
+            https.get(`https://localhost:${serverPort}/tls/client-hello`, {
+                rejectUnauthorized: false
+            }, async (res) => {
+                try {
+                    const body = await streamConsumers.text(res);
+                    resolve(JSON.parse(body));
+                } catch (e) {
+                    reject(e);
+                }
+            }).on('error', reject);
+        });
+
+        const sniExt = response.extensions.find((e: any) => e.id === 0);
+        expect(sniExt).to.exist;
+        expect(sniExt.name).to.equal('server_name');
+        expect(sniExt.data).to.deep.equal({ serverName: 'localhost' });
+    });
+
+    it("annotates IDs within extension data", async () => {
+        const response = await new Promise<any>((resolve, reject) => {
+            https.get(`https://localhost:${serverPort}/tls/client-hello`, {
+                rejectUnauthorized: false
+            }, async (res) => {
+                try {
+                    const body = await streamConsumers.text(res);
+                    resolve(JSON.parse(body));
+                } catch (e) {
+                    reject(e);
+                }
+            }).on('error', reject);
+        });
+
+        // supported_versions should have annotated version objects
+        const versionsExt = response.extensions.find((e: any) => e.id === 43);
+        expect(versionsExt).to.exist;
+        expect(versionsExt.name).to.equal('supported_versions');
+        expect(versionsExt.data.versions).to.be.an('array').that.is.not.empty;
+        for (const v of versionsExt.data.versions) {
+            expect(v).to.have.property('id').that.is.a('number');
+            expect(v).to.have.property('name');
+        }
+
+        // supported_groups should have annotated group objects
+        const groupsExt = response.extensions.find((e: any) => e.id === 10);
+        expect(groupsExt).to.exist;
+        expect(groupsExt.data.groups).to.be.an('array').that.is.not.empty;
+        for (const g of groupsExt.data.groups) {
+            expect(g).to.have.property('id').that.is.a('number');
+            expect(g).to.have.property('name');
+        }
+
+        // signature_algorithms should have annotated algorithm objects
+        const sigAlgsExt = response.extensions.find((e: any) => e.id === 13);
+        expect(sigAlgsExt).to.exist;
+        expect(sigAlgsExt.data.algorithms).to.be.an('array').that.is.not.empty;
+        for (const a of sigAlgsExt.data.algorithms) {
+            expect(a).to.have.property('id').that.is.a('number');
+            expect(a).to.have.property('name');
+        }
+    });
+
+    it("returns 400 for non-TLS connections", async () => {
+        const response = await new Promise<{ status: number; body: any }>((resolve, reject) => {
+            http.get(`http://localhost:${serverPort}/tls/client-hello`, async (res) => {
+                try {
+                    const body = await streamConsumers.text(res);
+                    resolve({ status: res.statusCode!, body: JSON.parse(body) });
+                } catch (e) {
+                    reject(e);
+                }
+            }).on('error', reject);
+        });
+
+        expect(response.status).to.equal(400);
+        expect(response.body.error).to.equal('Not a TLS connection');
+    });
+
+});
