feat(tls): wire utls Chrome 120 ClientHelloID to defeat Cloudflare on x.com

lroolle · lroolle · commit e88b25b18d43 · 2026-04-13T07:36:58.000-07:00
Live test surfaced the real reason for the 403s: x.com's /i/api/graphql/* path is fronted by Cloudflare Bot Management, which matches on the TLS ClientHello fingerprint (JA3/JA4). Go's stdlib crypto/tls has a distinctive non-browser JA3 that Cloudflare flags as "not a real browser" and serves an HTML challenge page instead of the real GraphQL response. The diagnostic body-dump from the previous commit made this unmistakable — error message contained: <title>Attention Required! | Cloudflare</title> That's a literal Cloudflare interstitial. Not an X auth error, not a features-blob problem, not a stale cookie, not the wrong profile. Cloudflare's bot management was rejecting the request before it ever reached X's gateway. (For context: this is also why XActions' CLI uses Puppeteer instead of its own HTTP scraper. Their HTTP path probably 403s on the same Cloudflare wall. Puppeteer drives a real Chrome which trivially passes because it IS Chrome — same TLS fingerprint, same h2 settings, same everything. Heavier solution; we're trying the lighter one first.) Approach: impersonate Chrome 120 at the TLS handshake layer using github.com/refraction-networking/utls. Cloudflare's basic JA3 check should now see a Chrome 120 ClientHello and let us through. If Cloudflare also inspects HTTP/2 frame ordering or runs a JS challenge, this isn't enough — the next escalation is bogdanfinn/tls-client (full HTTP/2 fingerprint) or chromedp (real Chrome via CDP). internal/tlsprint/tlsprint.go (new): NewChromeTransport() returns an *http.Transport whose DialTLSContext performs a uTLS handshake with utls.HelloChrome_120. ALPN is pinned to http/1.1 so Go's stdlib handles the HTTP layer (we cannot match Chrome's HTTP/2 frame fingerprint with Go stdlib anyway, so advertising h1-only is the cleanest cut). Plain HTTP connections fall through DialContext, so unit tests using httptest.NewServer keep working unchanged. api/client.go: api.New() default HTTPClient is now constructed with tlsprint.NewChromeTransport() instead of the bare http.Client. All existing tests still pass because httptest is HTTP, not HTTPS. cmd/doctor.go: Updated the TLS line from "no Chrome impersonation" warning to a Success line announcing "Chrome 120 impersonation via uTLS". go.mod / go.sum: github.com/refraction-networking/utls v1.8.2, plus its indirect deps (brotli, klauspost/compress). Expected next run output: ✓ using chrome / Tammie (...) » imported 14 cookie(s): ... » verifying session against X (UserByRestId via twid)... » GET https://x.com/i/api/graphql/.../UserByRestId?… → 200 (Xms) ✓ logged in as @yourhandle (Your Name) If it's STILL Cloudflare HTML in the body, the next commit wires chromedp.
diff --git a/api/client.go b/api/client.go
@@ -16,6 +16,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/thevibeworks/x-cli/internal/tlsprint"
 )
 
 // Client is the HTTP transport for x-cli. One per authenticated session.
@@ -57,11 +59,22 @@ type Options struct {
 
 func New(opts Options) *Client {
 	if opts.HTTPClient == nil {
-		// 15s per request is generous for a single GraphQL call. Combined
-		// with the (lowered) default retry count of 1, total worst-case
-		// wall-clock for one client.GraphQL is ~30s — short enough that
-		// an interactive user does not assume the program is hung.
-		opts.HTTPClient = &http.Client{Timeout: 15 * time.Second}
+		// The default HTTP client is wired with a uTLS Chrome 120
+		// ClientHelloID round-tripper. x.com's /i/api/graphql/* path
+		// is behind Cloudflare Bot Management which JA3-fingerprints
+		// clients; Go's stdlib TLS gets flagged as non-browser and
+		// served a challenge page. Impersonating Chrome at the TLS
+		// handshake defeats that. See internal/tlsprint/ for detail.
+		//
+		// 15s per request is generous for a single GraphQL call. With
+		// the (lowered) default retry count of 1, total worst-case
+		// wall-clock for one client.GraphQL is ~30s — short enough
+		// that an interactive user does not assume the program is
+		// hung.
+		opts.HTTPClient = &http.Client{
+			Transport: tlsprint.NewChromeTransport(),
+			Timeout:   15 * time.Second,
+		}
 	}
 	if opts.UserAgent == "" {
 		opts.UserAgent = defaultUserAgent
diff --git a/cmd/doctor.go b/cmd/doctor.go
@@ -86,10 +86,13 @@ func runDoctor(cmd *cobra.Command, _ []string) error {
 
 	// 4. TLS impersonation
 	//
-	// v0.1 does not wrap the http.Client with a uTLS round-tripper, so our
-	// TLS ClientHello does not match a real Chrome. Say so loudly — it's the
-	// biggest single fingerprinting delta between x-cli and a browser.
-	cmdutil.Warn("tls: no Chrome impersonation (v0.1); JA3/JA4 differs from real browser")
+	// The default http.Client is wired with a uTLS Chrome 120
+	// ClientHelloID round-tripper (internal/tlsprint). This matches
+	// Chrome's JA3/JA4 fingerprint at the TLS handshake, which is
+	// what Cloudflare Bot Management on x.com's /i/api/graphql/* path
+	// inspects. Without this, every call gets a Cloudflare challenge
+	// page instead of the real response.
+	cmdutil.Success("tls: Chrome 120 impersonation via uTLS")
 
 	if !ok {
 		return fmt.Errorf("doctor reports one or more issues")
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.24.0
 
 require (
 	github.com/browserutils/kooky v0.2.9
+	github.com/refraction-networking/utls v1.8.2
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/zalando/go-keyring v0.2.7
@@ -12,6 +13,7 @@ require (
 )
 
 require (
+	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/browserutils/ese v0.0.0-20260314233042-37b6a03a93ce // indirect
 	github.com/danieljoos/wincred v1.2.3 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
@@ -21,6 +23,7 @@ require (
 	github.com/gonuts/binary v0.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/keybase/go-keychain v0.0.1 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pierrec/lz4/v4 v4.1.26 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
+github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/browserutils/ese v0.0.0-20260314233042-37b6a03a93ce h1:xb/LXUukZgVLMRnTUyEiCfMNH7KUCFOS4aOZnc/N+H8=
 github.com/browserutils/ese v0.0.0-20260314233042-37b6a03a93ce/go.mod h1:Rj9TJxm7cExxJmdec83sr8cjvyF3raBsszTFviSo/6U=
 github.com/browserutils/kooky v0.2.9 h1:EY1evaA/nbrFXt6F5PFUXDxoxzQNxC4IZdsVEf+wtiQ=
@@ -26,6 +28,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
+github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
+github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -36,6 +40,8 @@ github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY
 github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/refraction-networking/utls v1.8.2 h1:j4Q1gJj0xngdeH+Ox/qND11aEfhpgoEvV+S9iJ2IdQo=
+github.com/refraction-networking/utls v1.8.2/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
diff --git a/internal/tlsprint/tlsprint.go b/internal/tlsprint/tlsprint.go
@@ -0,0 +1,78 @@
+// Package tlsprint provides an http.Transport that performs the TLS
+// handshake using uTLS with a Chrome 120 ClientHelloID. x.com's
+// /i/api/graphql/* path is fronted by Cloudflare Bot Management, and
+// Cloudflare matches on the TLS ClientHello fingerprint (JA3/JA4).
+// Go's stdlib net/http has a distinctive JA3 that Cloudflare flags as
+// "non-browser" and serves a challenge page instead of the real
+// response. Impersonating Chrome at the TLS layer is how we get past.
+//
+// Scope: TLS handshake only. We deliberately pin ALPN to http/1.1 so
+// Go's stdlib handles the HTTP layer. Chrome actually negotiates h2 in
+// ALPN, which means Cloudflare sees our http/1.1-only advertisement as
+// slightly-odd-but-not-suspicious. If a future commit needs full h2
+// fingerprint parity, `github.com/bogdanfinn/tls-client` is the next
+// escalation.
+//
+// Plain HTTP connections (httptest servers in unit tests) go through
+// the standard DialContext path, so the transport is a drop-in for
+// local testing too.
+package tlsprint
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"time"
+
+	utls "github.com/refraction-networking/utls"
+)
+
+// NewChromeTransport returns an *http.Transport wired to impersonate
+// Chrome 120 for HTTPS connections. Safe to reuse across requests
+// and goroutines (http.Transport is concurrency-safe).
+func NewChromeTransport() *http.Transport {
+	dialer := &net.Dialer{
+		Timeout:   15 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}
+	return &http.Transport{
+		DialContext:           dialer.DialContext,
+		DialTLSContext:        dialTLSWithUTLS(dialer, utls.HelloChrome_120),
+		ForceAttemptHTTP2:     false,
+		MaxIdleConns:          16,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+}
+
+// dialTLSWithUTLS returns a DialTLSContext hook that performs a uTLS
+// handshake with the given ClientHelloID.
+func dialTLSWithUTLS(dialer *net.Dialer, helloID utls.ClientHelloID) func(ctx context.Context, network, addr string) (net.Conn, error) {
+	return func(ctx context.Context, network, addr string) (net.Conn, error) {
+		raw, err := dialer.DialContext(ctx, network, addr)
+		if err != nil {
+			return nil, err
+		}
+		host, _, err := net.SplitHostPort(addr)
+		if err != nil {
+			raw.Close()
+			return nil, err
+		}
+		config := &utls.Config{
+			ServerName: host,
+			// Force h1 so Go's stdlib handles the HTTP layer. Chrome
+			// actually advertises `h2, http/1.1` in ALPN; we don't
+			// match that exactly, but JA3/JA4 is what Cloudflare's
+			// bot-management layer checks first and matching the Hello
+			// itself is the load-bearing part.
+			NextProtos: []string{"http/1.1"},
+		}
+		uconn := utls.UClient(raw, config, helloID)
+		if err := uconn.HandshakeContext(ctx); err != nil {
+			uconn.Close()
+			return nil, err
+		}
+		return uconn, nil
+	}
+}
