Add Chrome 150 TLS profiles#404
Open
icew4y wants to merge 10 commits into
Open
Conversation
f87bfe3 to
424eb6c
Compare
c10332a to
cdfcd97
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
HelloChrome_150andHelloChrome_150_PSKprofiles.0x0904,0x0905, and0x0906.HelloChrome_Autoon Chrome 133 until upstream Go TLS support for ML-DSA certificate signatures is available in uTLS.trust_anchorsout of the Chrome 150 profiles.Rationale
Chrome 150 advertises ML-DSA signature schemes, but the current uTLS handshake implementation is based on a Go TLS stack that cannot verify or produce ML-DSA CertificateVerify signatures yet. The explicit Chrome 150 profiles are still useful for fingerprint parity, while
HelloChrome_Autoshould avoid advertising capabilities that the stack cannot complete. Go 1.27 draft release notes includecrypto/mldsa,crypto/x509ML-DSA support, andcrypto/tlsML-DSA TLS 1.3 support, so Auto can move after that upstream support is available here.Sources
kTLSTrustAnchorIDsdisabled by default and enableskTlsMldsaSignatures: https://github.com/chromium/chromium/blob/150.0.7871.47/net/base/features.cc#L625-L627crypto/mldsa,crypto/x509, andcrypto/tls: https://go.dev/doc/go1.27#crypto_mldsaTests
go test -run 'TestHelloChrome150|TestHelloChromeAuto'go test -count=1 ./...