Finalize TLS Client Hello to impersonate Chrome

2025-08-08 20:59:59 +00:00 · 2022-02-19 00:48:26 +02:00
parent b7d9388bf3
commit 647c4f428c
2 changed files with 20 additions and 10 deletions
--- a/Dockerfile.chrome
+++ b/Dockerfile.chrome
@@ -61,9 +61,10 @@ RUN cd ${CURL_VERSION} && \
    for p in $(ls curl-*.patch); do patch -p1 < $p; done && \
    autoreconf -fi

-# Compile curl with BoringSSL
+# Compile curl with BoringSSL & nghttp2.
+# Enable keylogfile for debugging of TLS traffic.
 RUN cd ${CURL_VERSION} && \
-    ./configure --with-openssl=/build/boringssl/build --enable-static --disable-shared --with-nghttp2=/usr/local LIBS="-pthread" CFLAGS="-I/build/boringssl/build" && \
+    ./configure --with-openssl=/build/boringssl/build --enable-static --disable-shared --with-nghttp2=/usr/local LIBS="-pthread" CFLAGS="-I/build/boringssl/build" USE_CURL_SSLKEYLOGFILE=true && \
    make

 # 'xxd' is needed for the wrapper script
--- a/curl-openssl.patch
+++ b/curl-openssl.patch
@@ -1,5 +1,5 @@
 --- curl-7.81.0-original/lib/vtls/openssl.c	2022-01-03 18:36:46.000000000 +0200
-+++ curl-7.81.0/lib/vtls/openssl.c	2022-02-18 18:07:04.220805893 +0200
+++ curl-7.81.0/lib/vtls/openssl.c	2022-02-18 20:02:23.559231773 +0200
@@ -78,2 +78,4 @@
 
 +#include <brotli/decode.h>
@@ -49,7 +49,7 @@
     SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
 +  */
 #endif
-@@ -2939,2 +2972,19 @@
+@@ -2939,2 +2972,15 @@
 
 +  /* curl-impersonate:
 +   * Configure BoringSSL to behave like Chrome. 
@@ -64,21 +64,30 @@
 +   * Add Brotli decompression. See Chromium net/ssl/cert_compression.cc */
 +  SSL_CTX_add_cert_compression_alg(backend->ctx,
 +          TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert);
-+
-+  /* Enable TLS extensions 5 - status_request and 18 - signed_certificate_timestamp. */
-+  SSL_CTX_enable_ocsp_stapling(backend->ctx);
-+  SSL_CTX_enable_signed_cert_timestamps(backend->ctx);
 
-@@ -3238,2 +3288,24 @@
+@@ -3238,2 +3284,37 @@
 
 +#ifdef USE_HTTP2
 +  /* curl-impersonate: This adds the ALPS extension (17513).
 +   * Chromium calls this function as well in SSLClientSocketImpl::Init().
 +   * The 4th parameter is called "settings", and I don't know what it
 +   * should contain. For now, use an empty string. */
-+  SSL_add_application_settings(backend->handle, "h2", 2, "", 0);
+  SSL_add_application_settings(backend->handle, "h2", 2, NULL, 0);
 +#endif
 +
+  SSL_set_options(backend->handle,
+      SSL_OP_LEGACY_SERVER_CONNECT);
+  SSL_set_mode(backend->handle,
+      SSL_MODE_CBC_RECORD_SPLITTING | SSL_MODE_ENABLE_FALSE_START);
+
+  /* curl-impersonate: Enable TLS extensions 5 - status_request and
+   * 18 - signed_certificate_timestamp. */
+  SSL_enable_signed_cert_timestamps(backend->handle);
+  SSL_enable_ocsp_stapling(backend->handle);
+
+  /* curl-impersonate: Some SSL settings copied over from Chrome. */
+  SSL_set_shed_handshake_config(backend->handle, 1);
+
 +  /* curl-impersonate: Set the signature algorithms.
 +   * (TLS extension 13).
 +   * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */