ci: Use JA4+ to compare NSS fingerprints #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: JA4+ | |
| on: | |
| push: | |
| branches: ["main"] | |
| paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"] | |
| pull_request: | |
| branches: ["main"] | |
| paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"] | |
| merge_group: | |
| workflow_dispatch: | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| ja4: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| HOST: localhost | |
| PORT: 4433 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/rust | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - id: nss-version | |
| run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT" | |
| - uses: ./.github/actions/nss | |
| with: | |
| minimum-version: ${{ steps.nss-version.outputs.minimum }} | |
| - if: runner.os == 'Linux' | |
| run: | | |
| sudo add-apt-repository ppa:wireshark-dev/stable | |
| sudo apt-get update | |
| sudo apt-get install -y --no-install-recommends tshark tcpdump netcat firefox | |
| echo "LOOPBACK=lo" >> "$GITHUB_ENV" | |
| - if: runner.os == 'MacOS' | |
| run: | | |
| brew install wireshark tcpdump netcat firefox | |
| echo "LOOPBACK=lo0" >> "$GITHUB_ENV" | |
| - name: JA4+ fingerprint for H3 | |
| run: | | |
| cargo build --bin neqo-client | |
| PCAP="$(mktemp)" | |
| sudo tcpdump -U -i "$LOOPBACK" -w "$PCAP" host "$HOST" and port "$PORT" & | |
| netcat -l -u "$HOST" "$PORT" > /dev/null & | |
| target/debug/neqo-client --idle 3 "https://$HOST:$PORT/$SIZE" || true | |
| tshark -r "$PCAP" | |
| read -r JA4 <<<"$(tshark -n -r "$PCAP" -T fields -e tls.handshake.ja4)" | |
| echo "$JA4" | |
| echo "H3_JA4=$JA4" >> "$GITHUB_ENV" | |
| - name: JA4+ fingerprint for H2 | |
| run: | | |
| # Make a cert and key. | |
| TMP=$(mktemp -d) | |
| openssl req -nodes -new -x509 -keyout "$TMP/key" -out "$TMP/cert" -subj "/CN=DOMAIN" 2>/dev/null | |
| PCAP="$(mktemp)" | |
| sudo tcpdump -U -i "$LOOPBACK" -w "$PCAP" host "$HOST" and port "$PORT" & | |
| openssl s_server -key "$TMP/key" -cert "$TMP/cert" -accept "$PORT" -www & | |
| firefox --headless "https://$HOST:$PORT/$SIZE" & | |
| PID=$! | |
| sleep 10 | |
| kill "$PID" | |
| tshark -r "$PCAP" | |
| read -r JA4 <<<"$(tshark -n -r "$PCAP" -T fields -e tls.handshake.ja4)" | |
| echo "$JA4" | |
| echo "H2_JA4=$JA4" >> "$GITHUB_ENV" |