ci: Use JA4+ to compare NSS fingerprints #12
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: JA4+ | |
| on: | |
| push: | |
| branches: ["main"] | |
| paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"] | |
| pull_request: | |
| branches: ["main"] | |
| paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"] | |
| merge_group: | |
| workflow_dispatch: | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| ja4: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| HOST: localhost | |
| PORT: 4433 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/rust | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - id: nss-version | |
| run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT" | |
| - uses: ./.github/actions/nss | |
| with: | |
| minimum-version: ${{ steps.nss-version.outputs.minimum }} | |
| - if: runner.os == 'Linux' | |
| run: | | |
| sudo add-apt-repository ppa:wireshark-dev/stable | |
| sudo apt-get update | |
| sudo apt-get install -y --no-install-recommends tshark tcpdump netcat firefox | |
| echo "LOOPBACK=lo" >> "$GITHUB_ENV" | |
| - if: runner.os == 'MacOS' | |
| run: | | |
| brew install wireshark tcpdump netcat firefox | |
| echo "LOOPBACK=lo0" >> "$GITHUB_ENV" | |
| - name: JA4+ fingerprint for H3 | |
| run: | | |
| cargo build --bin neqo-client | |
| # Putting the pcap under /tmp doesn't work on Linux, due to a permissions error. | |
| sudo tcpdump -U -i "$LOOPBACK" -w pcap host "$HOST" and port "$PORT" & | |
| DUMP=$! | |
| netcat -l -u "$HOST" "$PORT" > /dev/null & | |
| target/debug/neqo-client --idle 3 "https://$HOST:$PORT/$SIZE" || true | |
| kill "$DUMP" | |
| tshark -r pcap | |
| read -r JA4 <<<"$(tshark -n -r pcap -T fields -e tls.handshake.ja4)" | |
| echo "$JA4" | |
| echo "H3_JA4=$JA4" >> "$GITHUB_ENV" | |
| rm pcap | |
| - name: JA4+ fingerprint for H2 | |
| run: | | |
| # Make a cert and key. | |
| TMP=$(mktemp -d) | |
| openssl req -nodes -new -x509 -keyout "$TMP/key" -out "$TMP/cert" -subj "/CN=DOMAIN" 2>/dev/null | |
| # Putting the pcap under /tmp doesn't work on Linux, due to a permissions error. | |
| sudo tcpdump -U -i "$LOOPBACK" -w pcap host "$HOST" and port "$PORT" & | |
| DUMP=$! | |
| openssl s_server -key "$TMP/key" -cert "$TMP/cert" -accept "$PORT" -www & | |
| firefox --headless "https://$HOST:$PORT/$SIZE" & | |
| PID=$! | |
| sleep 10 | |
| kill "$PID" "$DUMP" | |
| tshark -r pcap | |
| read -r JA4 <<<"$(tshark -n -r pcap -T fields -e tls.handshake.ja4)" | |
| echo "$JA4" | |
| echo "H2_JA4=$JA4" >> "$GITHUB_ENV" | |
| rm pcap | |
| - run: | | |
| echo "H3_JA4=$H3_JA4" | |
| echo "H2_JA4=$H2_JA4" | |
| [ "$H3_JA4" = "$H2_JA4" ] |