nginx-ssl-ja3: nginx variables for ja3 fingerprint

    *) nginx modules
      *) config
      *) http_ssl_ja3_hash variable
      *) stream_ssl_ja3_hash variable
    *) docker
      *) dockerfiles
      *) compose
    *) travis

Author: fooinha

.travis.yml

@@ -0,0 +1,53 @@
+sudo: required
+dist: trusty
+
+os: linux
+
+language: c
+
+compiler:
+  - gcc
+
+cache:
+  apt: true
+  directories:
+
+env:
+  global:
+    - NGINX_PREFIX=/opt/nginx
+    - JOBS=4
+    - PATH=$PATH:$NGINX_PREFIX/sbin
+
+before_install:
+  - sudo apt-get install -qq -y software-properties-common
+  - sudo add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu/ xenial main universe"
+  - sudo apt-get update -qq -y --fix-missing
+  - sudo apt-get install -qq -y --fix-missing cpanminus mercurial build-essential make clang valgrind
+
+install:
+  - if [ ! -d /opt ]; then mkdir /opt; fi
+  - git clone https://github.com/openresty/test-nginx.git
+  - hg clone http://hg.nginx.org/nginx
+  - git clone https://github.com/openssl/openssl
+
+script:
+  - ls -la
+  - cd openssl
+  - ./config -d
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo make install > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
+  - cd test-nginx
+  - sudo cpanm .
+  - cd ..
+  - export LD_LIBRARY_PATH=/usr/local/lib/
+  - cp -v docker/debian-nginx-ssl-ja3/nginx.ssl.extensions.patch nginx/.
+  - cd nginx
+  - patch -p1 < nginx.ssl.extensions.patch
+  - auto/configure --with-debug --with-stream --with-ld-opt="-Wl,-E" --prefix=$NGINX_PREFIX  --with-http_ssl_module --with-stream_ssl_module --add-module=$PWD/.. > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo make install > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
+  - export PATH=$NGINX_PREFIX/sbin:$PATH
+  - /opt/nginx/sbin/nginx -V
+  - ldd /opt/nginx/sbin/nginx

CHANGES

@@ -0,0 +1,11 @@
+Changes with nginx-ssl-ja3 0.0.1                                   20 Aug  2017
+
+    *) nginx modules
+      *) config
+      *) http_ssl_ja3_hash variable
+      *) stream_ssl_ja3_hash variable
+    *) docker
+      *) dockerfiles
+      *) compose
+    *) travis
+

COPYRIGHT

@@ -0,0 +1,30 @@
+-----------------------------------------------------------------------------
+NGINX License
+
+/* 
+ * Copyright (C) 2002-2016 Igor Sysoev
+ * Copyright (C) 2011-2016 Nginx, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+-----------------------------------------------------------------------------

README.md

@@ -0,0 +1,108 @@
+# nginx-ssl-ja3  [![Build Status](https://travis-ci.org/fooinha/nginx-ssl-ja3.svg?branch=master)](https://travis-ci.org/fooinha/nginx-ssl-ja3)
+
+nginx module for SSL/TLS ja3 fingerprint.
+
+## Description
+
+This module adds to nginx the ability of new nginx variables for the TLS/SSL ja3 fingerprint.
+
+For details about the ja3 fingerprint algorithm, check initial [project](https://github.com/salesforce/ja3).
+
+## Configuration
+
+### Directives
+
+No directives yet.
+
+### Variables
+
+#### $http_ssl_ja3_hash
+
+The ja3 fingerprint MD5 hash for a SSL connection for a HTTP server.
+
+Example:
+
+```
+http {
+    server {
+        listen                 127.0.0.1:443 ssl;
+        ssl_certificate        cert.pem;
+        ssl_certificate_key    rsa.key;
+        error_log              /dev/stderr debug;
+        return                 200 "$time_iso8601-$http_ssl_ja3_hash\n";
+    }
+}
+```
+
+#### $stream_ssl_ja3_hash
+
+The ja3 fingerprint MD5 hash for a SSL connection for a stream server.
+
+Example:
+
+```
+stream {
+    server {
+        listen                 127.0.0.1:12345 ssl;
+        ssl_certificate        cert.pem;
+        ssl_certificate_key    rsa.key;
+        error_log              /dev/stderr debug;
+        return                 "$time_iso8601-$stream_ssl_ja3_hash\n";
+    }
+}
+```
+
+## Build
+
+### Dependencies
+
+* [OpenSSL](https://github.com/openssl) - master dev version
+
+The master version OpenSSL is required because this module fetches the
+extensions types declared at SSL/TLS Client Hello by using the new early
+callback [SSL_CTX_set_early_c](https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_early_cb.html).
+
+I was unable to find a way to get these values with the current versions of
+nginx and OpenSSL.
+
+So, in order to, have the client extensions available for the fingerprint,
+we also need to apply a patch to the nginx code.
+
+If you use, for development, the [docker](#docker) supplied in this repo,
+the patch is already applied. Check the Dockerfile of the dev image.
+
+### Patches
+
+ - [save Client Hello extensions at nginx's SSL connection](docker/debian-nginx-ssl-ja3/nginx.ssl.extensions.patch)
+
+
+### Compilation and installation
+
+Build as a common nginx module.
+
+```bash
+$ ./configure --add-module=/build/ngx_ssl_ja3 --with-http_ssl_module --with-stream_ssl_module --with-debug --with-stream
+$ make && make install
+
+```
+## Tests
+
+Not available yet.
+
+## Docker
+
+Docker images and a docker compose file is available at the ./docker directory.
+
+```
+$ docker-compose up --build -d
+
+Creating nginx-ssl-ja3
+
+```
+
+## Fair Warning
+
+**THIS IS NOT PRODUCTION** ready.
+
+So there's no guarantee of success. It most probably blow up when running in real life scenarios.
+

config

@@ -0,0 +1,28 @@
+ngx_addon_name=ngx_ssl_ja3_module
+ngx_module_incs=$ngx_addon_dir/src
+
+NGINX_VERSION=`grep version src/core/nginx.h  | sed 's/#define nginx_version *//;'`
+
+#TODO: To validate if correct OpenSSL version is available
+
+if [ ! -z "${NGINX_VERSION}" ]
+then
+    if [ $NGINX_VERSION -gt 1011002 ]
+    then
+        STREAM_MODULES="ngx_stream_ssl_ja3_preread_module $STREAM_MODULES"
+        NGX_ADDON_SRCS="$NGX_ADDON_SRCS                           \
+         $ngx_addon_dir/src/ngx_stream_ssl_ja3_preread_module.c"
+        echo " + ngx_ssl_ja3: stream support"
+    fi
+fi
+
+HTTP_MODULES="$HTTP_MODULES ngx_http_ssl_ja3_module"
+
+CORE_INCS="$CORE_INCS $ngx_module_incs"
+
+NGX_ADDON_SRCS="$NGX_ADDON_SRCS                         \
+ $ngx_addon_dir/src/ngx_ssl_ja3.c                       \
+ $ngx_addon_dir/src/ngx_http_ssl_ja3_module.c
+ "
+
+CORE_LIBS="$CORE_LIBS"

docker/debian-nginx-ssl-ja3/Dockerfile

@@ -0,0 +1,115 @@
+FROM debian:sid
+
+LABEL maintainer "fooinha@gmail.com"
+
+# Build arguments
+ARG DEBIAN_REPO_HOST=httpredir.debian.org
+ARG GIT_LOCATION=https://github.com/fooinha/nginx-ssl-ja3.git
+ARG GIT_BRANCH=master
+
+# Mirror to my location
+RUN echo "deb http://${DEBIAN_REPO_HOST}/debian sid main" > /etc/apt/sources.list
+RUN echo "deb-src http://${DEBIAN_REPO_HOST}/debian sid main" >> /etc/apt/sources.list
+
+# Update
+RUN DEBIAN_FRONTEND=noninteractive apt-get update || true
+
+# Install build dependencies
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing \
+    apt-utils \
+    autoconf \
+    automake \
+    bind9-host \
+    build-essential \
+    dh-autoreconf \
+    cpanminus \
+    curl \
+    devscripts \
+    exuberant-ctags \
+    git-core \
+    jq \
+    llvm \
+    libgeoip1 \
+    libgeoip-dev \
+    libpcre3 \
+    libpcre3-dbg \
+    libpcre3-dev \
+    libperl-dev \
+    libmagic-dev \
+    libtool \
+    lsof \
+    make \
+    mercurial \
+    ngrep \
+    procps \
+    python \
+    telnet \
+    tcpflow \
+    valgrind \
+    vim \
+    wget \
+    zlib1g \
+    zlib1g-dev
+
+# Create build directory
+RUN mkdir -p /build
+
+WORKDIR /build
+
+# Fetches and clones from git location
+RUN git clone ${GIT_LOCATION}
+RUN cd nginx-ssl-ja3 && git checkout ${GIT_BRANCH}
+
+WORKDIR /build
+
+# Get openssl master from git
+RUN git clone https://github.com/openssl/openssl
+
+# Build and install openssl
+WORKDIR /build/openssl
+RUN ./config -d
+RUN make
+RUN make install
+
+# Clone from nginx
+WORKDIR /build
+RUN hg clone http://hg.nginx.org/nginx
+
+# Patch nginx for fetching ssl client extensions
+WORKDIR /build/nginx
+COPY nginx.ssl.extensions.patch /build/nginx
+RUN cat nginx.ssl.extensions.patch
+RUN patch -p1 < nginx.ssl.extensions.patch
+
+# Get test framework
+RUN git clone https://github.com/openresty/test-nginx.git
+
+# Install test framework and dependencies
+RUN cd test-nginx/ && cpanm .
+
+# Configure, make and install
+RUN export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
+RUN ./auto/configure --add-module=/build/nginx-ssl-ja3 --with-http_ssl_module --with-stream_ssl_module --with-debug --with-stream --with-cc-opt="-fsanitize=address -O -fno-omit-frame-pointer" --with-ld-opt="-Wl,-E -lasan"
+RUN make install
+
+# Install files
+RUN mkdir -p /usr/local/nginx/conf/
+COPY nginx.conf /usr/local/nginx/conf/nginx.conf
+
+# Install self-signed certificate
+RUN LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib /usr/local/bin/openssl req -new -x509 -days 365 -nodes -out /usr/local/nginx/conf/cert.pem -keyout /usr/local/nginx/conf/rsa.key -subj "/C=PT/ST=Lisbon/L=Lisbon/O=Development/CN=foo.local"
+
+# exuberant ctags
+RUN cd /build/nginx-ssl-ja3 && ctags -R src/ ../nginx/src/
+
+# vim config
+COPY vimrc /etc/vim/vimrc
+
+RUN echo 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib' | tee -a /root/.bashrc
+RUN echo 'export PATH=$PATH:/usr/local/bin:/usr/local/nginx/sbin' | tee -a /root/.bashrc
+RUN echo '' | tee -a /root/.bashrc
+RUN echo 'export ASAN_OPTIONS=symbolize=1' | tee -a /root/.bashrc
+RUN echo 'export export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer' | tee -a /root/.bashrc
+RUN echo '' | tee -a /root/.bashrc
+RUN echo  'TO TEST RUN:\n    nginx &\n    openssl s_client -connect 127.0.0.1:12345 -cipher "AES128-SHA" -curves secp521r1' | tee -a /build/TEST.README
+

docker/debian-nginx-ssl-ja3/nginx.conf

@@ -0,0 +1,27 @@
+#user  nobody;
+worker_processes  1;
+daemon off;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen                 127.0.0.1:443 ssl;
+        ssl_certificate        cert.pem;
+        ssl_certificate_key    rsa.key;
+        error_log              /dev/stderr debug;
+        return                 200 "$time_iso8601-$http_ssl_ja3_hash\n";
+    }
+}
+
+stream {
+    server {
+        listen                 127.0.0.1:12345 ssl;
+        ssl_certificate        cert.pem;
+        ssl_certificate_key    rsa.key;
+        error_log              /dev/stderr debug;
+        return                 "$time_iso8601-$stream_ssl_ja3_hash\n";
+    }
+}