TLS Client Hello Mirror

This service presents your browser's TLS Client Hello message in multiple formats. It can be used directly or in CI tests to check for TLS privacy pitfalls (session resumption, fingerprinting, system time exposure) and security shortcomings (deprecated TLS versions, weak cipher suites, missing features, etc). Details here.

API endpoints

API documentation

Connection

TLS version: TLS 1.3
Cipher suite: TLS_AES_128_GCM_SHA256
TLS session resumed: false

If you haven't already, refresh the page to check if your browser supports session resumption.

Client Hello

Supported features

Signed certificate timestamps: true
OCSP stapling: true

Supported TLS/SSL versions

TLS 1.3
TLS 1.2

Cipher suites

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Extensions

supported_versions
ec_point_formats
supported_groups
signature_algorithms
extended_master_secret
status_request
server_name
signed_certificate_timestamp
key_share
psk_key_exchange_modes
application_layer_protocol_negotiation
session_ticket

Supported groups

x25519
secp256r1
secp384r1

Signature algorithms

ecdsa_secp384r1_sha384
ecdsa_secp256r1_sha256
ed25519
rsa_pss_rsae_sha512
rsa_pss_rsae_sha384
rsa_pss_rsae_sha256
rsa_pkcs1_sha512
rsa_pkcs1_sha384
rsa_pkcs1_sha256

TLS fingerprint

JA3: 771,4866-4865-4867-49196-49195-52393-49200-49199-52392-255,43-11-10-13-23-5-0-18-51-45-16-35,29-23-24,0
JA3 MD5: 8bbd943d14de60c73f5f627d91caccb5

NJA3v1: 769,771,4866-4865-4867-49196-49195-52393-49200-49199-52392-255,5-10-11-13-18-23-43-45-51,29-23-24,0,772-771,1283-1027-2055-2054-2053-2052-1537-1281-1025,1,
NJA3v1 SHA256/128: f25d416129db5414f62337c61e595782

Parameters in the Client Hello message differ between clients, enabling servers and on-path observers to detect what browser you are likely using (down to its version, or a range of versions) by deriving its fingerprint from said parameters. Worse, if you change any TLS-related settings, your TLS fingerprint becomes specific to a much smaller group of users, possibly even to you alone.

JA3 is a simple and popular type of TLS fingerprint. NJA3 is a similar style of fingerprint which aims to improve the robustness and accuracy of JA3.