WebRequest TLS fingerprint

0 votes
asked May 30 by Vinni (120 points)
edited May 30 by Vinni

Hello, I am trying to retry an HTTPS request to a site that is protected by Cloudflare. Through the browser, the first request gets a 200 response, while through my code (WebRequest) it gets a 403 error. The request body is completely identical. There is an opinion that Cloudflare most likely inspects the signature of the TLS handshake (the set of algorithms, curves, etc.), checks it against its database, concludes that the request was not sent by a browser and returns a 403 error with an additional JS verification.

I was trying to recreate a similar TLS signature:

SslSettings.SslAllowedSuites - can I influence the order of the specified cipher suites? I mean the order in which they are sent. I list them like this:

creator.Settings.SslAllowedSuites =
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
        TlsCipherSuite.ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA |
        TlsCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA |
        TlsCipherSuite.RSA_WITH_AES_256_GCM_SHA384 |
        TlsCipherSuite.RSA_WITH_AES_128_GCM_SHA256 |
        TlsCipherSuite.RSA_WITH_AES_256_CBC_SHA256 |
        TlsCipherSuite.RSA_WITH_AES_128_CBC_SHA256 |
        TlsCipherSuite.RSA_WITH_AES_256_CBC_SHA |
        TlsCipherSuite.RSA_WITH_AES_128_CBC_SHA |
        TlsCipherSuite.RSA_WITH_3DES_EDE_CBC_SHA;

and in the request they are ordered differently from how I enumerate them:

Ciphers:
[C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[003D] TLS_RSA_WITH_AES_256_CBC_SHA256
[003C] TLS_RSA_WITH_AES_128_CBC_SHA256
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV

and there is a cipher that I did not specify: TLS_EMPTY_RENEGOTIATION_INFO_SCSV was added. Can it be excluded somehow?

1 Answer

0 votes
answered Jun 1 by Lukas Pokorny (123,470 points)

TLS_EMPTY_RENEGOTIATION_INFO_SCSV indicates support for the Renegotiation Indication Extension and can be switched off using SslSettings.SslRenegotiationExtensionEnabled.

But the order of ciphers is not configurable yet, although we have a hotfix that adds preliminary API for that. Please contact us at support@rebex.net to get a download link. The new API will most likely appear in R6.0 later this year.

However, please be aware that simulating web browsers or circumventing Cloudflare's browser detection is not a scenario we would support or aim for. Also, even if Cloudflare currently relies on the cipher list (which we cannot confirm), they could improve the logic at any time (TLS ClientHello messages get quite complex and unique with all the extensions), so any workaround has to be viewed as temporary. Also, by actively working around Cloudflare's browser detection, you would most likely be violating the Terms of Service of the websites you access.
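To see, from the defender's side, what a ClientHello fingerprint database keys on, here is an added example (not part of the question or answer, and not Rebex code) that builds a JA3-style fingerprint from the cipher list quoted above. It assumes TLS 1.2 (version 771) and leaves the extension, curve and point-format fields empty because the thread does not show them; the `requested` order is the one from the question's code.

```python
import hashlib
import re

# Constructed sample input: the first lines of the cipher list quoted in the
# question, in the order the library actually put them on the wire.
CLIENT_HELLO_CIPHERS = """\
[C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""
_LINE = re.compile(r"^\[([0-9A-Fa-f]{4})\]\s+\S+$")

def parse_cipher_list(text):
    """Cipher suite codes as ints, in wire order."""
    return [int(m.group(1), 16) for m in
            (_LINE.match(l.strip()) for l in text.splitlines()) if m]

def is_grease(value):
    """JA3 drops GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA) before hashing."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 text form: version,ciphers,extensions,curves,formats (decimal,
    '-' separated, wire order, GREASE removed). Order is significant."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])

def fingerprint(ciphers, extensions=(), curves=(), point_formats=()):
    """JA3 MD5 for a TLS 1.2 (0x0303 = 771) ClientHello with these fields.
    Extensions/curves/formats default to empty because the thread only
    shows the cipher list; real ClientHellos carry all of them."""
    return hashlib.md5(ja3_string(771, ciphers, extensions, curves,
                                  point_formats).encode()).hexdigest()

def demo():
    """The two effects from the thread: suite order changes the hash, and
    the 0x00FF SCSV pseudo-cipher changes it again when present."""
    as_sent = parse_cipher_list(CLIENT_HELLO_CIPHERS)
    # The same six suites in the order the question's code listed them.
    requested = [0xC02C, 0xC02B, 0xC030, 0xC02F, 0xC024, 0xC023]
    return {"requested": fingerprint(requested),
            "as_sent_no_scsv": fingerprint(as_sent[:-1]),
            "as_sent": fingerprint(as_sent)}
```

Calling `demo()` yields three different hashes for the same six suites, which is why a fingerprint match fails as soon as either the order or the SCSV differs from what the database recorded.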

...