Skip to content

Add Chrome 150 TLS profiles#404

Draft
icew4y wants to merge 10 commits into
refraction-networking:masterfrom
icew4y:feature/chrome-150-tls-profile-upstream
Draft

Add Chrome 150 TLS profiles#404
icew4y wants to merge 10 commits into
refraction-networking:masterfrom
icew4y:feature/chrome-150-tls-profile-upstream

Conversation

@icew4y

@icew4y icew4y commented Jul 2, 2026

Copy link
Copy Markdown

Summary

  • Add HelloChrome_150 and HelloChrome_150_PSK profiles.
  • Add ML-DSA signature scheme constants/string mappings for 0x0904, 0x0905, and 0x0906.
  • Keep HelloChrome_Auto on Chrome 133 until upstream Go TLS support for ML-DSA certificate signatures is available in uTLS.
  • Keep trust_anchors out of the Chrome 150 profiles.

Rationale

Chrome 150 advertises ML-DSA signature schemes, but the current uTLS handshake implementation is based on a Go TLS stack that cannot verify or produce ML-DSA CertificateVerify signatures yet. The explicit Chrome 150 profiles are still useful for fingerprint parity, while HelloChrome_Auto should avoid advertising capabilities that the stack cannot complete. Go 1.27 draft release notes include crypto/mldsa, crypto/x509 ML-DSA support, and crypto/tls ML-DSA TLS 1.3 support, so Auto can move after that upstream support is available here.

Sources

Tests

  • go test -run 'TestHelloChrome150|TestHelloChromeAuto'
  • go test -count=1 ./...

@icew4y icew4y marked this pull request as ready for review July 2, 2026 00:29
@icew4y icew4y marked this pull request as draft July 2, 2026 21:17
@icew4y icew4y force-pushed the feature/chrome-150-tls-profile-upstream branch 2 times, most recently from f87bfe3 to 424eb6c Compare July 7, 2026 06:40
@icew4y icew4y force-pushed the feature/chrome-150-tls-profile-upstream branch from c10332a to cdfcd97 Compare July 7, 2026 16:54
@icew4y icew4y marked this pull request as ready for review July 8, 2026 18:22
@4erdenko

Copy link
Copy Markdown

Am I reading the current implementation correctly?

The PR description says HelloChrome_Auto should remain on Chrome 133
until native Go ML-DSA support is available. However, the default
mldsa_circl.go implementation returns goMLDSASupported() == true, so
defaultChromeAutoID() selects HelloChrome_150 in normal builds.

Is the intention now to treat CIRCL support as sufficient for Auto,
despite pure ML-DSA certificate chains still not being verifiable by
crypto/x509?

It may be safer to:

  1. merge HelloChrome_150 as an explicit profile;
  2. keep HelloChrome_Auto on 133 for now;
  3. switch Auto separately after native Go/x509 support is integrated.

@icew4y icew4y marked this pull request as draft July 14, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants