You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[FEATURE] Enhance TLS/HTTP fingerprinting for Chrome 127-143 (#36)
* feat: Enhance TLS/HTTP fingerprinting for Chrome 127-143
- Added support for multiple Chrome profiles (127-143) with exact JA4 fingerprint matches.
- Implemented Brotli and zlib decompression for the compress_certificate extension.
- Updated SSL_CTX configuration to prevent redundant setups for browser profiles.
- Improved session creation logic to initialize cookie jars and connection pools.
- Enhanced tests to validate Chrome 143 fingerprint accuracy, including user-agent checks and TLS version support.
- Updated browser profile aliases to default to Chrome 143.
* updated pyproject.toml
* fix: Add brotli CI dependencies and bump version to 0.2.8
- Add brotli dependencies to Linux CI (brotli-devel/libbrotli-dev)
- Add brotli to macOS CI (brew install brotli)
- Add brotli:x64-windows to Windows CI (vcpkg)
- Update setup.py with Windows brotli path detection and linking
- Fix flaky test_simple_get to use local httpbin_server fixture
* fix: Build brotli from source on macOS for correct deployment target
Homebrew brotli has MACOSX_DEPLOYMENT_TARGET=15.0 which causes
delocate-wheel to fail when building wheels targeting macOS 11.0.
- Add brotli build to scripts/darwin/setup_vendors.sh
- Build with CMAKE_OSX_DEPLOYMENT_TARGET=11.0 for wheel compatibility
- Update setup.py to prefer vendor brotli over Homebrew on macOS
- Remove brotli from brew install in CI (built from source instead)
* fix: Use correct brotli library names (without -static suffix)
CMake builds brotli as libbrotlidec.a and libbrotlicommon.a,
not libbrotlidec-static.a and libbrotlicommon-static.a.
* feat: Enable HTTP/2 by default for Session class
Chrome browsers use HTTP/2 by default, so httpmorph should too.
This ensures correct JA4 fingerprint (h2 instead of h1) and
Akamai HTTP/2 fingerprint matching out of the box.
* feat: Perfect Chrome 143 fingerprint matching with documentation sync
- Add Chrome-like HTTP/2 priority (weight=256, exclusive=1) in http2_logic.c
- Remove zlib from certificate compression, use Brotli only (per Chrome behavior)
- Add Chrome default headers to Session (sec-ch-ua, sec-fetch-*, priority)
- Update all documentation to reflect Chrome 143 as default profile
- Sync README and ReadTheDocs with actual code behavior:
- Client and Session both default to http2=True
- Certificate compression is Brotli only
- Updated fingerprint characteristics (JA4, JA3N, Peetprint, Akamai)
- Fix test names to match http2=True default behavior
* fix: Restore zlib certificate decompression for server compatibility
Chrome 143 advertises brotli in the compress_certificate extension,
but some servers still send zlib-compressed certificates. Keep both
decompression handlers registered for compatibility.
Fixes TLS handshake failures with CERT_DECOMPRESSION_FAILED error
on servers using zlib certificate compression.
* fix: Match Chrome 143 TLS fingerprint exactly
Changes to match Chrome 143's actual TLS fingerprint:
1. Certificate compression (compress_certificate extension 27):
- Only advertise brotli (2), not zlib (1)
- Chrome only supports brotli certificate compression
- Servers compliant with RFC 8879 will only send brotli
2. Application settings (ALPS extension 17613):
- Only advertise "h2" protocol, not "http/1.1"
- Chrome only includes h2 in application_settings
3. Extension permutation:
- Enable SSL_CTX_set_permute_extensions() to randomize extension order
- Chrome randomizes extension order in each ClientHello
- JA4 sorts extensions alphabetically so order doesn't affect JA4
Matching fingerprints:
- Cipher hash (JA4 part 2): 8daaf6152771 ✓
- Akamai HTTP/2: 1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p ✓
- compress_certificate: brotli only ✓
- application_settings: h2 only ✓
Note: Chrome fingerprint shows 17 extensions vs httpmorph's 16 because
Chrome capture was from a resumed session with pre_shared_key (41).
Fresh connections don't include pre_shared_key, which is expected behavior.
* fix: Prevent heap corruption in HTTP/2 response body buffer cleanup on Windows
The HTTP/2 code was replacing the response body buffer (originally from
the buffer pool) with a newly malloc'd buffer, but not properly handling
the cleanup:
1. The original buffer from the pool was never returned to the pool
2. _buffer_pool was still pointing to the pool
3. _body_actual_size wasn't updated for the new buffer
When httpmorph_response_destroy() was later called, it tried to return
the malloc'd buffer to the buffer pool using the stale _body_actual_size,
causing heap corruption (especially visible on Windows with error code
0xc0000374).
Fix: Before assigning the new malloc'd buffer to response->body:
- Return the original buffer to the pool (if from pool) or free it
- Clear _buffer_pool since the new buffer is not from the pool
- Set _body_actual_size to track the actual allocation size
Fixes Windows CI heap corruption crash in Session.__del__
The OS parameter only affects the User-Agent string, while all other fingerprinting characteristics (TLS, HTTP/2, JA3/JA4) remain consistent to match the specified browser profile.
- Built on BoringSSL (Google) with post-quantum cryptography support
440
439
- HTTP/2 support via nghttp2
441
440
- Inspired by Python's requests and httpx libraries
442
-
- Chrome 142 fingerprint matching with perfect JA3N, JA4, and JA4_R matches
443
-
- Certificate compression support for Cloudflare-protected sites
441
+
- Chrome 127-143 fingerprint matching with perfect JA4, JA3N, and HTTP/2 Akamai fingerprints
442
+
- Certificate compression (Brotli) for Cloudflare-protected sites
444
443
445
444
## FAQ
446
445
447
446
**Q: Why another HTTP client?**
448
447
A: httpmorph combines the performance of native C with browser fingerprinting capabilities, making it ideal for applications that need both speed and realistic browser behavior.
449
448
450
-
**Q: How accurate is the Chrome 142 fingerprint?**
451
-
A: httpmorph achieves perfect matches for modern fingerprints including JA3N, JA4, and JA4_R. This is verified against real Chrome 142 browsers. Test your fingerprint at https://suip.biz/?act=ja4
449
+
**Q: How accurate are the Chrome fingerprints?**
450
+
A: httpmorph achieves perfect JA4 matches for Chrome 127-143. Test your fingerprint at https://tls.peet.ws/api/all
452
451
453
452
**Q: Is it production-ready?**
454
453
A: No, httpmorph is still in active development and not yet recommended for production use.
@@ -457,7 +456,7 @@ A: No, httpmorph is still in active development and not yet recommended for prod
457
456
A: For most common use cases, yes! We've implemented the most widely-used requests API. Some advanced features may have slight differences.
458
457
459
458
**Q: Does it work with Cloudflare-protected sites?**
460
-
A: Yes! httpmorph supports certificate compression (Brotli, Zlib) which is required for many Cloudflare-protected sites. We successfully tested with icanhazip.com and postman-echo.com.
459
+
A: Yes! httpmorph supports certificate compression (Brotli) which is required for many Cloudflare-protected sites. We successfully tested with icanhazip.com and postman-echo.com.
461
460
462
461
**Q: How do I report a bug?**
463
462
A: Please open an issue on GitHub with a minimal reproduction example and your environment details (OS, Python version, httpmorph version).
@@ -53,7 +53,7 @@ Customize the User-Agent for different operating systems:
53
53
GREASE Values
54
54
~~~~~~~~~~~~~
55
55
56
-
Chrome 142 uses GREASE (Generate Random Extensions And Sustain Extensibility) values that are randomized per request to maintain TLS ecosystem extensibility:
56
+
Chrome 143 uses GREASE (Generate Random Extensions And Sustain Extensibility) values that are randomized per request to maintain TLS ecosystem extensibility:
0 commit comments