Some bug must be introduced in v0.6.0b7...v0.6.0b8

The http2 fingerprints have changed.

(This result is by someone sent me in PM)

TOR browser

Cipher Suites (11 suites)
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

Second legacy firefox 115esr tor based on it

Cipher Suites (17 suites)
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

I noticed that ja3 on the Tor browser on PC and on the Tor browser on Android is the same

Has anyone encountered occasional exceptions with the libcurl.dll library in the Windows x86_64 version? Through debugging and analysis, it was found that in the function void Curl_resolver_cancel(struct Curl_easy *data) { destroy_async_data(&data->conn->resolve_async); }, the data->conn is already null. It seems that the following function is called twice:`/*

• Curl_detach_connection() removes the given transfer from the connection.
• This is the only function that should clear data->conn. This will
• occasionally be called with the data->conn pointer already cleared.
  */
  void Curl_detach_connection(struct Curl_easy *data);`
  The comment within this function also indicates that there may be occasional multiple clearings of data->conn. In actual use, this occasionally triggers exceptions, and there is no 100% reproducible method found. However, after switching to using the c-ares library, the problem has not been observed so far.

As our patches keep growing, it's becoming more and more likely that we will introduce extra bugs. It would make us much more confident if we could run the curl tests after the patches have been applied.

The MACOSX_DEPLOYMENT_TARGET env var controls which minimum MacOS version the compilation will target. For arm64, the minimum possible version is always MacOS 11.0 (even if the env var is set to be lower), but for x86_64 the version could be even lower (e.g. 10.15).

Without setting this env var, libcurl may not work on users running an older MacOS than the gh actions worker - e.g. in this issue: jeffreydwalter/arlo#205

I was wondering if it was possible for you to integrate libcurl-impersonate into a native Node.js addon so it works in JS out-of-the-box, without the long and tedious process of building node-libcurl with the impersonate patch.
What I'm suggesting is a fork of node-libcurl because I feel like that would take a lot less work than creating a new thing from scratch. While I do understand there are a couple of forks which do that, they are all unmaintained and largely out of date. This repository seems somewhat alive so I hope it won't be an issue keeping it alive. (An occasional pull from upstream should be all of the maintenance it needs.)
I'm not very familiar with the development ecosystem of c++ and such so I'm afraid I won't be of much help, but logically it shouldn't be that big of a deal, right? Surely we can just replace which curl it uses in it's deps. (I understand it may not be this simple, but I really need a reliable impersonate library in Node. Thanks in advance!)

Tried adding this to build-and-test-make.yml but it errors out when building zlib

          - arch: arm
            target: arm-linux-gnueabihf.2.17
            host: arm-linux-gnueabihf
            capture_interface: eth0
            cflags: "-mfpu=vfp -mfloat-abi=soft -mcpu=cortex-a53"

The goal is to run curl-impersonate binaries and curl_cffi wheels on general purpose RISC-V SBCs.

I get the following errors when compiling on Debian 11.
How can I fix it ?
Thanks

# Fix the directory structure so that curl can compile against it.
# See https://everything.curl.dev/source/build/tls/boringssl
mkdir -p lib
ln -sf ../crypto/libcrypto.a lib/libcrypto.a
ln -sf ../ssl/libssl.a lib/libssl.a
cp -Rf ../include .
-- Configuring done
-- Generating done
-- Build files have been written to: /temp/curl-impersonate/build/boringssl/build
[5/747] Generating crypto_test_data.cc
FAILED: crypto_test_data.cc
cd /temp/curl-impersonate/build/boringssl && /usr/bin/go run util/embed_test_data.go -file-list /temp/curl-impersonate/build/boringssl/build/embed_test_data_args.txt > /temp/curl-impersonate/build/boringssl/build/crypto_test_data.cc
# command-line-arguments
util/embed_test_data.go:81:16: undefined: os.ReadFile
util/embed_test_data.go:131:16: undefined: os.ReadFile
note: module requires Go 1.19
[8/747] Generating aesv8-gcm-armv8-apple.S
ninja: build stopped: subcommand failed.
make: *** [Makefile:269: /temp/curl-impersonate/build/boringssl/build/lib/libssl.a] Error 1

Maybe we should build natively with VC, not mingw?

The Zig compiler supports building C and C++ code with zig cc and zig c++, since it uses clang internally. With clang, [cross] compiling to x86_64, aarch64, and arm32 is possible with the same toolchain, and even cross compiling to Windows/MacOS if desired. Additionally, Zig allows targeting a specific glibc release, which would make it easier to pin to glibc 2.17 (for manylinux2014 compliance) without using old distro containers.

I've had success in my Portable Python project using Zig to compile all of CPython and its dependencies against glibc 2.17, so I think it should be possible to do the same here.

Hello,

I've noticed that the priority header gets sent, however comparing it to browser requests (using webhook.site for example to get the request headers) shows that they do not in fact send it.
According to this article the header itself doesn't get sent.

No clue if that would break stuff in the impersonation level, however I've just bumped into issue with one site with the request headers being too big (http 431) and this might be a reason for such issues with servers that support up to http11 and not http2 and 3 which use the priority header.

https://github.com/Kikobeats/https-tls?tab=readme-ov-file

Setup TLS details according to user-agent

Could we use that project above to do things more dynamically?

It seems that our patch does not work on curl 8.5.0. curl is constantly changing how it compiles on Windows :(

curl-impersonate v0.7.0 crashes when making a request (e.g. if the executable is given URL input) on Windows 7 SP1.

It abruptly aborts with an error message of "This application has requested the Runtime to terminate it in an unusual way."

If the executable is run with the --help flag it does not error.

Here is a side-by-side comparison of upstream curl v8.8.0 vs curl-impersonate v0.7.0:

I can reproduce the issue with both the curl-impersonate 0.7.0 windows .exe and libcurl-impersonate 0.7.0/curl_cffi 0.7.0. See the linked issue below for an example of the crash with curl_cffi:

• yt-dlp/yt-dlp#10426 (comment)

I cannot reproduce this issue with curl_cffi 0.5.10 or the upstream libcurl-impersonate. Both work fine with Windows 7.

• System info: fully patched Windows 7 Professional Service Pack 1 Build 7601

• Note: v0.7.0 works fine if VxKex is activated.

I tried build with CMake but got error (Unknown CMake command "openssl_check_symbol_exists".) because of USE_ECH option. If I move ECH option snippet to below openssl_check_symbol_exists macro, it fixes.

Here it is new patch about ECH option snippet to fix the problem.

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a54c2ff..9b23a59 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -671,6 +671,29 @@ if(USE_OPENSSL OR USE_WOLFSSL)
   endif()
 endif()
 
+option(USE_ECH "Enable ECH support" OFF)
+if(USE_ECH)
+  if(USE_OPENSSL OR USE_WOLFSSL)
+    # Be sure that the OpenSSL/wolfSSL library actually supports ECH.
+    if(NOT DEFINED HAVE_ECH)
+      if(USE_OPENSSL AND HAVE_BORINGSSL)
+        openssl_check_symbol_exists(SSL_set1_ech_config_list "openssl/ssl.h" HAVE_ECH)
+      elseif(USE_OPENSSL)
+        openssl_check_symbol_exists(SSL_ech_set1_echconfig "openssl/ech.h" HAVE_ECH)
+      elseif(USE_WOLFSSL)
+        openssl_check_symbol_exists(wolfSSL_CTX_GenerateEchConfig "wolfssl/options.h;wolfssl/ssl.h" HAVE_ECH)
+      endif()
+    endif()
+    if(NOT HAVE_ECH)
+      message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/wolfSSL")
+    else()
+      message("ECH enabled.")
+    endif()
+  else()
+    message(FATAL_ERROR "ECH requires ECH-enablded OpenSSL, BoringSSL or wolfSSL")
+  endif()
+endif()
+
 option(USE_NGHTTP2 "Use nghttp2 library" OFF)
 if(USE_NGHTTP2)
   find_package(NGHTTP2 REQUIRED)

CMake configure command

cmake -GNinja -S curl -B build/curl -DCMAKE_BUILD_TYPE=Debug -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON -DBUILD_STATIC_CURL=ON -DCURL_USE_OPENSSL=ON -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DUSE_ZLIB=ON -DUSE_WIN32_IDN=ON -DUSE_NGHTTP2=ON -DUSE_ECH=ON -DENABLE_WEBSOCKETS=ON -DCMAKE_PREFIX_PATH=packages -DCMAKE_INSTALL_PREFIX=packages

CMake version: cmake version 3.28.0-msvc1
Platform: Windows 10 22H2 - 19045.3693

BoringSSL won't link without this option on Windows, due to missing symbols of the fiat lib.

This option literally means no assembly code at all, but the code says otherwise, it is not clear whether it turns off assembly completely or not. If so, performance can be hurt, if not, maybe we can leave it as is.

Useful links:

1. grpc/grpc#9440
2. https://github.com/mit-plv/fiat-crypto
3. https://boringssl.googlesource.com/boringssl/+/HEAD/BUILDING.md
4. https://stackoverflow.com/questions/26963740/linking-in-assembly-files-with-mingw
5. https://github.com/google/boringssl/blob/master/util/generate_build_files.py
6. mxschmitt/action-tmate#86

Hi Folks,

Want to start by saying love the project (only just discovered but very cool how you've opened up the curl impersonate even further to make on the fly customization even easier).

I'm having issues with certificate errors.

Is this because the files in the releases section were built without cert bundle or is it likely a miss-configuration on my end.
I wasn't sure if i maybe needed to add "-lboringssl" to my linker settings on compilation (Testing using windows mingw64 with vs code)

Error: 0x23e6c979530SSL peer certificate or SSH remote key was not OK

(This solves it but feels like it defeats the purpose: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); )

Edit: the below is a the rough outline of what I'm using in my program, I have other code around it but I believe this is the only curl impersonate relevant parts

void chrome::init()
{
    if (ready == false)
    {
#ifdef _WIN32
        HMODULE curlLib = LoadLibraryW(L"libcurl.dll");
#else
        void *curlLib = dlopen("chrome/libcurl.so", RTLD_NOW | RTLD_GLOBAL);
#endif
        if (curlLib)
        {
            using CurlEasyInit = CURL *(*)();
#ifdef _WIN32
            CurlEasyInit curlEasyInit = (CurlEasyInit)GetProcAddress(curlLib, "curl_easy_init");
#else
            CurlEasyInit curlEasyInit = (CurlEasyInit)dlsym(curlLib, "curl_easy_init");
#endif
            if (curlEasyInit)
            {
                curl = curlEasyInit();
                ready = (curl != nullptr);
            }
        }
    }
}

std::pair<std::string, std::string> chrome::runCurl(const std::string& url, const std::string& method, const std::string& requestData, bool firstrun, long timeout)
{
    std::string responseData;
    std::string error;

    // Initialize libcurl if not already initialized
    if (!curl)
    {
        curl = curl_easy_init();
    }

    if (curl)
    {
        // Set URL
        std::cout << url << std::endl;
        curl_easy_setopt(curl, CURLOPT_URL, url.c_str());

        // Set method (GET or POST)
        if (method == "POST")
        {
            curl_easy_setopt(curl, CURLOPT_POST, 1L);

            if (!requestData.empty())
            {
                curl_easy_setopt(curl, CURLOPT_POSTFIELDS, requestData.c_str());
            }
        }
        else if (method != "GET")
        {
            error = "Invalid method. Only GET and POST supported.";
            return std::make_pair(responseData, error);
        }

        // Set data callback function
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteCallback);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseData);

        curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);

        // Perform the request
        CURLcode res = curl_easy_perform(curl);

        if (res != CURLE_OK)
        {
            if (res == CURLE_OPERATION_TIMEDOUT)
            {
                error = "Timeout error";
            }
            else
            {
                error = curl_easy_strerror(res);
            }
        }
        else
        {
            error = "Ok";
        }
    }
    else
    {
        error = "Failed to initialize libcurl.";
    }

    std::cout << error << std::endl;
    std::cout << responseData << std::endl;

    return std::make_pair(error, responseData);
}

size_t chrome::WriteCallback(void *contents, size_t size, size_t nmemb, std::string *data)
{
    size_t totalSize = size * nmemb;
    data->append(static_cast<char *>(contents), totalSize);
    return totalSize;
}

• upgrading to curl 8.5.0
• build with ngtcp2 and nghttp3

Describe the bug
It is not possible to bind to an IPv6 address while creating
requests.Session(impersonate="chrome99", interface="ipv6_here")
Binding to ipv4 works.
The feature works until v0.6.0, it is broken for both 0.6.0 and 0.6.1
It works on 0.6.0b9

To Reproduce

session = requests.Session(impersonate="chrome99", interface="ipv6_here")`
ip = session.get('https://ifconfig.me/ip').text

Error Output

File "/home/user/Workspace/project/network/NetworkController.py", line 49, in init
self.ip = self.session.get('https://ifconfig.me/ip').text
, File "/home/user/.local/lib/python3.10/site-packages/curl_cffi/requests/session.py", line 834, in request
raise RequestsError(str(e), e.code, rsp) from e
, curl_cffi.requests.errors.RequestsError: Failed to perform, ErrCode: 45, Reason: 'Couldn't bind to 'IP HERE'. This may be a libcurl error, See https://curl.se/libcurl/c/libcurl-errors.html first for more details.

Expected behavior
Requests use the specified ip address for HTTP calls.

Versions

• OS: Ubuntu 22.04, x86_64
• curl_cffi version 0.6.0

Additional context

• I have only tried using Session.

Hi, i builded Dockerfile from /chrome
docker build .

and checked /build/out/curl-impersonate and this file contain two shared libraries libz, and libc.
i added --with-zlib flag in Dockerfile, with downloding and static linked zlib

But how link libc

https://chromestatus.com/feature/6186023867908096

By selecting a impersonate target, we have to iterate over the list. it makes more sense to put the recent ones up top. Or even better, use a dict-like sturcture.

While using impersonate="safari17_2_ios", I get different JA3 digest results between my Windows and macOS machines (8be0b641abb257fae7b13bcfd2657032 on Mac and a76d766e1e01aa4cfaee1331b1bada3b on Windows).
Unfortunately this issue is triggering cloudflare on the Windows machine while on Mac it works just fine every time.
Just for testing I've tried using different python versions with an older openssl version but that is not the problem as the digest doesn't change.

我在调用libcurl的curl_multi_socket_action时出现NULL错误。我看到有Issue提到是libcurl自身的BUG，升级到8.9.1版本可能解决这个问题。我已尝试fork仓库自行处理，通过简单的替换libcurl版本号，不能够平滑升级，请帮助我升级libcurl到8.9.1版本。

参考Issues:

• socket_function callbacks for unrelated sockets that are never removed #14280
• 异常持续高 CPU 占用 #1100

As discussed: #46 (comment)

Chrome 124 was released recently with a new quantum-resistent algorithm called X25519Kyber768.

See also:

• https://chromestatus.com/feature/5257822742249472
• https://tls.peet.ws/api/all

It seems to be in A/B testing as of Feb 2024, and shows up on my Chrome on macOS with M1.

I would like to know if there is any impact on using sec-ch-platform for windows in these versions.
What are the differences between different platforms?

Hi,

README mentions custom header for Edge or Android. Wrapper scripts metion Wireshark.

Wanted to get your 2 cents on how to contribute to the project, adding more natively supported browsers. Such as chrome120 on Windows, Linux, Android, and different MacOS versions.

I am using libcurl ffi bindings via env vars, so I don't believe creating new wrapper scripts will be usable.

Using selenium docker images, we should be able to capture chrome's fingerprints automatically, and generate the testing targets for this repository.

Hello,

Would it be possible for you to add support for Edge 120 as a supported browser emulation?

Thank you much in advance for your consideration.

• #18
• #40

This should make building new curl-impersonate versions fully self-contained within the repo's CI.

Stretch goal (optional) could be to make universal2 binaries from x86_64 + arm64 binaries.

Hello,

possible you will add this fix to your fork
lwthiker#196

Related:

lexiforest/curl_cffi#248
lexiforest/curl_cffi#74

We need to add a BoringSSL function like

SSL_CTX_set_extension_order(SSL_CTX ctx, const char* order);

similar to what SSL_CTX_set_permute_extensions does.