TLS Client Test

When your browser opens an HTTPS connection, the very first message it sends is the ClientHello. It advertises which TLS versions the browser understands, a prioritized list of cipher suites, the cryptographic groups and signature algorithms it can use, the server name it's connecting to (SNI), the application protocols it wants (ALPN — 'h2' for HTTP/2, 'http/1.1' for the older protocol), and a handful of other extensions. The server picks one option from each list and responds. This page shows exactly what your browser sent us.

JA3 is a hash of five fields from the ClientHello — TLS version, cipher suite IDs, extension IDs, supported elliptic curves, and EC point formats — concatenated and MD5-hashed. Because browsers send these fields in a specific order and include browser-specific extensions, the resulting 32-character hex string acts like a browser signature at the network layer. Fraud-detection systems and CDNs use JA3 to tell human traffic from bots, and to detect when a user agent header has been spoofed but the underlying TLS stack hasn't.

JavaScript running in a browser cannot see the bytes of the TLS handshake its own browser sent — the handshake happens below the JavaScript layer, in the network stack. The only way to expose it is to have a server on the other end of the connection read the ClientHello and report it back. That's what the Go backend behind this page does: it terminates TLS directly (no CDN, no reverse proxy that would re-terminate and hide your real ClientHello) and replays the raw handshake bytes to you over the same connection.

Almost. ALPN (Application-Layer Protocol Negotiation) is how the client and server agree, during the TLS handshake, which protocol to speak after TLS completes. 'h2' means HTTP/2, 'http/1.1' means HTTP/1.1, and 'h3' would mean HTTP/3 over QUIC (though HTTP/3 doesn't use TLS-over-TCP, so you'll never see h3 on this page). Seeing 'h2' in the list means your browser is willing to speak HTTP/2; the final value at the top of the report is what we actually negotiated.

Backwards compatibility. The ClientHello's top-level 'legacy version' field was frozen at TLS 1.2 to get past middleboxes that would reject anything newer. The real supported versions are carried in a separate extension called 'supported_versions', which you'll see listed in the ClientHello Summary section. If TLS 1.3 appears there and also as the negotiated version at the top, your connection is TLS 1.3.

Not easily. Every major browser (Chromium, Firefox, Safari) has its own TLS stack — BoringSSL, NSS, and Secure Transport/Network.framework respectively — and they each emit a fixed set of cipher suites and extensions in a fixed order. The main ways to change your JA3 are to change browsers, change OS (which changes the TLS library on Safari), or use a TLS-impersonating tool like curl-impersonate. Browser privacy extensions cannot change JA3 because they run above the TLS layer.