tls_client

package module
v0.0.0-...-d83bd93 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 12, 2026 License: BSD-4-Clause Imports: 37 Imported by: 0

README ΒΆ

TLS-Client

Preface

This TLS Client is built upon https://github.com/Carcraftz/fhttp and https://github.com/Carcraftz/utls (https://github.com/refraction-networking/utls). Big thanks to all contributors so far. Sadly it seems that the original repositories from Carcraftz are not maintained anymore.

What is TLS Fingerprinting?

Some people think it is enough to change the user-agent header of a request to let the server think that the client requesting a resource is a specific browser. Nowadays this is not enough, because the server might use a technique to detect the client browser which is called TLS Fingerprinting.

Even though this article is about TLS Fingerprinting in NodeJS it well describes the technique in general. https://httptoolkit.tech/blog/tls-fingerprinting-node-js/#how-does-tls-fingerprinting-work

Why is this library needed?

With this library you are able to create a http client implementing an interface which is similar to golangs net/http client interface. This TLS Client allows you to specify the Client (Browser and Version) you want to use, when requesting a server.

Features
  • βœ… HTTP/1.1, HTTP/2, HTTP/3 - Full protocol support with automatic negotiation
  • βœ… Protocol Racing - Chrome-like "Happy Eyeballs" for HTTP/2 vs HTTP/3
  • βœ… TLS Fingerprinting - Mimic Chrome, Firefox, Safari, and other browsers
  • βœ… HTTP/3 Fingerprinting - Accurate QUIC/HTTP/3 fingerprints matching real browsers
  • βœ… WebSocket Support - Maintain TLS fingerprinting over WebSocket connections
  • βœ… Custom Header Ordering - Control the order of HTTP headers
  • βœ… Proxy Support - HTTP and SOCKS5 proxies
  • βœ… Cookie Jar Management - Built-in cookie handling
  • βœ… Certificate Pinning - Enhanced security with custom certificate validation
  • βœ… Bandwidth Tracking - Monitor upload/download bandwidth
  • βœ… Language Bindings - Use from JavaScript (Node.js), Python, and C# via FFI
Interface

The HTTP Client interface extends the base net/http Client with additional functionality:

type HttpClient interface {
    GetCookies(u *url.URL) []*http.Cookie
    SetCookies(u *url.URL, cookies []*http.Cookie)
    SetCookieJar(jar http.CookieJar)
    GetCookieJar() http.CookieJar
    SetProxy(proxyUrl string) error
    GetProxy() string
    SetFollowRedirect(followRedirect bool)
    GetFollowRedirect() bool
    CloseIdleConnections()
    Do(req *http.Request) (*http.Response, error)
    Get(url string) (resp *http.Response, err error)
    Head(url string) (resp *http.Response, err error)
    Post(url, contentType string, body io.Reader) (resp *http.Response, err error)

    GetBandwidthTracker() bandwidth.BandwidthTracker
    GetDialer() proxy.ContextDialer
    GetTLSDialer() TLSDialerFunc
}
Detailed Documentation

https://bogdanfinn.gitbook.io/open-source-oasis/

Quick Usage Example
package main

import (
	"fmt"
	"io"
	"log"

	http "github.com/bogdanfinn/fhttp"
	tls_client "github.com/bogdanfinn/tls-client"
	"github.com/burruplambert/tls-client/profiles"
)

func main() {
	jar := tls_client.NewCookieJar()
	options := []tls_client.HttpClientOption{
		tls_client.WithTimeoutSeconds(30),
		tls_client.WithClientProfile(profiles.Chrome_144),
		tls_client.WithNotFollowRedirects(),
		tls_client.WithCookieJar(jar), // create cookieJar instance and pass it as argument
	}

	client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
	if err != nil {
		log.Println(err)
		return
	}

	req, err := http.NewRequest(http.MethodGet, "https://tls.peet.ws/api/all", nil)
	if err != nil {
		log.Println(err)
		return
	}

	req.Header = http.Header{
		"accept":                    {"*/*"},
		"accept-language":           {"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"},
		"user-agent":                {"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"},
		http.HeaderOrderKey: {
			"accept",
			"accept-language",
			"user-agent",
		},
	}

	resp, err := client.Do(req)
	if err != nil {
		log.Println(err)
		return
	}

	defer resp.Body.Close()

	log.Println(fmt.Sprintf("status code: %d", resp.StatusCode))

	readBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Println(err)
		return
	}

	log.Println(string(readBytes))
}
Questions?

Join my discord support server for free: https://discord.gg/7Ej9eJvHqk No Support in DMs!

Appreciate my work?

πŸ›‘οΈ Need Antibot Bypass?

TLS fingerprinting alone isn't enough for modern bot protection. Hyper Solutions provides the missing piece - API endpoints that generate valid antibot tokens for:

Akamai β€’ DataDome β€’ Kasada β€’ Incapsula

No browser automation. Just simple API calls that return the exact cookies and headers these systems require.

πŸš€ Get Your API Key | πŸ“– Docs | πŸ’¬ Discord

Powered by

JetBrains logo.

Documentation ΒΆ

Index ΒΆ

Constants ΒΆ

View Source 
const CHROME_MAX_FIELD_SECTION_SIZE = 262144

Variables ΒΆ

View Source 
var DefaultBadPinHandler = func(req *http.Request) {
	fmt.Println("this is the default bad pin handler")
}
View Source 
var DefaultOptions = []HttpClientOption{
	WithTimeoutSeconds(DefaultTimeoutSeconds),
	WithClientProfile(profiles.DefaultClientProfile),
	WithRandomTLSExtensionOrder(),
	WithNotFollowRedirects(),
}
View Source 
var DefaultTimeoutSeconds = 30
View Source 
var ErrBadPinDetected = errors.New("bad ssl pin detected")
View Source 
var ErrContinueHooks = errors.New("continue hooks")

ErrContinueHooks can be returned (or wrapped) by a PreRequestHookFunc to signal that the error should be logged but hook execution should continue to the next hook. By default any error returned from a hook aborts subsequent hooks and the request.

View Source 
var H2SettingsMap = map[string]http2.SettingID{
	"HEADER_TABLE_SIZE":      http2.SettingHeaderTableSize,
	"ENABLE_PUSH":            http2.SettingEnablePush,
	"MAX_CONCURRENT_STREAMS": http2.SettingMaxConcurrentStreams,
	"INITIAL_WINDOW_SIZE":    http2.SettingInitialWindowSize,
	"MAX_FRAME_SIZE":         http2.SettingMaxFrameSize,
	"MAX_HEADER_LIST_SIZE":   http2.SettingMaxHeaderListSize,
	"UNKNOWN_SETTING_7":      0x7,
	"UNKNOWN_SETTING_8":      0x8,
	"UNKNOWN_SETTING_9":      0x9,
}
View Source 
var H3SettingsMap = map[string]uint64{
	"QPACK_MAX_TABLE_CAPACITY": 0x1,
	"MAX_FIELD_SECTION_SIZE":   0x6,
	"QPACK_BLOCKED_STREAMS":    0x7,
	"H3_DATAGRAM":              0x33,
}

Functions ΒΆ

func GetSpecFactoryFromJa3String ΒΆ 

func GetSpecFactoryFromJa3String(ja3String string, supportedSignatureAlgorithms, supportedDelegatedCredentialsAlgorithms, supportedVersions, keyShareCurves, supportedProtocolsALPN, supportedProtocolsALPS []string, echCandidateCipherSuites []CandidateCipherSuites, candidatePayloads []uint16, certCompressionAlgorithms []string, recordSizeLimit uint16) (func() (tls.ClientHelloSpec, error), error)

func Int64ToInt ΒΆ 

func Int64ToInt(x int64) (int, error)

Types ΒΆ

type BadPinHandlerFunc ΒΆ 

type BadPinHandlerFunc func(req *http.Request)

type CandidateCipherSuites ΒΆ 

type CandidateCipherSuites struct {
	KdfId  string
	AeadId string
}

type CertificatePinner ΒΆ 

type CertificatePinner interface {
	Pin(conn *tls.UConn, host string) error
}

func NewCertificatePinner ΒΆ 

func NewCertificatePinner(certificatePins map[string][]string) (CertificatePinner, error)

type ContextKeyHeader ΒΆ 

type ContextKeyHeader struct{}

Users of context.WithValue should define their own types for keys

type CookieJar ΒΆ 

type CookieJar interface {
	http.CookieJar
	GetAllCookies() map[string][]*http.Cookie
}

func NewCookieJar ΒΆ 

func NewCookieJar(options ...CookieJarOption) CookieJar

type CookieJarOption ΒΆ 

type CookieJarOption func(config *cookieJarConfig)

func WithAllowEmptyCookies ΒΆ 

func WithAllowEmptyCookies() CookieJarOption

func WithDebugLogger ΒΆ 

func WithDebugLogger() CookieJarOption

func WithLogger ΒΆ 

func WithLogger(logger Logger) CookieJarOption

func WithSkipExisting ΒΆ 

func WithSkipExisting() CookieJarOption

type HttpClient ΒΆ 

type HttpClient interface {
	GetCookies(u *url.URL) []*http.Cookie
	SetCookies(u *url.URL, cookies []*http.Cookie)
	SetCookieJar(jar http.CookieJar)
	GetCookieJar() http.CookieJar
	SetProxy(proxyUrl string) error
	GetProxy() string
	SetFollowRedirect(followRedirect bool)
	GetFollowRedirect() bool
	CloseIdleConnections()
	Do(req *http.Request) (*http.Response, error)
	Get(url string) (resp *http.Response, err error)
	Head(url string) (resp *http.Response, err error)
	Post(url, contentType string, body io.Reader) (resp *http.Response, err error)

	GetBandwidthTracker() bandwidth.BandwidthTracker
	GetDialer() proxy.ContextDialer

	PreConnect(urlStr string) error
	GetTLSDialer() TLSDialerFunc

	AddPreRequestHook(hook PreRequestHookFunc)
	AddPostResponseHook(hook PostResponseHookFunc)
	ResetPreHooks()
	ResetPostHooks()
}

func NewHttpClient ΒΆ 

func NewHttpClient(logger Logger, options ...HttpClientOption) (HttpClient, error)

NewHttpClient constructs a new HTTP client with the given logger and client options.

func ProvideDefaultClient ΒΆ 

func ProvideDefaultClient(logger Logger) (HttpClient, error)

type HttpClientOption ΒΆ 

type HttpClientOption func(config *httpClientConfig)

func WithBandwidthTracker ΒΆ 

func WithBandwidthTracker() HttpClientOption

WithBandwidthTracker configures a client to track the bandwidth used by the client.

func WithCatchPanics ΒΆ 

func WithCatchPanics() HttpClientOption

WithCatchPanics configures a client to catch all go panics happening during a request and not print the stacktrace.

func WithCertificatePinning ΒΆ 

func WithCertificatePinning(certificatePins map[string][]string, handlerFunc BadPinHandlerFunc) HttpClientOption

WithCertificatePinning enables SSL Pinning for the client and will throw an error if the SSL Pin is not matched. Please refer to https://github.com/tam7t/hpkp/#examples in order to see how to generate pins. The certificatePins are a map with the host as key. You can provide a BadPinHandlerFunc or nil as second argument. This function will be executed once a bad ssl pin is detected. BadPinHandlerFunc has to be defined like this: func(req *http.Request){}

func WithCharlesProxy ΒΆ 

func WithCharlesProxy(host string, port string) HttpClientOption

WithCharlesProxy configures the HTTP client to use a local running charles as proxy.

host and port can be empty, then default 127.0.0.1 and port 8888 will be used

func WithClientProfile ΒΆ 

func WithClientProfile(clientProfile profiles.ClientProfile) HttpClientOption

WithClientProfile configures a TLS client to use the specified client profile.

func WithConnectHeaders ΒΆ 

func WithConnectHeaders(headers http.Header) HttpClientOption

WithConnectHeaders configures a client to use the specified headers for the CONNECT request.

func WithCookieJar ΒΆ 

func WithCookieJar(jar http.CookieJar) HttpClientOption

WithCookieJar configures a HTTP client to use the specified cookie jar.

func WithCustomRedirectFunc ΒΆ 

func WithCustomRedirectFunc(redirectFunc func(req *http.Request, via []*http.Request) error) HttpClientOption

WithCustomRedirectFunc configures an HTTP client to use a custom redirect func. The redirect func have to look like that: func(req *http.Request, via []*http.Request) error Please only provide a custom redirect function if you know what you are doing. Check docs on net/http.Client CheckRedirect

func WithDebug ΒΆ 

func WithDebug() HttpClientOption

WithDebug configures a client to log debugging information.

func WithDefaultHeaders ΒΆ 

func WithDefaultHeaders(defaultHeaders http.Header) HttpClientOption

WithDefaultHeaders configures a TLS client to use a set of default headers if none are specified on the request.

func WithDialContext ΒΆ 

func WithDialContext(dialContext func(ctx context.Context, network, addr string) (net.Conn, error)) HttpClientOption

WithDialContext sets a custom dialer for TCP connections, allowing advanced networking (Zero-DNS, socket tagging, DPI bypass).

WARNING: This overrides built-in proxy settings. If you need a proxy, you must handle the CONNECT handshake manually. CHECK: https://github.com/bogdanfinn/tls-client/pull/218#issuecomment-3858171801

func WithDialer ΒΆ 

func WithDialer(dialer net.Dialer) HttpClientOption

WithDialer configures an HTTP client to use the specified dialer. This allows the use of a custom DNS resolver

func WithDisableHttp3 ΒΆ 

func WithDisableHttp3() HttpClientOption

WithDisableHttp3 configures a client to disable HTTP 3 as the used protocol. Will most likely fall back to HTTP 2

func WithDisableIPV4 ΒΆ 

func WithDisableIPV4() HttpClientOption

WithDisableIPV4 configures a dialer to use tcp6 network argument

func WithDisableIPV6 ΒΆ 

func WithDisableIPV6() HttpClientOption

WithDisableIPV6 configures a dialer to use tcp4 network argument

func WithDynamicAddr ΒΆ 

func WithDynamicAddr(localAddr *net.TCPAddr) HttpClientOption

WithDynamicAddr configures an HTTP client with a pointer to a local address, allowing the address to be modified between requests without client recreation. Note: Requires DisableKeepAlives to be set to true to ensure address changes take effect on subsequent requests.

func WithForceHttp1 ΒΆ 

func WithForceHttp1() HttpClientOption

WithForceHttp1 configures a client to force HTTP/1.1 as the used protocol.

func WithInsecureSkipVerify ΒΆ 

func WithInsecureSkipVerify() HttpClientOption

WithInsecureSkipVerify configures a client to skip SSL certificate verification.

func WithLocalAddr ΒΆ 

func WithLocalAddr(localAddr net.TCPAddr) HttpClientOption

WithLocalAddr configures an HTTP client to use the specified local address.

func WithNotFollowRedirects ΒΆ 

func WithNotFollowRedirects() HttpClientOption

WithNotFollowRedirects configures an HTTP client to not follow HTTP redirects.

func WithPostHook ΒΆ 

func WithPostHook(hook PostResponseHookFunc) HttpClientOption

WithPostHook adds a post-response hook that is called after each request completes. Multiple hooks can be added and they will be executed in the order they were added. All hooks are always executed, even if the request failed or a previous hook panicked.

func WithPreHook ΒΆ 

func WithPreHook(hook PreRequestHookFunc) HttpClientOption

WithPreHook adds a pre-request hook that is called before each request is sent. Multiple hooks can be added and they will be executed in the order they were added. If any hook returns an error, the request is aborted and subsequent hooks are not called.

func WithProtocolRacing ΒΆ 

func WithProtocolRacing() HttpClientOption

WithProtocolRacing configures a client to race HTTP/3 (QUIC) and HTTP/2 (TCP) connections in parallel. Similar to Chrome's "Happy Eyeballs" approach, this starts both connection types simultaneously and uses whichever connects first. The client will remember which protocol worked for each host and use it directly on subsequent requests. This option is ignored if WithForceHttp1 or WithDisableHttp3 is set.

func WithProxyDialerFactory ΒΆ 

func WithProxyDialerFactory(proxyDialerFactory ProxyDialerFactory) HttpClientOption

WithProxyDialerFactory configures an HTTP client to use a custom proxyDialerFactory instead of newConnectDialer(). This allows to implement custom proxy dialer use cases

func WithProxyUrl ΒΆ 

func WithProxyUrl(proxyUrl string) HttpClientOption

WithProxyUrl configures an HTTP client to use the specified proxy URL.

proxyUrl should be formatted as: 

"http://user:pass@host:port"

func WithRandomTLSExtensionOrder ΒΆ 

func WithRandomTLSExtensionOrder() HttpClientOption

WithRandomTLSExtensionOrder configures a TLS client to randomize the order of TLS extensions being sent in the ClientHello.

Placement of GREASE and padding is fixed and will not be affected by this.

func WithResolveMap ΒΆ 

func WithResolveMap(resolveMap map[string]string) HttpClientOption

WithResolveMap configures a client to use the specified map for hostname->IP resolution. Note: Not compatible with WithServerNameOverwrite()

func WithServerNameOverwrite ΒΆ 

func WithServerNameOverwrite(serverName string) HttpClientOption

WithServerNameOverwrite configures a TLS client to overwrite the server name being used for certificate verification and in the client hello. This option does only work properly if WithInsecureSkipVerify is set to true in addition

func WithTimeout ΒΆ 

func WithTimeout(timeout int) HttpClientOption

WithTimeout configures an HTTP client to use the specified request timeout.

timeout is the request timeout in seconds. Deprecated: use either WithTimeoutSeconds or WithTimeoutMilliseconds

func WithTimeoutMilliseconds ΒΆ 

func WithTimeoutMilliseconds(timeout int) HttpClientOption

WithTimeoutMilliseconds configures a hard deadline for the entire request lifecycle.

This includes connection time, redirects, and reading the response body. WARNING: If the timer expires, the connection is forcibly closed, even if you are actively downloading data.

- Use 0 to disable the deadline (Unlimited) for large downloads or long-polling. - Default is 30000 milliseconds (30 seconds).

func WithTimeoutSeconds ΒΆ 

func WithTimeoutSeconds(timeout int) HttpClientOption

WithTimeoutSeconds configures a hard deadline for the entire request lifecycle.

This includes connection time, redirects, and reading the response body. WARNING: If the timer expires, the connection is forcibly closed, even if you are actively downloading data.

- Use 0 to disable the deadline (Unlimited) for large downloads or long-polling. - Default is 30 seconds.

func WithTransportOptions ΒΆ 

func WithTransportOptions(transportOptions *TransportOptions) HttpClientOption

WithTransportOptions configures a client to use the specified transport options.

type Logger ΒΆ 

type Logger interface {
	Debug(format string, args ...any)
	Info(format string, args ...any)
	Warn(format string, args ...any)
	Error(format string, args ...any)
}

func NewDebugLogger ΒΆ 

func NewDebugLogger(logger Logger) Logger

func NewLogger ΒΆ 

func NewLogger() Logger

func NewNoopLogger ΒΆ 

func NewNoopLogger() Logger

type PostResponseContext ΒΆ 

type PostResponseContext struct {
	Request  *http.Request
	Response *http.Response
	Error    error // Non-nil if request failed
}

PostResponseContext contains response metadata for PostHook handlers.

type PostResponseHookFunc ΒΆ 

type PostResponseHookFunc func(ctx *PostResponseContext) error

PostResponseHookFunc is called after each request completes. Return an error to abort subsequent hooks, or wrap ErrContinueHooks to log and continue.

type PreRequestHookFunc ΒΆ 

type PreRequestHookFunc func(req *http.Request) error

PreRequestHookFunc is called before each request is sent. Return an error to abort the request, or wrap ErrContinueHooks to log and continue.

type ProxyDialerFactory ΒΆ 

type ProxyDialerFactory func(proxyUrlStr string, timeout time.Duration, localAddr *net.TCPAddr, connectHeaders http.Header, logger Logger) (proxy.ContextDialer, error)

type TLSDialerFunc ΒΆ 

type TLSDialerFunc func(ctx context.Context, network, addr string) (net.Conn, error)

TLSDialerFunc is a function that dials a TLS connection to the given address. It's used for WebSocket connections to ensure they use the same TLS fingerprinting as regular HTTP requests.

type TransportOptions ΒΆ 

type TransportOptions struct {
	// KeyLogWriter is an io.Writer that the TLS client will use to write the
	// TLS master secrets to. This can be used to decrypt TLS connections in
	// Wireshark and other applications.
	KeyLogWriter io.Writer
	// IdleConnTimeout is the maximum amount of time an idle (keep-alive)
	// connection will remain idle before closing itself. Zero means no limit.
	IdleConnTimeout *time.Duration
	// RootCAs is the set of root certificate authorities used to verify
	// the remote server's certificate.
	RootCAs                *x509.CertPool
	MaxIdleConns           int
	MaxIdleConnsPerHost    int
	MaxConnsPerHost        int
	MaxResponseHeaderBytes int64 // Zero means to use a default limit.
	WriteBufferSize        int   // If zero, a default (currently 4KB) is used.
	ReadBufferSize         int   // If zero, a default (currently 4KB) is used.
	DisableKeepAlives      bool
	DisableCompression     bool
}

type Websocket ΒΆ 

type Websocket struct {
	// contains filtered or unexported fields
}

func NewWebsocket ΒΆ 

func NewWebsocket(logger Logger, options ...WebsocketOption) (*Websocket, error)

NewWebsocket creates a new WebSocket wrapper that uses tls-client for connections. This allows WebSocket connections to use the same TLS fingerprinting and configuration as regular HTTP requests.

Example usage: 

// Create HTTP client with ForceHttp1 (required for WebSocket!)
client, _ := NewHttpClient(nil,
    WithClientProfile(profiles.Chrome_133),
    WithForceHttp1(),
)

// Create WebSocket with optional header ordering
headers := http.Header{
    "User-Agent": {"MyBot/1.0"},
    http.HeaderOrderKey: {"host", "upgrade", "connection", "user-agent"},
}

ws, _ := New(nil,
    WithTlsClient(client),
    WithUrl("wss://example.com/ws"),
    WithHeaders(headers),
)

conn, _ := ws.Connect(context.Background())
defer conn.Close()

func (*Websocket) Connect ΒΆ 

func (w *Websocket) Connect(ctx context.Context) (*websocket.Conn, error)

type WebsocketOption ΒΆ 

type WebsocketOption func(config *websocketConfig)

func WithCookiejar ΒΆ 

func WithCookiejar(cookiejar http.CookieJar) WebsocketOption

func WithHandshakeTimeoutMilliseconds ΒΆ 

func WithHandshakeTimeoutMilliseconds(timeout int) WebsocketOption

func WithHeaders ΒΆ 

func WithHeaders(headers http.Header) WebsocketOption

func WithReadBufferSize ΒΆ 

func WithReadBufferSize(readBufferSize int) WebsocketOption

func WithTlsClient ΒΆ 

func WithTlsClient(tlsClient HttpClient) WebsocketOption

WithTlsClient sets the tls-client HttpClient to use for the WebSocket connection. The underlying dialer from this client will be used to establish the connection, preserving TLS fingerprinting and other client configurations.

IMPORTANT: WebSocket connections require HTTP/1.1. When creating your HttpClient, you MUST use WithForceHttp1() option to ensure compatibility: 

client, _ := NewHttpClient(nil,
    WithClientProfile(profiles.Chrome_133),
    WithForceHttp1(), // Required for WebSocket!
)

func WithUrl ΒΆ 

func WithUrl(url string) WebsocketOption

func WithWriteBufferSize ΒΆ 

func WithWriteBufferSize(writeBufferSize int) WebsocketOption

Source Files ΒΆ

View all Source files

Directories ΒΆ

Path Synopsis
tls_client_cffi_src provides and manages a CFFI (C Foreign Function Interface) which allows code in other languages to interact with the module.
 tls_client_cffi_src provides and manages a CFFI (C Foreign Function Interface) which allows code in other languages to interact with the module.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.