Add support for set_client_hello_callback to expose TLS ClientHello in Python to enable JA3 TLS fingerprinting #1430
Description
Hello!
While working on GlobaLeaks we are evaluating performing TLS fingerprinting (e.g., JA3) during ALPN negotiation.
This is modern and common practice to being able to identify bots and ddos.
OpenSSL 1.1.1 and newer provide the SSL_CTX_set_client_hello_cb function, which allows registering a callback to receive the raw ClientHello during handshake.
Currently, PyOpenSSL does not expose this function or its related APIs, making it impossible to use this important OpenSSL feature from Python.
With this ticket i would like to propose exporting SSL_CTX_set_client_hello_cb and any related structures or functions needed to use this callback from Python, ideally via the existing SSL.Context interface.
This would allow Python projects to implement TLS ClientHello inspection cleanly and efficiently without requiring native patches or external dependencies.
Exposing this function would unlock powerful use cases such as:
- Passive TLS fingerprinting (JA3 hashing)
- Early protocol negotiation (ALPN)
- Custom TLS handshake behaviors based on ClientHello content
Thank you very much for considering this. I’m happy to assist with testing or provide examples if helpful.