improve ja3_hash performance

phuslu · Feb 27, 2024 · 5e789f1 · 5e789f1
1 parent 2f2d3f7
commit 5e789f1
Show file tree

Hide file tree

Showing 10 changed files with 85 additions and 63 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -14,7 +14,7 @@ http {
         access_log             /dev/stdout basic;
         ssl_certificate_key    "data:-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL02pwZutbzkmdIM0QpvD7W3pcL2dGaeWrbQ8pNCHPFeoAoGCCqGSM49\nAwEHoUQDQgAE0Jektzpg3tJx3iPU05WwG4GweCwGWv87kkZQGB+6vG/kQQeOhnZ7\n7TCroQgY4ZVnBRZTD0lvxSyR6rwt3lWQ4A==\n-----END EC PRIVATE KEY-----\n";
         ssl_certificate        "data:-----BEGIN CERTIFICATE-----\nMIIBtjCCAV2gAwIBAgIUN/O0uv7B+18ohuf05ygsoC82liswCgYIKoZIzj0EAwIw\nMTELMAkGA1UEBhMCVVMxDDAKBgNVBAsMA1dlYjEUMBIGA1UEAwwLZXhhbXBsZS5v\ncmcwHhcNMjIwNzI4MTgzMzA2WhcNMjMwNzI5MTgzMzA2WjAxMQswCQYDVQQGEwJV\nUzEMMAoGA1UECwwDV2ViMRQwEgYDVQQDDAtleGFtcGxlLm9yZzBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNCXpLc6YN7Scd4j1NOVsBuBsHgsBlr/O5JGUBgfurxv\n5EEHjoZ2e+0wq6EIGOGVZwUWUw9Jb8Uskeq8Ld5VkOCjUzBRMB0GA1UdDgQWBBSH\n9cc3JRcpyPh3nEa41Ux6RDGjLTAfBgNVHSMEGDAWgBSH9cc3JRcpyPh3nEa41Ux6\nRDGjLTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIChRR5U7MMYQ\ntMK0zhNnt2SqRy30VcPIm9qoEms5cNxdAiBb273P7vSkj/PmDd1WsFVkg9NymBaT\n0nsIem2LKav60g==\n-----END CERTIFICATE-----\n";
-        return                 200 "ja3: $http_ssl_ja3\ngreased: $http_ssl_greased\nh2fp: $http2_fingerprint\n";
+        return                 200 "ja3: $http_ssl_ja3 ja3_hash: $http_ssl_ja3_hash greased: $http_ssl_greased h2fp: $http2_fingerprint\n";
     }
 }
 
@@ -25,6 +25,6 @@ stream {
         access_log             /dev/stdout basic;
         ssl_certificate_key    "data:-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL02pwZutbzkmdIM0QpvD7W3pcL2dGaeWrbQ8pNCHPFeoAoGCCqGSM49\nAwEHoUQDQgAE0Jektzpg3tJx3iPU05WwG4GweCwGWv87kkZQGB+6vG/kQQeOhnZ7\n7TCroQgY4ZVnBRZTD0lvxSyR6rwt3lWQ4A==\n-----END EC PRIVATE KEY-----\n";
         ssl_certificate        "data:-----BEGIN CERTIFICATE-----\nMIIBtjCCAV2gAwIBAgIUN/O0uv7B+18ohuf05ygsoC82liswCgYIKoZIzj0EAwIw\nMTELMAkGA1UEBhMCVVMxDDAKBgNVBAsMA1dlYjEUMBIGA1UEAwwLZXhhbXBsZS5v\ncmcwHhcNMjIwNzI4MTgzMzA2WhcNMjMwNzI5MTgzMzA2WjAxMQswCQYDVQQGEwJV\nUzEMMAoGA1UECwwDV2ViMRQwEgYDVQQDDAtleGFtcGxlLm9yZzBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNCXpLc6YN7Scd4j1NOVsBuBsHgsBlr/O5JGUBgfurxv\n5EEHjoZ2e+0wq6EIGOGVZwUWUw9Jb8Uskeq8Ld5VkOCjUzBRMB0GA1UdDgQWBBSH\n9cc3JRcpyPh3nEa41Ux6RDGjLTAfBgNVHSMEGDAWgBSH9cc3JRcpyPh3nEa41Ux6\nRDGjLTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIChRR5U7MMYQ\ntMK0zhNnt2SqRy30VcPIm9qoEms5cNxdAiBb273P7vSkj/PmDd1WsFVkg9NymBaT\n0nsIem2LKav60g==\n-----END CERTIFICATE-----\n";
-        return                 "HTTP/1.1 200 OK\r\n\r\nja3: $stream_ssl_ja3\ngreased: $stream_ssl_greased";
+        return                 "HTTP/1.1 200 OK\r\n\r\nja3: $stream_ssl_ja3 ja3_hash: $stream_ssl_ja3_hash greased: $stream_ssl_greased\n";
     }
 }
diff --git a/patches/nginx-1.20.patch b/patches/nginx-1.20.patch
@@ -42,16 +42,17 @@ index ce2a566..98c71f7 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index 81b87d7..e54f32d 100644
+index 81b87d7..6d4d86b 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -119,6 +119,10 @@ struct ngx_ssl_connection_s {
+@@ -119,6 +119,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 

diff --git a/patches/nginx-1.21.patch b/patches/nginx-1.21.patch
@@ -1,5 +1,5 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 1e6fc96..e467b75 100644
+index 1e6fc9614..e467b75e6 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
 @@ -1710,6 +1710,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
@@ -42,22 +42,23 @@ index 1e6fc96..e467b75 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index c9e86d9..3b9d210 100644
+index c9e86d9c0..5fb6b3cf3 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -119,6 +119,10 @@ struct ngx_ssl_connection_s {
+@@ -119,6 +119,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 
 
 diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 0e45a7b..8d8f7df 100644
+index 0e45a7b27..8d8f7dfc2 100644
 --- a/src/http/v2/ngx_http_v2.c
 +++ b/src/http/v2/ngx_http_v2.c
 @@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
@@ -124,7 +125,7 @@ index 0e45a7b..8d8f7df 100644
      while (!ngx_queue_empty(&h2c->waiting)) {
          q = ngx_queue_head(&h2c->waiting);
 diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 70ee287..c57f4f2 100644
+index 70ee287ae..c57f4f241 100644
 --- a/src/http/v2/ngx_http_v2.h
 +++ b/src/http/v2/ngx_http_v2.h
 @@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {

diff --git a/patches/nginx-1.22.patch b/patches/nginx-1.22.patch
@@ -1,5 +1,5 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 1e6fc96..e467b75 100644
+index 1e6fc9614..e467b75e6 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
 @@ -1710,6 +1710,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
@@ -42,22 +42,23 @@ index 1e6fc96..e467b75 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index c9e86d9..3b9d210 100644
+index c9e86d9c0..5fb6b3cf3 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -119,6 +119,10 @@ struct ngx_ssl_connection_s {
+@@ -119,6 +119,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 
 
 diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 0e45a7b..8d8f7df 100644
+index 0e45a7b27..8d8f7dfc2 100644
 --- a/src/http/v2/ngx_http_v2.c
 +++ b/src/http/v2/ngx_http_v2.c
 @@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
@@ -124,7 +125,7 @@ index 0e45a7b..8d8f7df 100644
      while (!ngx_queue_empty(&h2c->waiting)) {
          q = ngx_queue_head(&h2c->waiting);
 diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 70ee287..c57f4f2 100644
+index 70ee287ae..c57f4f241 100644
 --- a/src/http/v2/ngx_http_v2.h
 +++ b/src/http/v2/ngx_http_v2.h
 @@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {

diff --git a/patches/nginx-1.23.patch b/patches/nginx-1.23.patch
@@ -1,8 +1,8 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 7b0417e..ac4f6a8 100644
+index 104e8daf7..e52ffba5b 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
-@@ -1710,6 +1710,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
+@@ -1758,6 +1758,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
      return NGX_OK;
  }
 
@@ -32,7 +32,7 @@ index 7b0417e..ac4f6a8 100644
 
  ngx_int_t
  ngx_ssl_handshake(ngx_connection_t *c)
-@@ -1730,6 +1753,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
+@@ -1778,6 +1801,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
      ngx_ssl_clear_error(c->log);
 
@@ -42,22 +42,23 @@ index 7b0417e..ac4f6a8 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index c9e86d9..3b9d210 100644
+index 860ea26dd..b64d80ea2 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -119,6 +119,10 @@ struct ngx_ssl_connection_s {
+@@ -120,6 +120,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 
 
 diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 0e45a7b..8d8f7df 100644
+index ea3f27c07..911808cff 100644
 --- a/src/http/v2/ngx_http_v2.c
 +++ b/src/http/v2/ngx_http_v2.c
 @@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
@@ -90,7 +91,7 @@ index 0e45a7b..8d8f7df 100644
      return ngx_http_v2_state_header_block(h2c, pos, end);
 
  rst_stream:
-@@ -1804,6 +1820,9 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+@@ -1799,6 +1815,9 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
      }
 
      if (header->name.data[0] == ':') {
@@ -100,7 +101,7 @@ index 0e45a7b..8d8f7df 100644
          rc = ngx_http_v2_pseudo_header(r, header);
 
          if (rc == NGX_OK) {
-@@ -2227,6 +2246,12 @@ ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
+@@ -2224,6 +2243,12 @@ ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
          ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
                         "http2 setting %ui:%ui", id, value);
 
@@ -113,7 +114,7 @@ index 0e45a7b..8d8f7df 100644
          switch (id) {
 
          case NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING:
-@@ -2519,6 +2544,9 @@ ngx_http_v2_state_window_update(ngx_http_v2_connection_t *h2c, u_char *pos,
+@@ -2516,6 +2541,9 @@ ngx_http_v2_state_window_update(ngx_http_v2_connection_t *h2c, u_char *pos,
      }
 
      h2c->send_window += window;
@@ -124,7 +125,7 @@ index 0e45a7b..8d8f7df 100644
      while (!ngx_queue_empty(&h2c->waiting)) {
          q = ngx_queue_head(&h2c->waiting);
 diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 4e25293..151e585 100644
+index 4e252931c..151e58571 100644
 --- a/src/http/v2/ngx_http_v2.h
 +++ b/src/http/v2/ngx_http_v2.h
 @@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {

diff --git a/patches/nginx-1.24.patch b/patches/nginx-1.24.patch
@@ -1,5 +1,5 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 104e8da..e52ffba 100644
+index 104e8daf7..e52ffba5b 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
 @@ -1758,6 +1758,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
@@ -42,22 +42,23 @@ index 104e8da..e52ffba 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index 860ea26..6650deb 100644
+index 860ea26dd..b64d80ea2 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -120,6 +120,10 @@ struct ngx_ssl_connection_s {
+@@ -120,6 +120,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 
 
 diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index ea3f27c..911808c 100644
+index ea3f27c07..911808cff 100644
 --- a/src/http/v2/ngx_http_v2.c
 +++ b/src/http/v2/ngx_http_v2.c
 @@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
@@ -124,7 +125,7 @@ index ea3f27c..911808c 100644
      while (!ngx_queue_empty(&h2c->waiting)) {
          q = ngx_queue_head(&h2c->waiting);
 diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 4e25293..151e585 100644
+index 4e252931c..151e58571 100644
 --- a/src/http/v2/ngx_http_v2.h
 +++ b/src/http/v2/ngx_http_v2.h
 @@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {

diff --git a/patches/nginx-1.25.patch b/patches/nginx-1.25.patch
@@ -1,8 +1,8 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 8468101..1c47425 100644
+index 89f277fe5..d0e8558bb 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
-@@ -1792,6 +1792,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
+@@ -1793,6 +1793,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
      return NGX_OK;
  }
 
@@ -32,7 +32,7 @@ index 8468101..1c47425 100644
 
  ngx_int_t
  ngx_ssl_handshake(ngx_connection_t *c)
-@@ -1812,6 +1835,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
+@@ -1813,6 +1836,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
      ngx_ssl_clear_error(c->log);
 
@@ -42,22 +42,23 @@ index 8468101..1c47425 100644
 
      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index c062f91..8fd7174 100644
+index ebb2c35bf..b075c2cf3 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -128,6 +128,10 @@ struct ngx_ssl_connection_s {
+@@ -128,6 +128,11 @@ struct ngx_ssl_connection_s {
      unsigned                    in_ocsp:1;
      unsigned                    early_preread:1;
      unsigned                    write_blocked:1;
 +
 +    ngx_str_t                   fp_ja3_data;
 +    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
 +    uint16_t                    fp_tls_greased;
  };
 
 
 diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 0f5bd3d..aae8ec9 100644
+index 0f5bd3de8..aae8ec9d6 100644
 --- a/src/http/v2/ngx_http_v2.c
 +++ b/src/http/v2/ngx_http_v2.c
 @@ -301,6 +301,14 @@ ngx_http_v2_init(ngx_event_t *rev)
@@ -124,7 +125,7 @@ index 0f5bd3d..aae8ec9 100644
      while (!ngx_queue_empty(&h2c->waiting)) {
          q = ngx_queue_head(&h2c->waiting);
 diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 6751b30..d519092 100644
+index 6751b3026..d519092dd 100644
 --- a/src/http/v2/ngx_http_v2.h
 +++ b/src/http/v2/ngx_http_v2.h
 @@ -168,6 +168,13 @@ struct ngx_http_v2_connection_s {

diff --git a/src/nginx_ssl_fingerprint.c b/src/nginx_ssl_fingerprint.c
@@ -3,6 +3,7 @@
 #include <ngx_http.h>
 #include <ngx_log.h>
 #include <ngx_http_v2.h>
+#include <ngx_md5.h>
 
 #define IS_GREASE_CODE(code) (((code)&0x0f0f) == 0x0a0a && ((code)&0xff) == ((code)>>8))
 
@@ -292,6 +293,40 @@ int ngx_ssl_ja3(ngx_connection_t *c)
     return NGX_OK;
 }
 
+int ngx_ssl_ja3_hash(ngx_connection_t *c)
+{
+    if (c == NULL) {
+        return NGX_DECLINED;
+    }
+
+    if (c->ssl == NULL) {
+        return NGX_DECLINED;
+    }
+
+    if (c->ssl->fp_ja3_hash.len > 0) {
+        return NGX_OK;
+    }
+
+    if (ngx_ssl_ja3(c) == NGX_DECLINED) {
+        return NGX_DECLINED;
+    }
+
+    c->ssl->fp_ja3_hash.len = 32;
+    c->ssl->fp_ja3_hash.data = ngx_pnalloc(c->pool, c->ssl->fp_ja3_hash.len);
+
+    ngx_log_debug(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_ja3_hash: alloc bytes: [%d]\n", c->ssl->fp_ja3_hash.len);
+
+    ngx_md5_t  ctx;
+    u_char hash_buf[16];
+
+    ngx_md5_init(&ctx);
+    ngx_md5_update(&ctx, c->ssl->fp_ja3_str.data, c->ssl->fp_ja3_str.len);
+    ngx_md5_final(hash_buf, &ctx);
+    ngx_hex_dump(c->ssl->fp_ja3_hash.data, hash_buf, 16);
+
+    return NGX_OK;
+}
+
 int ngx_http2_fingerprint(ngx_connection_t *c, ngx_http_v2_connection_t *h2c)
 {
     unsigned char *pstr = NULL;

diff --git a/src/ngx_http_ssl_fingerprint_module.c b/src/ngx_http_ssl_fingerprint_module.c
@@ -1,9 +1,9 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
-#include <ngx_md5.h>
 
 extern int ngx_ssl_ja3(ngx_connection_t *c);
+extern int ngx_ssl_ja3_hash(ngx_connection_t *c);
 extern int ngx_http2_fingerprint(ngx_connection_t *c, ngx_http_v2_connection_t *h2c);
 
 static ngx_int_t ngx_http_ssl_fingerprint_init(ngx_conf_t *cf);
@@ -95,10 +95,6 @@ static ngx_int_t
 ngx_http_ssl_fingerprint_hash(ngx_http_request_t *r,
                  ngx_http_variable_value_t *v, uintptr_t data)
 {
-    ngx_md5_t               ctx;
-    u_char                  hash_buf[16];
-
-
     if (r->connection == NULL)
     {
         return NGX_OK;
@@ -109,19 +105,13 @@ ngx_http_ssl_fingerprint_hash(ngx_http_request_t *r,
         return NGX_OK;
     }
 
-    if (ngx_ssl_ja3(r->connection) == NGX_DECLINED)
+    if (ngx_ssl_ja3_hash(r->connection) == NGX_DECLINED)
     {
         return NGX_ERROR;
     }
 
-    v->data = ngx_pcalloc(r->pool, 32);
-
-    ngx_md5_init(&ctx);
-    ngx_md5_update(&ctx, r->connection->ssl->fp_ja3_str.data, r->connection->ssl->fp_ja3_str.len);
-    ngx_md5_final(hash_buf, &ctx);
-    ngx_hex_dump(v->data, hash_buf, 16);
-
-    v->len = 32;
+    v->data = r->connection->ssl->fp_ja3_hash.data;
+    v->len = r->connection->ssl->fp_ja3_hash.len;
     v->valid = 1;
     v->no_cacheable = 1;
     v->not_found = 0;