Hello,

I'm trying to capture the cipher suites sent by the browser when negotiating the encryption level with HAProxy. Digging into the HAProxy doc, I can already find the TLS version and cipher used (variables %sslc and %sslv), but not the complete list of ciphers sent by the browser.

Why such information? This could be used as a method of fingerprinting! For example, finding malware that emulates a browser. Such malware could be spotted by comparing the user-agent field (at the HTTP level) with the cipher suites used (and how they are ordered) to see if they match. An example implementation can be found here: https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/

Is this even possible with HAProxy?

Thanks all,
Olivier
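Added example, not part of the original post and not HAProxy code: a sketch of the comparison described above, extracting the ordered cipher suite list from a raw ClientHello record and checking it against the fingerprints expected for the claimed User-Agent. The `KNOWN` table, the `ExampleBrowser/1` token and the ClientHello bytes are constructed for illustration; randomized GREASE values (RFC 8701) are dropped so the fingerprint stays stable.

```python
import struct

def is_grease(suite: int) -> bool:
    # RFC 8701 reserved values 0x0A0A, 0x1A1A, ... 0xFAFA are random per connection.
    return (suite & 0x0F0F) == 0x0A0A and (suite >> 8) == (suite & 0xFF)

def offered_ciphers(record: bytes) -> list:
    """Cipher suite IDs from a TLS ClientHello record, in the order offered."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]             # skip the variable-length session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (size,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if size % 2 or pos + size > len(record):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack_from("!%dH" % (size // 2), record, pos))

def fingerprint(ciphers) -> str:
    """Order-preserving fingerprint of the offered suites, GREASE removed."""
    return "-".join("%04x" % c for c in ciphers if not is_grease(c))

def check(user_agent: str, record: bytes, known: dict) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the claimed User-Agent."""
    fp = fingerprint(offered_ciphers(record))
    for token, prints in known.items():
        if token in user_agent:
            return "match" if fp in prints else "mismatch"
    return "unknown"

def build_hello(ciphers) -> bytes:
    """Constructed minimal ClientHello (no extensions), used only as sample input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers))
    body += struct.pack("!%dH" % len(ciphers), *ciphers) + b"\x01\x00"
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed reference table: User-Agent token -> fingerprints observed for it.
KNOWN = {"ExampleBrowser/1": {"c02b-c02f-009e"}}

if __name__ == "__main__":
    ua = "Mozilla/5.0 ExampleBrowser/1"
    genuine = build_hello([0x1A1A, 0xC02B, 0xC02F, 0x009E])
    reordered = build_hello([0x009E, 0xC02F, 0xC02B])  # same suites, other order
    print(check(ua, genuine, KNOWN), check(ua, reordered, KNOWN))
```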

