← Glossary / TLS Handshake

What is TLS Handshake?

Q: Can I just change my User-Agent to fix TLS blocks?

No. The User-Agent is an HTTP header, which is sent after the TLS handshake completes. If the server drops your connection during the handshake, it never even sees your User-Agent. Furthermore, if the handshake succeeds but your TLS signature (e.g., Python) contradicts your User-Agent (e.g., Chrome), modern anti-bots will flag the mismatch and block you.

The TLS handshake is the cryptographic negotiation that occurs before any HTTP data is exchanged between a client and a server. For web scraping, it is the most critical vulnerability point in the network layer. Before your scraper even requests a URL, the exact sequence of ciphers, extensions, and elliptic curves you broadcast in the plaintext ClientHello message tells the target's anti-bot edge whether you are a real Chrome browser or a Python script.

Network LayerJA3/JA4CryptographyClientHelloAnti-Bot

// 02 — definitions

The pre-flight
interrogation.

Before a single byte of HTTP is transferred, the server has already profiled your client's cryptographic DNA.

Ask a DataFlirt engineer →

TL;DR

The TLS handshake establishes a secure connection by agreeing on protocol versions and encryption keys. Modern anti-bot systems like Cloudflare and Akamai intercept the initial ClientHello packet to extract a fingerprint (JA3/JA4). If your scraper's TLS signature doesn't perfectly match its advertised User-Agent, the connection is dropped or tarpitted before the HTTP request is even read.

01Definition & structure

The TLS handshake is the process that kicks off a secure HTTPS session. Before any application data (like HTTP headers or HTML) is sent, the client and server must agree on how to encrypt the connection. The client initiates this by sending a ClientHello message in plaintext. This message contains the TLS versions it supports, the cipher suites it can use, and various extensions. The server responds with a ServerHello, choosing the parameters for the session.

02How it works in practice

In web scraping, the TLS handshake is the first line of defense for anti-bot systems. Because the ClientHello is sent in plaintext, edge networks (like Cloudflare or Fastly) inspect it before deciding whether to complete the connection. Different HTTP clients (Python's requests, Node's axios, Go's net/http, or Google Chrome) use different underlying TLS libraries (OpenSSL, BoringSSL, crypto/tls). Each library constructs the ClientHello differently, creating a unique, identifiable signature.

03The coherence check

Anti-bot systems don't just look for known bot signatures; they look for coherence. If your scraper successfully completes the TLS handshake using Python's default OpenSSL signature, but then sends an HTTP request with a User-Agent claiming to be Chrome on Windows, the server flags the mismatch. A real Chrome browser uses BoringSSL and sends a very specific set of ciphers and GREASE extensions. If the TLS signature and the HTTP headers contradict each other, you get blocked.

04How DataFlirt handles it

We handle TLS spoofing at the proxy edge. When your scraper connects to DataFlirt, it uses standard TLS. However, the outbound connection from our proxy to the target site uses a heavily modified TLS engine. We dynamically generate a ClientHello that perfectly matches the exact browser profile (Chrome, Safari, Firefox) and operating system we are emulating for that specific request. This ensures total cryptographic coherence and bypasses network-layer blocks entirely.

05Did you know?

Google Chrome intentionally injects random, invalid values into its TLS handshakes. This mechanism, called GREASE (Generate Random Extensions And Sustain Extensibility), was designed to prevent servers from becoming intolerant to new TLS features. However, it inadvertently became a massive fingerprinting signal. If a client claims to be Chrome but lacks the correct GREASE implementation in its ClientHello, anti-bot systems instantly know it's an imposter.

// 03 — the math

How unique is a
ClientHello?

The entropy of a TLS handshake determines how easily an anti-bot system can cluster and block your scraping fleet. DataFlirt monitors handshake diversity to prevent signature exhaustion across our proxy edge.

JA3 Hash Generation = MD5(Version,Ciphers,Extensions,Curves,Formats)

The standard network-layer fingerprinting algorithm. Salesforce, 2017

Handshake Latency = 2 × RTT + ProcessingTime

TLS 1.2 requires 2 round trips; TLS 1.3 reduces this to 1 RTT. RFC 8446

DataFlirt Signature Coherence = P(JA4 | UserAgent) > 0.99

Probability that the TLS signature matches the HTTP headers. DataFlirt Edge SLO

// 04 — packet trace

Intercepting the
ClientHello.

A packet-level view of a Python requests library attempting to connect to a Cloudflare-protected target. The mismatch is flagged instantly.

WiresharkTLS 1.3JA3 mismatch

edge.dataflirt.io — live

CAPTURED

// [0.00ms] OUTBOUND: ClientHello
tls.version: 0x0303 (TLS 1.2)
tls.ciphers: [4865, 4866, 4867, 49195, 49199, 52393...]
tls.extensions: [0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513]

// [12.4ms] EDGE INTERCEPTION (Anti-Bot)
edge.ja3_hash: "cd08e31494f9531f560d64c695473da9"
edge.inferred_client: "Python/urllib3"
http.user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"

// [14.1ms] CLASSIFIER EVALUATION
check.coherence: FAILED // JA3 does not match Chrome 124
check.grease: MISSING // Chrome GREASE extensions absent
action: DROP_CONNECTION

// [15.8ms] INBOUND: Alert (Level: Fatal, Description: Handshake Failure)
socket.status: ERR_SSL_PROTOCOL_ERROR

// 05 — fingerprint vectors

Where the handshake
leaks identity.

The specific components of the ClientHello message that anti-bot vendors use to build your JA3/JA4 signature. Modifying these requires patching the underlying SSL library.

SIGNATURES TRACKED · · 14,200+

CHROME VARIANTS · · · 180+

UPDATED · · · · · · 2026-05-19

Cipher Suite Order

~14 bits · The exact sequence of supported ciphers

Extension Order

~12 bits · Order of TLS extensions (Chrome randomises GREASE)

Supported Elliptic Curves

~8 bits · Mathematical curves for key exchange

ALPN Negotiation

~4 bits · h2 vs http/1.1 preference

Signature Algorithms

~3 bits · Supported authentication algorithms

// 06 — our stack

Patching the socket,

not just the headers.

Spoofing a User-Agent is trivial. Spoofing a TLS handshake requires rewriting the networking stack. DataFlirt doesn't rely on standard OpenSSL or Go's crypto/tls. We use a custom, dynamically patched TLS engine that perfectly mirrors the cryptographic behaviour of the target browser profile. If we claim to be Chrome 124 on macOS, our ClientHello byte sequence is mathematically indistinguishable from a real MacBook.

DataFlirt TLS Engine

Live configuration for a residential proxy worker targeting a strict Cloudflare zone.

worker.profile Chrome 124 · macOS 14.4

tls.library df-boringssl-fork

grease.injection enabled · randomized

cipher.permutation strict-match

alpn.negotiation h2, http/1.1

ja4.signature t13d1516h2_8daaf6152771

edge.classification human · 0.01

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

// 07 — FAQ

Common
questions.

About TLS fingerprinting, JA3/JA4 signatures, connection errors, and how DataFlirt maintains cryptographic coherence at scale.

Ask us directly →

Why am I getting an SSL handshake error when scraping? +

If you can access the site in your browser but your script throws an ERR_SSL_PROTOCOL_ERROR or Connection reset by peer, you are likely being blocked at the TLS layer. The target's firewall inspected your ClientHello packet, recognised a known bot signature (like default Python or Node.js), and terminated the TCP connection before HTTP negotiation began.

Can I just change my User-Agent to fix TLS blocks? +

No. The User-Agent is an HTTP header, which is sent after the TLS handshake completes. If the server drops your connection during the handshake, it never even sees your User-Agent. Furthermore, if the handshake succeeds but your TLS signature (e.g., Python) contradicts your User-Agent (e.g., Chrome), modern anti-bots will flag the mismatch and block you.

What is the difference between JA3 and JA4? +

JA3 is the original TLS fingerprinting standard, hashing specific fields of the ClientHello into an MD5 string. JA4 is the modern evolution, designed to be more human-readable and robust against minor protocol variations. JA4 captures the TLS version, SNI indicator, cipher suites, and extensions in a structured format (e.g., t13d1516h2_8daaf6152771).

How does DataFlirt bypass TLS fingerprinting? +

We don't bypass it; we emulate it perfectly. Standard libraries like OpenSSL cannot generate a Chrome-like ClientHello without deep modifications. DataFlirt uses a proprietary fork of BoringSSL (Chrome's TLS library) integrated into our proxy edge. When you route a request through us, we terminate your standard TLS and originate a perfectly spoofed handshake to the target.

Is intercepting or modifying TLS handshakes legal? +

Yes, modifying your own outbound client requests is entirely legal. You are simply changing the cryptographic parameters your client advertises to the server. This is fundamentally different from Man-in-the-Middle (MitM) attacks, which intercept third-party traffic. We are strictly managing the client-side presentation layer to ensure access to public data.

Does TLS 1.3 prevent fingerprinting? +

No. While TLS 1.3 encrypts more of the handshake (like the server certificate), the initial ClientHello message from the client must still be sent in plaintext so the server knows how to communicate. Because the ClientHello is unencrypted, anti-bot systems can still extract the ciphers, extensions, and ALPN data to generate a JA3/JA4 fingerprint.

$ dataflirt scope --new-project --target=tls-handshake READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing

hello@dataflirt.com · Bengaluru · IST · typical reply < 4h

What is TLS Handshake?

The pre-flightinterrogation.

TL;DR

How unique is aClientHello?

Intercepting theClientHello.

Where the handshakeleaks identity.

Cipher Suite Order

Extension Order

Supported Elliptic Curves

ALPN Negotiation

Signature Algorithms

Patching the socket,

DataFlirt TLS Engine

Stay ahead of the pipeline

Data engineeringintel, weekly.

Commonquestions.

Tell us whatto extract.We do the rest.

Related glossary terms

TLS Fingerprinting

Cloudflare Error 1010 (Bad Browser Signature)

Multiplexed Requests (HTTP/2)

Anti-Detect Browser