Add ios-18 TLS profile

[bekesibeni]

Here is my IOS 18 tls peet dump
A bit more context on why this profile is high-value:

• On iOS, Apple's App Store rules force every app (Safari, Chrome iOS, Firefox iOS, Edge iOS, and any native app using NSURLSession/Network.framework/WKWebView) to use the OS networking stack. Both chrome, IOS and likely any app uses the same fingerprints so this works for full IOS support

• Fills a real gap. impit currently ships chrome*, firefox*, and okhttp*. The mobile coverage is Android-only — iOS is missing entirely.

Happy to open a PR if you want - I'd model it after okhttp.rs in impit/src/fingerprint/database/. Let me know if there's a preferred naming convention (safari_ios_18 vs ios_18 vs apple_ios_18).

Also noted one quirk worth preserving: the signature_algorithms extension contains a duplicate rsa_pss_rsae_sha384 entry. Verified across multiple captures -it's not a parser glitch, it's an iOS thing. Should be encoded as-is in the profile.

{
  "_note": "Sanitized capture from iPhone, iOS 18.7, Safari 26.5. Captured via tls.peet.ws. Per-connection randomness (client_random, session_id, key_share hex, GREASE values, TCP/IP) and PII (IP, locale) have been removed or normalized. JA3/JA4/Akamai fingerprint hashes are derived from the protocol-level data preserved here.",
  "http_version": "h2",
  "method": "GET",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.5 Mobile/15E148 Safari/604.1",
  "tls": {
    "ciphers": [
      "TLS_GREASE",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    ],
    "extensions": [
      { "name": "TLS_GREASE" },
      { "name": "server_name (0)" },
      { "name": "extended_master_secret (23)" },
      { "name": "extensionRenegotiationInfo (boringssl) (65281)", "data": "00" },
      {
        "name": "supported_groups (10)",
        "supported_groups": [
          "TLS_GREASE",
          "X25519MLKEM768 (4588)",
          "X25519 (29)",
          "P-256 (23)",
          "P-384 (24)",
          "P-521 (25)"
        ]
      },
      {
        "name": "ec_point_formats (11)",
        "elliptic_curves_point_formats": ["0x00"]
      },
      {
        "name": "application_layer_protocol_negotiation (16)",
        "protocols": ["h2", "http/1.1"]
      },
      {
        "name": "status_request (5)",
        "status_request": {
          "certificate_status_type": "OSCP (1)",
          "responder_id_list_length": 0,
          "request_extensions_length": 0
        }
      },
      {
        "name": "signature_algorithms (13)",
        "signature_algorithms": [
          "ecdsa_secp256r1_sha256",
          "rsa_pss_rsae_sha256",
          "rsa_pkcs1_sha256",
          "ecdsa_secp384r1_sha384",
          "rsa_pss_rsae_sha384",
          "rsa_pss_rsae_sha384",
          "rsa_pkcs1_sha384",
          "rsa_pss_rsae_sha512",
          "rsa_pkcs1_sha512",
          "rsa_pkcs1_sha1"
        ],
        "_note": "duplicate rsa_pss_rsae_sha384 is intentional — iOS-specific quirk, preserve in profile"
      },
      { "name": "signed_certificate_timestamp (18)" },
      {
        "name": "key_share (51)",
        "shared_keys_groups": [
          "TLS_GREASE",
          "X25519MLKEM768 (4588)",
          "X25519 (29)"
        ],
        "_note": "Ephemeral public key bytes removed; only the group list and order are part of the fingerprint."
      },
      {
        "name": "psk_key_exchange_modes (45)",
        "PSK_Key_Exchange_Mode": "PSK with (EC)DHE key establishment (psk_dhe_ke) (1)"
      },
      {
        "name": "supported_versions (43)",
        "versions": ["TLS_GREASE", "TLS 1.3", "TLS 1.2"]
      },
      {
        "name": "compress_certificate (27)",
        "algorithms": ["zlib (1)"]
      },
      { "name": "TLS_GREASE" }
    ],
    "tls_version_record": "771",
    "tls_version_negotiated": "772",
    "ja3": "771,4866-4867-4865-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-23-65281-10-11-16-5-13-18-51-45-43-27,4588-29-23-24-25,0",
    "ja3_hash": "ecdf4f49dd59effc439639da29186671",
    "ja4": "t13d2013h2_a09f3c656075_7f0f34a4126d",
    "ja4_r": "t13d2013h2_000a,002f,0035,009c,009d,1301,1302,1303,c008,c009,c00a,c012,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,002b,002d,0033,ff01_0403,0804,0401,0503,0805,0805,0501,0806,0601,0201",
    "peetprint": "GREASE-772-771|2-1.1|GREASE-4588-29-23-24-25|1027-2052-1025-1283-2053-2053-1281-2054-1537-513|1|1|GREASE-4866-4867-4865-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10|0-10-11-13-16-18-23-27-43-45-5-51-65281-GREASE-GREASE",
    "peetprint_hash": "62b834de729e78a9f0ebd1dd099314a7"
  },
  "http2": {
    "akamai_fingerprint": "2:0;3:100;4:2097152;9:1|10420225|0|m,s,a,p",
    "akamai_fingerprint_hash": "c52879e43202aeb92740be6e8c86ea96",
    "sent_frames": [
      {
        "frame_type": "SETTINGS",
        "length": 24,
        "settings": [
          "ENABLE_PUSH = 0",
          "MAX_CONCURRENT_STREAMS = 100",
          "INITIAL_WINDOW_SIZE = 2097152",
          "NO_RFC7540_PRIORITIES = 1"
        ]
      },
      {
        "frame_type": "WINDOW_UPDATE",
        "length": 4,
        "increment": 10420225
      },
      {
        "frame_type": "HEADERS",
        "stream_id": 1,
        "headers": [
          ":method: GET",
          ":scheme: https",
          ":authority: <example-host>",
          ":path: /",
          "sec-fetch-dest: document",
          "user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.5 Mobile/15E148 Safari/604.1",
          "accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
          "sec-fetch-site: none",
          "sec-fetch-mode: navigate",
          "accept-language: en-US,en;q=0.9",
          "priority: u=0, i",
          "accept-encoding: gzip, deflate, br, zstd"
        ],
        "flags": ["EndStream (0x1)", "EndHeaders (0x4)"]
      }
    ]
  }
}

[barjin]

Thank you, @bekesibeni, for your interest in this project. Feel free to open a PR with this new fingerprint. Cheers!

[bekesibeni]

@barjin before I open the PR, iOS 18 ClientHellos include 3 legacy 3DES suites that aren't in FingerprintCipherSuite: 0x000a, 0xc008, 0xc012. Without them the JA3/JA4 won't match a real iOS capture since the cipher list feeds into both.

The comment on to_cipher_suite() in rustls/src/crypto/emulation/mod.rs actually mentions 3DES as the "advertise but not implement" case but the variants were never added.

I can open a PR on the rustls fork to add them. The only thing I'd need guidance on is how you want to_supported_cipher_suite() to behave for suites with no aws-lc-rs implementation. Or if you'd rather ship the iOS profile without 3DES for now I can do that too, let me know.

[bekesibeni]

Opened apify/rustls#21, it adds Zlib to the cert-compression code path (also fixes a silent drop for Firefox 133/135/144) and adds the 3 advertise-only 3DES variants for iOS. impit PR will follow once that's merged so I can pin the SHA.

[barjin]

Thank you! The rustls PR is merged in apify/rustls@1ebb6d4, feel free to proceed with the impit PR.

[bekesibeni]

Opened it at #465