From da973165965962a435a23ade336d9a17daf044ef Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 11 Dec 2021 22:30:27 +0100 Subject: TODO: 13.3 Defeat TLS fingerprinting Closes #8119 --- docs/TODO | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/TODO b/docs/TODO index 11fe01db6..f9052c7be 100644 --- a/docs/TODO +++ b/docs/TODO @@ -110,9 +110,10 @@ 12. FILE 12.1 Directory listing for FILE: - 13. SSL + 13. TLS 13.1 TLS-PSK with OpenSSL 13.2 Provide mutex locking API + 13.3 Defeat TLS fingerprinting 13.4 Cache/share OpenSSL contexts 13.5 Export session ids 13.6 Provide callback for cert verification @@ -755,7 +756,7 @@ output should probably be the same as/similar to FTP. -13. SSL +13. TLS 13.1 TLS-PSK with OpenSSL @@ -772,6 +773,14 @@ library, so that the same application code can use mutex-locking independently of OpenSSL or GnutTLS being used. +13.3 Defeat TLS fingerprinting + + By changing the order of TLS extensions provided in the TLS handshake, it is + sometimes possible to circumvent TLS fingerprinting by servers. The TLS + extension order is of course not the only way to fingerprint a client. + + See https://github.com/curl/curl/issues/8119 + 13.4 Cache/share OpenSSL contexts "Look at SSL cafile - quick traces look to me like these are done on every -- cgit v1.2.1
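Review bot: the first hunk bundles an unrelated rename of the section title from "13. SSL" to "13. TLS" with the addition of the 13.3 entry, and the commit subject ("TODO: 13.3 Defeat TLS fingerprinting") does not mention the rename. Either split the rename into its own commit or note it in the commit message so the history explains why the "SSL" heading disappeared. The 13.3 entry itself lands in the previously empty slot between 13.2 and 13.4, so the numbering stays consistent.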
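Review bot: the new 13.3 text in the last hunk names the goal but not what curl would have to do or expose, which makes it hard to act on as a TODO item. "By changing the order of TLS extensions provided in the TLS handshake, it is sometimes possible to circumvent TLS fingerprinting by servers" should say what the intended mechanism is (an option or API to control the ClientHello extension order?) and which TLS backends can even do that, since "sometimes possible" leaves the reader to guess when. The follow-up sentence "The TLS extension order is of course not the only way to fingerprint a client" reads as a hedge; stating which other ClientHello fields this item deliberately does not try to address would make the scope explicit. Also, the unchanged context line just above the new section still reads "GnutTLS" where "GnuTLS" is meant; since this patch already touches that part of the file, it is worth fixing in the same change.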