diff --git a/README.md b/README.md
index 7a5eedf..dde2dd6 100644
--- a/README.md
+++ b/README.md
@@ -5,20 +5,54 @@
 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, low-level access to handshake, fake session tickets and some other features. Handshake is still performed by "crypto/tls", this library merely changes ClientHello part of it and provides low-level access.  
 Golang 1.11+ is required.  
 If you have any questions, bug reports or contributions, you are welcome to publish those on GitHub. If you want to do so in private, you can contact one of developers personally via sergey.frolov@colorado.edu
+
+Documentation below may not keep up with all the changes and new features at all times,
+so you are encouraged to use [godoc](https://godoc.org/github.com/refraction-networking/utls#UConn).
+
 # Features
 ## Low-level access to handshake
 * Read/write access to all bits of client hello message.  
 * Read access to fields of ClientHandshakeState, which, among other things, includes ServerHello and MasterSecret.
 * Read keystream. Can be used, for example, to "write" something in ciphertext.
+
 ## ClientHello fingerprinting resistance
 Golang's ClientHello has a very unique fingerprint, which especially sticks out on mobile clients,
 where Golang is not too popular yet.
 Some members of anti-censorship community are concerned that their tools could be trivially blocked based on
 ClientHello with relatively small collateral damage. There are multiple solutions to this issue.
-### Randomized handshake
-This package can generate randomized ClientHello using only extensions and cipherSuites "crypto/tls" already supports.
-This provides a solid moving target without any compatibility or parrot-is-dead attack risks.  
-**Feedback about opinionated implementation details of randomized handshake is appreciated.**
+
+**It is highly recommended to use multiple fingeprints, including randomized ones to avoid relying on a single fingerprint.**
+[utls.Roller](#roller) does this automatically.
+
+### Randomized Fingerprint
+Randomized Fingerprints are supposedly good at defeating blacklists, since
+those fingerprints have random ciphersuites and extensions in random order.
+Note that all used ciphersuites and extensions are fully supported by uTLS,
+which provides a solid moving target without any compatibility or parrot-is-dead attack risks.  
+
+But note that there's a small chance that generated fingerprint won't work,
+so you may want to keep generating until a working one is found,
+and then keep reusing the working fingerprint to avoid suspicious behavior of constantly changing fingerprints.
+[utls.Roller](#roller) reuses working fingerprint automatically.
+
+#### Generating randomized fingerprints
+
+To generate a randomized fingerprint, simply do:
+```Golang
+uTlsConn := tls.UClient(tcpConn, &config, tls.HelloRandomized)
+```
+you can use `helloRandomizedALPN` or `helloRandomizedNoALPN` to ensure presence or absence of
+ALPN(Application-Layer Protocol Negotiation) extension.
+It is recommended, but certainly not required to include ALPN (or use helloRandomized which may or may not include ALPN).
+If you do use ALPN, you will want to correctly handle potential application layer protocols (likely h2 or http/1.1).
+
+#### Reusing randomized fingerprint
+```Golang
+// oldConn is an old connection that worked before, so we want to reuse it
+// newConn is a new connection we'd like to establish
+newConn := tls.UClient(tcpConn, &config, oldConn.ClientHelloID)
+```
+
 ### Parroting
 This package can be used to parrot ClientHello of popular browsers.
 There are some caveats to this parroting:
@@ -31,9 +65,11 @@ This is not a problem, if you fully control the server and turn unsupported thin
 | ------------- | -------- | ---------- | ---------------------- | --------------------------------------------- |
 | Chrome 62     | no       | no         | ChannelID              | [0a4a74aeebd1bb66](https://tlsfingerprint.io/id/0a4a74aeebd1bb66) |
 | Chrome 70     | no       | no         | ChannelID, Encrypted Certs | [bc4c7e42f4961cd7](https://tlsfingerprint.io/id/bc4c7e42f4961cd7) |
+| Chrome 72     | no       | no         | ChannelID, Encrypted Certs | [bbf04e5f1881f506](https://tlsfingerprint.io/id/bbf04e5f1881f506) |
 | Firefox 56    | very low | no         | None                   | [c884bad7f40bee56](https://tlsfingerprint.io/id/c884bad7f40bee56) |
-| Firefox 63    | very low | no         | MaxRecordSize                   | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
+| Firefox 65    | very low | no         | MaxRecordSize                   | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
 | iOS 11.1      | low** | no         | None                   | [71a81bafd58e1301](https://tlsfingerprint.io/id/71a81bafd58e1301) |
+| iOS 12.1      | low** | no         | None                   | [ec55e5b4136c7949](https://tlsfingerprint.io/id/ec55e5b4136c7949) |
 
 \* Denotes very rough guesstimate of likelihood that unsupported things will get echoed back by the server in the wild,
 *visibly breaking the connection*.  
@@ -48,10 +84,11 @@ It LGTM, but please open up Wireshark and check. If you see something — [say s
 
 There sure are. If you found one that approaches practicality at line speed — [please tell us](issues).
 
-#### Things to implement in Golang to make parrots better
-uTLS is fundamentially limited in parroting, because Golang's "crypto/tls" doesn't support many things. Would be nice to have:
- * ChannelID extension
- * In general, any modern crypto is likely to be useful going forward.
+However, there is a difference between this sort of parroting and techniques like SkypeMorth.
+Namely, TLS is highly standardized protocol, therefore simply not that many subtle things in TLS protocol
+could be different and/or suddenly change in one of mimicked implementation(potentially undermining the mimicry).
+It is possible that we have a distinguisher right now, but amount of those potential distinguishers is limited.
+
 ### Custom Handshake
 It is possible to create custom handshake by
 1) Use `HelloCustom` as an argument for `UClient()` to get empty config
@@ -63,6 +100,29 @@ If you need to manually control all the bytes on the wire(certainly not recommen
 you can set UConn.HandshakeStateBuilt = true, and marshal clientHello into UConn.HandshakeState.Hello.raw yourself.
 In this case you will be responsible for modifying other parts of Config and ClientHelloMsg to reflect your setup
 and not confuse "crypto/tls", which will be processing response from server.
+
+## Roller
+
+A simple wrapper, that allows to easily use multiple latest(auto-updated) fingerprints.
+
+```Golang
+// NewRoller creates Roller object with default range of HelloIDs to cycle
+// through until a working/unblocked one is found.
+func NewRoller() (*Roller, error)
+```
+
+```Golang
+// Dial attempts to connect to given address using different HelloIDs.
+// If a working HelloID is found, it is used again for subsequent Dials.
+// If tcp connection fails or all HelloIDs are tried, returns with last error.
+//
+// Usage examples:
+//
+// Dial("tcp4", "google.com:443", "google.com")
+// Dial("tcp", "10.23.144.22:443", "mywebserver.org")
+func (c *Roller) Dial(network, addr, serverName string) (*UConn, error)
+```
+
 ## Fake Session Tickets
 Fake session tickets is a very nifty trick that allows power users to hide parts of handshake, which may have some very fingerprintable features of handshake, and saves 1 RTT.
 Currently, there is a simple function to set session ticket to any desired state:
@@ -85,7 +145,7 @@ See full list of `clientHelloID` values [here](https://godoc.org/github.com/refr
 There are different behaviors you can get, depending  on your `clientHelloID`:
 
 1. ```utls.HelloRandomized``` adds/reorders extensions, ciphersuites, etc. randomly.  
-`HelloRandomized` adds ALPN in 50% of cases, you may want to use `HelloRandomizedALPN` or
+`HelloRandomized` adds ALPN in a percentage of cases, you may want to use `HelloRandomizedALPN` or
 `HelloRandomizedNoALPN` to choose specific behavior explicitly, as ALPN might affect application layer.
 2. ```utls.HelloGolang```
     HelloGolang will use default "crypto/tls" handshake marshaling codepath, which WILL
diff --git a/examples/examples.go b/examples/examples.go
index a84ab5c..6b1b506 100644
--- a/examples/examples.go
+++ b/examples/examples.go
@@ -52,6 +52,37 @@ func HttpGetByHelloID(hostname string, addr string, helloID tls.ClientHelloID) (
 	return httpGetOverConn(uTlsConn, uTlsConn.HandshakeState.ServerHello.AlpnProtocol)
 }
 
+// this example generates a randomized fingeprint, then re-uses it in a follow-up connection
+func HttpGetConsistentRandomized(hostname string, addr string) (*http.Response, error) {
+	config := tls.Config{ServerName: hostname}
+	tcpConn, err := net.DialTimeout("tcp", addr, dialTimeout)
+	if err != nil {
+		return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
+	}
+	uTlsConn := tls.UClient(tcpConn, &config, tls.HelloRandomized)
+	defer uTlsConn.Close()
+	err = uTlsConn.Handshake()
+	if err != nil {
+		return nil, fmt.Errorf("uTlsConn.Handshake() error: %+v", err)
+	}
+	uTlsConn.Close()
+
+	// At this point uTlsConn.ClientHelloID holds a seed that was used to generate
+	// randomized fingerprint. Now we can establish second connection with same fp
+	tcpConn2, err := net.DialTimeout("tcp", addr, dialTimeout)
+	if err != nil {
+		return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
+	}
+	uTlsConn2 := tls.UClient(tcpConn2, &config, uTlsConn.ClientHelloID)
+	defer uTlsConn2.Close()
+	err = uTlsConn2.Handshake()
+	if err != nil {
+		return nil, fmt.Errorf("uTlsConn.Handshake() error: %+v", err)
+	}
+
+	return httpGetOverConn(uTlsConn2, uTlsConn2.HandshakeState.ServerHello.AlpnProtocol)
+}
+
 func HttpGetExplicitRandom(hostname string, addr string) (*http.Response, error) {
 	dialConn, err := net.DialTimeout("tcp", addr, dialTimeout)
 	if err != nil {
@@ -306,7 +337,6 @@ func forgeConn() {
 
 }
 
-
 func main() {
 	var response *http.Response
 	var err error
@@ -325,11 +355,11 @@ func main() {
 		fmt.Printf("#> HttpGetByHelloID(HelloChrome_62) response: %+s\n", dumpResponseNoBody(response))
 	}
 
-	response, err = HttpGetByHelloID(requestHostname, requestAddr, tls.HelloRandomizedNoALPN)
+	response, err = HttpGetConsistentRandomized(requestHostname, requestAddr)
 	if err != nil {
-		fmt.Printf("#> HttpGetByHelloID(Randomized) failed: %+v\n", err)
+		fmt.Printf("#> HttpGetConsistentRandomized() failed: %+v\n", err)
 	} else {
-		fmt.Printf("#> HttpGetByHelloID(Randomized) response: %+s\n", dumpResponseNoBody(response))
+		fmt.Printf("#> HttpGetConsistentRandomized() response: %+s\n", dumpResponseNoBody(response))
 	}
 
 	response, err = HttpGetExplicitRandom(requestHostname, requestAddr)
diff --git a/handshake_client.go b/handshake_client.go
index b88030a..8f919c2 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -29,6 +29,8 @@ type clientHandshakeState struct {
 	finishedHash finishedHash
 	masterSecret []byte
 	session      *ClientSessionState
+
+	uconn *UConn // [UTLS]
 }
 
 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go
index cee9a00..d0c2d05 100644
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@@ -33,6 +33,8 @@ type clientHandshakeStateTLS13 struct {
 	transcript    hash.Hash
 	masterSecret  []byte
 	trafficSecret []byte // client_application_traffic_secret_0
+
+	uconn *UConn // [UTLS]
 }
 
 // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and,
@@ -251,6 +253,68 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 		}
 	}
 
+	// [UTLS SECTION BEGINS]
+	// crypto/tls code above this point had changed crypto/tls structures in accordance with HRR, and is about
+	// to call default marshaller.
+	// Instead, we fill uTLS-specific structs and call uTLS marshaller.
+	// Only extensionCookie, extensionPreSharedKey, extensionKeyShare, extensionEarlyData, extensionSupportedVersions,
+	// and utlsExtensionPadding are supposed to change
+	if hs.uconn != nil {
+		if hs.uconn.ClientHelloID != HelloGolang {
+			if len(hs.hello.pskIdentities) > 0 {
+				// TODO: wait for someone who cares about PSK to implement
+				return errors.New("uTLS does not support reprocessing of PSK key triggered by HelloRetryRequest")
+			}
+
+			keyShareExtFound := false
+			for _, ext := range hs.uconn.Extensions {
+				// new ks seems to be generated either way
+				if ks, ok := ext.(*KeyShareExtension); ok {
+					ks.KeyShares = keyShares(hs.hello.keyShares).ToPublic()
+					keyShareExtFound = true
+				}
+			}
+			if !keyShareExtFound {
+				return errors.New("uTLS: received HelloRetryRequest, but keyshare not found among client's " +
+					"uconn.Extensions")
+			}
+
+			if len(hs.serverHello.cookie) > 0 {
+				// serverHello specified a cookie, let's echo it
+				cookieFound := false
+				for _, ext := range hs.uconn.Extensions {
+					if ks, ok := ext.(*CookieExtension); ok {
+						ks.Cookie = hs.serverHello.cookie
+						cookieFound = true
+					}
+				}
+
+				if !cookieFound {
+					// pick a random index where to add cookieExtension
+					// -2 instead of -1 is a lazy way to ensure that PSK is still a last extension
+					p, err := newPRNG()
+					if err != nil {
+						return err
+					}
+					cookieIndex := p.Intn(len(hs.uconn.Extensions) - 2)
+					if cookieIndex >= len(hs.uconn.Extensions) {
+						// this check is for empty hs.uconn.Extensions
+						return fmt.Errorf("cookieIndex >= len(hs.uconn.Extensions): %v >= %v",
+							cookieIndex, len(hs.uconn.Extensions))
+					}
+					hs.uconn.Extensions = append(hs.uconn.Extensions[:cookieIndex],
+						append([]TLSExtension{&CookieExtension{Cookie: hs.serverHello.cookie}},
+							hs.uconn.Extensions[cookieIndex:]...)...)
+				}
+			}
+			if err = hs.uconn.MarshalClientHello(); err != nil {
+				return err
+			}
+			hs.hello.raw = hs.uconn.HandshakeState.Hello.Raw
+		}
+	}
+	// [UTLS SECTION ENDS]
+
 	hs.transcript.Write(hs.hello.marshal())
 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
 		return err
diff --git a/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70 b/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70
new file mode 100644
index 0000000..af33801
--- /dev/null
+++ b/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70
@@ -0,0 +1,181 @@
+>>> Flow 1 (client to server)
+00000000  16 03 01 02 00 01 00 01  fc 03 03 00 00 00 00 00  |................|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 22 0a 0a  |............."..|
+00000050  13 01 13 02 13 03 c0 2b  c0 2f c0 2c c0 30 cc a9  |.......+./.,.0..|
+00000060  cc a8 c0 13 c0 14 00 9c  00 9d 00 2f 00 35 00 0a  |.........../.5..|
+00000070  01 00 01 91 0a 0a 00 00  ff 01 00 01 00 00 00 00  |................|
+00000080  05 00 03 00 00 00 00 17  00 00 00 23 00 00 00 0d  |...........#....|
+00000090  00 14 00 12 04 03 08 04  04 01 05 03 08 05 05 01  |................|
+000000a0  08 06 06 01 02 01 00 05  00 05 01 00 00 00 00 00  |................|
+000000b0  12 00 00 00 10 00 0e 00  0c 02 68 32 08 68 74 74  |..........h2.htt|
+000000c0  70 2f 31 2e 31 75 50 00  00 00 0b 00 02 01 00 00  |p/1.1uP.........|
+000000d0  33 00 2b 00 29 0a 0a 00  01 00 00 1d 00 20 2f e5  |3.+.)........ /.|
+000000e0  7d a3 47 cd 62 43 15 28  da ac 5f bb 29 07 30 ff  |}.G.bC.(.._.).0.|
+000000f0  f6 84 af c4 cf c2 ed 90  99 5f 58 cb 3b 74 00 2d  |........._X.;t.-|
+00000100  00 02 01 01 00 2b 00 0b  0a 0a 0a 03 04 03 03 03  |.....+..........|
+00000110  02 03 01 00 0a 00 0a 00  08 0a 0a 00 1d 00 17 00  |................|
+00000120  18 00 1b 00 03 02 00 02  1a 1a 00 01 00 00 15 00  |................|
+00000130  d4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000200  00 00 00 00 00                                    |.....|
+>>> Flow 2 (server to client)
+00000000  16 03 03 00 58 02 00 00  54 03 03 cf 21 ad 74 e5  |....X...T...!.t.|
+00000010  9a 61 11 be 1d 8c 02 1e  65 b8 91 c2 a2 11 16 7a  |.a......e......z|
+00000020  bb 8c 5e 07 9e 09 e2 c8  a8 33 9c 20 00 00 00 00  |..^......3. ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 13 01 00 00  |................|
+00000050  0c 00 2b 00 02 03 04 00  33 00 02 00 17 14 03 03  |..+.....3.......|
+00000060  00 01 01                                          |...|
+>>> Flow 3 (client to server)
+00000000  14 03 03 00 01 01 16 03  03 02 00 01 00 01 fc 03  |................|
+00000010  03 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000030  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000050  00 00 00 22 0a 0a 13 01  13 02 13 03 c0 2b c0 2f  |...".........+./|
+00000060  c0 2c c0 30 cc a9 cc a8  c0 13 c0 14 00 9c 00 9d  |.,.0............|
+00000070  00 2f 00 35 00 0a 01 00  01 91 0a 0a 00 00 ff 01  |./.5............|
+00000080  00 01 00 00 00 00 05 00  03 00 00 00 00 17 00 00  |................|
+00000090  00 23 00 00 00 0d 00 14  00 12 04 03 08 04 04 01  |.#..............|
+000000a0  05 03 08 05 05 01 08 06  06 01 02 01 00 05 00 05  |................|
+000000b0  01 00 00 00 00 00 12 00  00 00 10 00 0e 00 0c 02  |................|
+000000c0  68 32 08 68 74 74 70 2f  31 2e 31 75 50 00 00 00  |h2.http/1.1uP...|
+000000d0  0b 00 02 01 00 00 33 00  47 00 45 00 17 00 41 04  |......3.G.E...A.|
+000000e0  1e 18 37 ef 0d 19 51 88  35 75 71 b5 e5 54 5b 12  |..7...Q.5uq..T[.|
+000000f0  2e 8f 09 67 fd a7 24 20  3e b2 56 1c ce 97 28 5e  |...g..$ >.V...(^|
+00000100  f8 2b 2d 4f 9e f1 07 9f  6c 4b 5b 83 56 e2 32 42  |.+-O....lK[.V.2B|
+00000110  e9 58 b6 d7 49 a6 b5 68  1a 41 03 56 6b dc 5a 89  |.X..I..h.A.Vk.Z.|
+00000120  00 2d 00 02 01 01 00 2b  00 0b 0a 0a 0a 03 04 03  |.-.....+........|
+00000130  03 03 02 03 01 00 0a 00  0a 00 08 0a 0a 00 1d 00  |................|
+00000140  17 00 18 00 1b 00 03 02  00 02 1a 1a 00 01 00 00  |................|
+00000150  15 00 b8 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000200  00 00 00 00 00 00 00 00  00 00 00                 |...........|
+>>> Flow 4 (server to client)
+00000000  16 03 03 00 9b 02 00 00  97 03 03 ae 07 28 f1 a3  |.............(..|
+00000010  39 96 a7 38 99 f8 a5 25  6d 14 56 a1 f4 3b 65 b7  |9..8...%m.V..;e.|
+00000020  5b dc 16 a8 0f bc 29 73  60 50 4e 20 00 00 00 00  |[.....)s`PN ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 13 01 00 00  |................|
+00000050  4f 00 2b 00 02 03 04 00  33 00 45 00 17 00 41 04  |O.+.....3.E...A.|
+00000060  92 f1 80 7f 0f 5c 8a 9d  9c 5c d6 f1 1d 39 66 d9  |.....\...\...9f.|
+00000070  03 be c3 72 b9 92 43 90  90 15 b4 1f 02 0d ee 37  |...r..C........7|
+00000080  b4 21 ab bd bb 71 84 3c  55 5b 8b cb c3 fc 15 50  |.!...q.<U[.....P|
+00000090  a7 33 3b c9 97 3d f0 f9  be 5a 48 a5 e4 9d 4d cc  |.3;..=...ZH...M.|
+000000a0  17 03 03 00 17 e7 7d 13  54 c7 0a aa 33 45 80 5d  |......}.T...3E.]|
+000000b0  5f 58 c9 0b ca e7 ac 58  d0 8a e8 37 17 03 03 02  |_X.....X...7....|
+000000c0  6d 73 95 78 a2 69 03 17  92 b7 7a dd 7f 85 59 af  |ms.x.i....z...Y.|
+000000d0  55 28 93 0a 07 46 90 38  c4 d6 e5 0e 24 67 a0 68  |U(...F.8....$g.h|
+000000e0  17 50 05 16 fb f2 26 74  29 27 52 95 ee 9e ca f0  |.P....&t)'R.....|
+000000f0  41 77 55 a5 05 ed 50 79  7a 0f ca cc 67 1e 1f e9  |AwU...Pyz...g...|
+00000100  31 48 85 ae f8 6f d2 8e  f9 48 38 2d 7c 54 b4 23  |1H...o...H8-|T.#|
+00000110  52 d8 9a fd 69 d9 9b 12  0c 38 77 14 41 2d 43 bd  |R...i....8w.A-C.|
+00000120  9d 26 31 c0 bc 2e 9a ee  b3 5e f4 df 89 8c 0f 7d  |.&1......^.....}|
+00000130  c7 fd 80 42 a0 34 4a 5b  15 09 b6 d8 74 d8 85 36  |...B.4J[....t..6|
+00000140  d0 83 ee 02 4f f4 1c 12  c2 9b 0d b7 51 48 ff 50  |....O.......QH.P|
+00000150  05 8e bc a9 51 4c 9c e1  ec 81 31 0e 87 39 92 78  |....QL....1..9.x|
+00000160  6d 36 62 c3 38 8b a6 10  f5 9a da d4 13 f6 1a 48  |m6b.8..........H|
+00000170  a1 96 88 75 a6 d0 c8 99  8f ce 24 62 b2 20 fd e1  |...u......$b. ..|
+00000180  0f d4 49 dc b9 2a b7 85  39 15 41 a8 18 99 7e 1f  |..I..*..9.A...~.|
+00000190  77 9c 59 7a 62 6f fd 67  69 d8 a1 c6 e8 ef a3 6a  |w.Yzbo.gi......j|
+000001a0  6a dd a5 9e 2a aa da 27  25 62 ef be 68 d7 3f aa  |j...*..'%b..h.?.|
+000001b0  59 b7 5e 1e bc 13 87 1f  50 a6 f1 18 70 86 1e 92  |Y.^.....P...p...|
+000001c0  98 a4 0b 2a c0 71 65 9b  97 c7 c8 26 31 64 76 ff  |...*.qe....&1dv.|
+000001d0  13 eb 92 f4 ce 7e ab 6b  d8 bd 5a 22 62 20 64 1e  |.....~.k..Z"b d.|
+000001e0  4a 57 ea d2 39 31 db 00  97 2b 6b 76 11 e4 b8 c9  |JW..91...+kv....|
+000001f0  8f fe c3 54 1c f6 d8 52  a6 0d 3a f1 6b a2 cc 3f  |...T...R..:.k..?|
+00000200  e3 7e 7b cf 62 0e 52 e2  ea 9c 54 f3 7a 2f e4 40  |.~{.b.R...T.z/.@|
+00000210  ef 5e d4 84 5f 88 90 58  cd 35 c2 07 07 cf 85 62  |.^.._..X.5.....b|
+00000220  97 40 e1 09 6c cb f4 4f  6d 9a 77 62 cd f4 b1 01  |.@..l..Om.wb....|
+00000230  a4 1a 9a 81 37 ab de 20  22 f1 fa 7e e0 d7 74 89  |....7.. "..~..t.|
+00000240  ff b6 97 6e 38 e4 b2 05  8f 78 f0 ef 1c 3d 62 8e  |...n8....x...=b.|
+00000250  eb 28 ea 77 8f 8e 2b b5  e9 2f 3b 2c 06 98 41 79  |.(.w..+../;,..Ay|
+00000260  49 f5 2c 91 f5 9a 96 0d  5a 05 f0 72 8c 1a d3 3c  |I.,.....Z..r...<|
+00000270  b1 d6 04 fa 76 f3 35 63  c9 07 f5 6a 75 ca e7 a0  |....v.5c...ju...|
+00000280  13 d8 e7 ad 22 2b 27 65  c6 cc 13 f3 dc 12 9a 2a  |...."+'e.......*|
+00000290  07 54 d6 7f c2 66 87 7c  07 be 62 df 4a 82 8d 3a  |.T...f.|..b.J..:|
+000002a0  09 b5 ad 14 36 2a cd 0c  0d 21 31 9a 80 ae 14 65  |....6*...!1....e|
+000002b0  42 db a8 75 33 11 eb 01  71 b8 34 c4 0d 2f 74 0b  |B..u3...q.4../t.|
+000002c0  c6 c0 c9 e0 99 d1 ca f4  ff 1d 74 87 a8 17 0d 90  |..........t.....|
+000002d0  84 04 22 7f 91 ee 64 d3  0c 8f cd bc e4 a4 7c 4d  |.."...d.......|M|
+000002e0  10 cd 81 7d 29 eb 86 eb  7b ae fa d2 fc df ab c9  |...})...{.......|
+000002f0  44 6a 18 47 98 04 59 b2  97 e1 08 38 5e 19 1a e1  |Dj.G..Y....8^...|
+00000300  6f b5 7a 97 e7 f9 40 8f  35 f7 7f 38 7a 84 84 2e  |o.z...@.5..8z...|
+00000310  0f 35 5b dd e2 04 e5 fa  b1 44 a6 95 a4 01 97 cd  |.5[......D......|
+00000320  ac 88 71 89 0b eb 1b 7d  1f 6f 0e 5b 19 e7 17 03  |..q....}.o.[....|
+00000330  03 00 99 eb c7 e1 49 e2  42 25 50 25 07 80 67 3a  |......I.B%P%..g:|
+00000340  9a f4 bc 99 d5 49 f4 7f  f6 b4 91 f6 72 ba 7b 63  |.....I......r.{c|
+00000350  5a f8 11 73 91 e2 ee 81  12 34 f2 e7 9a 19 b1 06  |Z..s.....4......|
+00000360  4a 1e 4f 43 ff 13 de b0  a1 cf 5a 1e 2f 92 1c 11  |J.OC......Z./...|
+00000370  a6 83 22 4b 51 37 55 5b  74 ae 44 d0 5f 1f 72 f1  |.."KQ7U[t.D._.r.|
+00000380  11 dd 2d f3 97 d7 af fc  9f 53 7e 02 12 98 c8 4d  |..-......S~....M|
+00000390  78 8a c5 92 64 f1 76 98  de 7c 59 2b 7a 10 39 7b  |x...d.v..|Y+z.9{|
+000003a0  e1 25 7b c3 34 b8 d5 d3  17 51 30 f2 28 03 12 1a  |.%{.4....Q0.(...|
+000003b0  30 20 26 6d 3f d3 59 73  d9 dd 4e 33 2a 3a a4 33  |0 &m?.Ys..N3*:.3|
+000003c0  7b ab 5f 89 2f 93 2b 4a  e3 72 f6 0e 17 03 03 00  |{._./.+J.r......|
+000003d0  35 70 3d 70 6d 8a 69 d6  74 30 40 ec 50 1a e1 a5  |5p=pm.i.t0@.P...|
+000003e0  73 23 0d 90 81 b2 dd 8b  c6 0e e6 9e 11 0e 17 5b  |s#.............[|
+000003f0  30 d7 9c 28 e9 9d 47 32  5c a5 bb 65 86 a2 2b 24  |0..(..G2\..e..+$|
+00000400  62 2f 59 f0 da 05                                 |b/Y...|
+>>> Flow 5 (client to server)
+00000000  17 03 03 00 35 dd 48 af  8f 37 e2 24 fa 34 5c c6  |....5.H..7.$.4\.|
+00000010  c7 e3 29 dd ec cd 59 36  80 b4 11 be 5f 7e 90 2e  |..)...Y6...._~..|
+00000020  c9 e3 7e 53 34 12 5f 14  1c 38 d8 c7 49 b2 55 91  |..~S4._..8..I.U.|
+00000030  df e9 2b fd 79 78 60 7a  bf cd 17 03 03 00 17 bf  |..+.yx`z........|
+00000040  f4 06 52 2d c0 5c f8 73  32 55 13 00 52 b6 94 e5  |..R-.\.s2U..R...|
+00000050  03 7b a5 92 46 35                                 |.{..F5|
+>>> Flow 6 (server to client)
+00000000  17 03 03 00 da 61 bd 0a  99 51 52 9b d6 60 b9 c6  |.....a...QR..`..|
+00000010  73 74 6d e2 a8 ff c9 c3  6f 1c f8 9f 4a c0 4f 02  |stm.....o...J.O.|
+00000020  0a 51 0d 47 8a 3a 5a 9c  07 8d 3e e7 6c ef 98 11  |.Q.G.:Z...>.l...|
+00000030  76 89 43 9a 86 15 9a ed  e4 47 57 a1 b9 ec 17 d8  |v.C......GW.....|
+00000040  3a 90 85 db 95 5d 44 2a  c8 4d 04 3d f1 17 ca a9  |:....]D*.M.=....|
+00000050  bc 44 63 af c6 fe 88 77  ab 2e 3d 81 ca bd e4 00  |.Dc....w..=.....|
+00000060  aa 6b 2f fe 75 98 c4 94  f1 92 93 40 1d a4 4c f0  |.k/.u......@..L.|
+00000070  a4 3c b1 49 5b ec 27 38  e5 8f 5f 18 82 a7 b8 01  |.<.I[.'8.._.....|
+00000080  d9 5a 52 ce f2 6a e0 b7  1e a4 21 fc 10 74 f7 02  |.ZR..j....!..t..|
+00000090  33 0f e5 3c 77 6f 4d 68  79 9c ad 95 50 1d b8 9a  |3..<woMhy...P...|
+000000a0  d6 46 d3 f3 1d ee 25 ad  15 17 39 ec 50 64 04 1b  |.F....%...9.Pd..|
+000000b0  e1 ff 4c da d8 04 b3 9f  36 b3 43 f2 54 fe d3 dc  |..L.....6.C.T...|
+000000c0  bb a9 1e ef b4 06 6f 1b  47 0f f5 09 68 3f e6 58  |......o.G...h?.X|
+000000d0  be 99 51 b0 8f ce 06 c3  49 d7 8b f5 37 5c 5c 17  |..Q.....I...7\\.|
+000000e0  03 03 00 da c3 21 ac 77  44 d5 7b 4c 98 62 9a 98  |.....!.wD.{L.b..|
+000000f0  90 e5 00 e8 61 11 40 51  d9 6b e1 b1 02 06 7b 34  |....a.@Q.k....{4|
+00000100  af 80 09 74 29 06 b8 e6  78 cf 4c 62 86 e0 41 a4  |...t)...x.Lb..A.|
+00000110  39 aa c7 c2 13 c9 eb 7f  9c c6 d2 51 fc 69 fd 03  |9..........Q.i..|
+00000120  1b 26 45 b8 2b f0 69 31  d9 70 0f 2d 31 c3 fb f5  |.&E.+.i1.p.-1...|
+00000130  af a0 a1 e8 6c 63 d3 ed  33 bc 9c 4e 41 e7 1b df  |....lc..3..NA...|
+00000140  3e 5d 6a b3 c2 a0 f4 21  56 14 cf f5 9f f0 7b b4  |>]j....!V.....{.|
+00000150  de de 9c 8e c3 f4 81 25  20 9e ab a8 2f d0 ac 31  |.......% .../..1|
+00000160  c8 97 69 b5 e6 56 b6 6d  d3 9f 7e 5a b5 34 86 2c  |..i..V.m..~Z.4.,|
+00000170  29 23 d5 e1 84 fa 54 fd  b6 09 38 58 b2 16 79 d9  |)#....T...8X..y.|
+00000180  38 fd 41 d9 dd 18 ae 10  5a 1c ea 25 04 a5 fe f2  |8.A.....Z..%....|
+00000190  92 ca f7 e1 eb 3c a8 10  85 2b 08 f4 42 94 79 e8  |.....<...+..B.y.|
+000001a0  5b 2d ac 24 60 51 a0 27  51 02 1d b2 db 6a ad 6c  |[-.$`Q.'Q....j.l|
+000001b0  f6 01 06 e7 73 98 f3 cd  8c f7 51 ee a6 82        |....s.....Q...|
+>>> Flow 7 (client to server)
+00000000  17 03 03 00 13 8f 74 cd  f2 6c 0d a0 35 03 05 84  |......t..l..5...|
+00000010  cd 43 b8 2c 8f 23 18 41                           |.C.,.#.A|
diff --git a/u_common.go b/u_common.go
index 36514b1..285b9d4 100644
--- a/u_common.go
+++ b/u_common.go
@@ -58,30 +58,53 @@ var (
 	FakeFFDHE3072 = uint16(0x0101)
 )
 
-type ClientHelloID struct {
-	Browser string
-	Version uint16
-	// TODO: consider adding OS?
-}
-
-func (p *ClientHelloID) Str() string {
-	return fmt.Sprintf("%s-%d", p.Browser, p.Version)
-}
+// https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
+type CertCompressionAlgo uint16
 
 const (
-	helloGolang     = "Golang"
-	helloRandomized = "Randomized"
-	helloCustom     = "Custom"
-	helloFirefox    = "Firefox"
-	helloChrome     = "Chrome"
-	helloIOS        = "iOS"
-	helloAndroid    = "Android"
+	CertCompressionZlib   CertCompressionAlgo = 0x0001
+	CertCompressionBrotli CertCompressionAlgo = 0x0002
 )
 
 const (
-	helloAutoVers = iota
-	helloRandomizedALPN
-	helloRandomizedNoALPN
+	PskModePlain uint8 = pskModePlain
+	PskModeDHE   uint8 = pskModeDHE
+)
+
+type ClientHelloID struct {
+	Client string
+
+	// Version specifies version of a mimicked clients (e.g. browsers).
+	// Not used in randomized, custom handshake, and default Go.
+	Version string
+
+	// Seed is only used for randomized fingerprints to seed PRNG.
+	// Must not be modified once set.
+	Seed *PRNGSeed
+}
+
+func (p *ClientHelloID) Str() string {
+	return fmt.Sprintf("%s-%s", p.Client, p.Version)
+}
+
+func (p *ClientHelloID) IsSet() bool {
+	return (p.Client == "") && (p.Version == "")
+}
+
+const (
+	// clients
+	helloGolang           = "Golang"
+	helloRandomized       = "Randomized"
+	helloRandomizedALPN   = "Randomized-ALPN"
+	helloRandomizedNoALPN = "Randomized-NoALPN"
+	helloCustom           = "Custom"
+	helloFirefox          = "Firefox"
+	helloChrome           = "Chrome"
+	helloIOS              = "iOS"
+	helloAndroid          = "Android"
+
+	// versions
+	helloAutoVers = "0"
 )
 
 type ClientHelloSpec struct {
@@ -89,8 +112,8 @@ type ClientHelloSpec struct {
 	CompressionMethods []uint8        // nil => no compression
 	Extensions         []TLSExtension // nil => no extensions
 
-	TLSVersMin uint16 // [1.0-1.3]
-	TLSVersMax uint16 // [1.2-1.3]
+	TLSVersMin uint16 // [1.0-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.0
+	TLSVersMax uint16 // [1.2-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.2
 
 	// GreaseStyle: currently only random
 	// sessionID may or may not depend on ticket; nil => random
@@ -104,30 +127,33 @@ var (
 	// overwrite your changes to Hello(Config, Session are fine).
 	// You might want to call BuildHandshakeState() before applying any changes.
 	// UConn.Extensions will be completely ignored.
-	HelloGolang = ClientHelloID{helloGolang, helloAutoVers}
+	HelloGolang = ClientHelloID{helloGolang, helloAutoVers, nil}
 
 	// HelloCustom will prepare ClientHello with empty uconn.Extensions so you can fill it with
 	// TLSExtensions manually or use ApplyPreset function
-	HelloCustom = ClientHelloID{helloCustom, helloAutoVers}
+	HelloCustom = ClientHelloID{helloCustom, helloAutoVers, nil}
 
 	// HelloRandomized* randomly adds/reorders extensions, ciphersuites, etc.
-	HelloRandomized       = ClientHelloID{helloRandomized, helloAutoVers}
-	HelloRandomizedALPN   = ClientHelloID{helloRandomized, helloRandomizedALPN}
-	HelloRandomizedNoALPN = ClientHelloID{helloRandomized, helloRandomizedNoALPN}
+	HelloRandomized       = ClientHelloID{helloRandomized, helloAutoVers, nil}
+	HelloRandomizedALPN   = ClientHelloID{helloRandomizedALPN, helloAutoVers, nil}
+	HelloRandomizedNoALPN = ClientHelloID{helloRandomizedNoALPN, helloAutoVers, nil}
 
 	// The rest will will parrot given browser.
-	HelloFirefox_Auto = HelloFirefox_63
-	HelloFirefox_55   = ClientHelloID{helloFirefox, 55}
-	HelloFirefox_56   = ClientHelloID{helloFirefox, 56}
-	HelloFirefox_63   = ClientHelloID{helloFirefox, 63}
+	HelloFirefox_Auto = HelloFirefox_65
+	HelloFirefox_55   = ClientHelloID{helloFirefox, "55", nil}
+	HelloFirefox_56   = ClientHelloID{helloFirefox, "56", nil}
+	HelloFirefox_63   = ClientHelloID{helloFirefox, "63", nil}
+	HelloFirefox_65   = ClientHelloID{helloFirefox, "65", nil}
 
-	HelloChrome_Auto = HelloChrome_70
-	HelloChrome_58   = ClientHelloID{helloChrome, 58}
-	HelloChrome_62   = ClientHelloID{helloChrome, 62}
-	HelloChrome_70   = ClientHelloID{helloChrome, 70}
+	HelloChrome_Auto = HelloChrome_72
+	HelloChrome_58   = ClientHelloID{helloChrome, "58", nil}
+	HelloChrome_62   = ClientHelloID{helloChrome, "62", nil}
+	HelloChrome_70   = ClientHelloID{helloChrome, "70", nil}
+	HelloChrome_72   = ClientHelloID{helloChrome, "72", nil}
 
-	HelloIOS_Auto = HelloIOS_11_1
-	HelloIOS_11_1 = ClientHelloID{helloIOS, 111}
+	HelloIOS_Auto = HelloIOS_12_1
+	HelloIOS_11_1 = ClientHelloID{helloIOS, "111", nil} // legacy "111" means 11.1
+	HelloIOS_12_1 = ClientHelloID{helloIOS, "12.1", nil}
 )
 
 // based on spec's GreaseStyle, GREASE_PLACEHOLDER may be replaced by another GREASE value
diff --git a/u_conn.go b/u_conn.go
index 73fdb82..23f0001 100644
--- a/u_conn.go
+++ b/u_conn.go
@@ -21,7 +21,7 @@ type UConn struct {
 	*Conn
 
 	Extensions    []TLSExtension
-	clientHelloID ClientHelloID
+	ClientHelloID ClientHelloID
 
 	ClientHelloBuilt bool
 	HandshakeState   ClientHandshakeState
@@ -40,7 +40,8 @@ func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID) *UConn
 	}
 	tlsConn := Conn{conn: conn, config: config, isClient: true}
 	handshakeState := ClientHandshakeState{C: &tlsConn, Hello: &ClientHelloMsg{}}
-	uconn := UConn{Conn: &tlsConn, clientHelloID: clientHelloID, HandshakeState: handshakeState}
+	uconn := UConn{Conn: &tlsConn, ClientHelloID: clientHelloID, HandshakeState: handshakeState}
+	uconn.HandshakeState.uconn = &uconn
 	return &uconn
 }
 
@@ -57,7 +58,7 @@ func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID) *UConn
 // amd should only be called explicitly to inspect/change fields of
 // default/mimicked ClientHello.
 func (uconn *UConn) BuildHandshakeState() error {
-	if uconn.clientHelloID == HelloGolang {
+	if uconn.ClientHelloID == HelloGolang {
 		if uconn.ClientHelloBuilt {
 			return nil
 		}
@@ -73,7 +74,7 @@ func (uconn *UConn) BuildHandshakeState() error {
 		uconn.HandshakeState.C = uconn.Conn
 	} else {
 		if !uconn.ClientHelloBuilt {
-			err := uconn.applyPresetByID(uconn.clientHelloID)
+			err := uconn.applyPresetByID(uconn.ClientHelloID)
 			if err != nil {
 				return err
 			}
@@ -368,7 +369,7 @@ func (c *UConn) clientHandshake() (err error) {
 	hs12.serverHello = serverHello
 	hs12.hello = hello
 	err = hs12.handshake()
-	c.HandshakeState = *hs12.toPublic13()
+	c.HandshakeState = *hs12.toPublic12()
 	if err != nil {
 		return err
 	}
@@ -479,8 +480,58 @@ func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
 	return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
 }
 
-// SetVersCreateState set min and max TLS version in all appropriate places.
-func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16) error {
+// SetTLSVers sets min and max TLS version in all appropriate places.
+// Function will use first non-zero version parsed in following order:
+//   1) Provided minTLSVers, maxTLSVers
+//   2) specExtensions may have SupportedVersionsExtension
+//   3) [default] min = TLS 1.0, max = TLS 1.2
+//
+// Error is only returned if things are in clearly undesirable state
+// to help user fix them.
+func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16, specExtensions []TLSExtension) error {
+	if minTLSVers == 0 && maxTLSVers == 0 {
+		// if version is not set explicitly in the ClientHelloSpec, check the SupportedVersions extension
+		supportedVersionsExtensionsPresent := 0
+		for _, e := range specExtensions {
+			switch ext := e.(type) {
+			case *SupportedVersionsExtension:
+				findVersionsInSupportedVersionsExtensions := func(versions []uint16) (uint16, uint16) {
+					// returns (minVers, maxVers)
+					minVers := uint16(0)
+					maxVers := uint16(0)
+					for _, vers := range versions {
+						if vers == GREASE_PLACEHOLDER {
+							continue
+						}
+						if maxVers < vers || maxVers == 0 {
+							maxVers = vers
+						}
+						if minVers > vers || minVers == 0 {
+							minVers = vers
+						}
+					}
+					return minVers, maxVers
+				}
+
+				supportedVersionsExtensionsPresent += 1
+				minTLSVers, maxTLSVers = findVersionsInSupportedVersionsExtensions(ext.Versions)
+				if minTLSVers == 0 && maxTLSVers == 0 {
+					return fmt.Errorf("SupportedVersions extension has invalid Versions field")
+				} // else: proceed
+			}
+		}
+		switch supportedVersionsExtensionsPresent {
+		case 0:
+			// if mandatory for TLS 1.3 extension is not present, just default to 1.2
+			minTLSVers = VersionTLS10
+			maxTLSVers = VersionTLS12
+		case 1:
+		default:
+			return fmt.Errorf("uconn.Extensions contains %v separate SupportedVersions extensions",
+				supportedVersionsExtensionsPresent)
+		}
+	}
+
 	if minTLSVers < VersionTLS10 || minTLSVers > VersionTLS12 {
 		return fmt.Errorf("uTLS does not support 0x%X as min version", minTLSVers)
 	}
@@ -509,6 +560,9 @@ func (uconn *UConn) GetUnderlyingConn() net.Conn {
 func MakeConnWithCompleteHandshake(tcpConn net.Conn, version uint16, cipherSuite uint16, masterSecret []byte, clientRandom []byte, serverRandom []byte, isClient bool) *Conn {
 	tlsConn := &Conn{conn: tcpConn, config: &Config{}, isClient: isClient}
 	cs := cipherSuiteByID(cipherSuite)
+	if cs == nil {
+		return nil
+	}
 
 	// This is mostly borrowed from establishKeys()
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
diff --git a/u_conn_test.go b/u_conn_test.go
index d4dd4cd..0a40ea9 100644
--- a/u_conn_test.go
+++ b/u_conn_test.go
@@ -142,6 +142,23 @@ func TestUTLSHandshakeClientParrotChrome_58_setclienthello(t *testing.T) {
 	runUTLSClientTestTLS12(t, test, helloID)
 }
 
+// tests consistency of fingerprint after HelloRetryRequest
+// chrome 70 is used, due to only specifying X25519 in keyshare, but being able to generate P-256 curve too
+// openssl server, configured to use P-256, will send HelloRetryRequest
+func TestUTLSHelloRetryRequest(t *testing.T) {
+	helloID := HelloChrome_70
+	config := testConfig.Clone()
+	config.CurvePreferences = []CurveID{X25519, CurveP256}
+
+	test := &clientTest{
+		name:    "UTLS-HelloRetryRequest-" + helloID.Str(),
+		command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
+		config:  config,
+	}
+
+	runUTLSClientTestTLS13(t, test, helloID)
+}
+
 /*
 *
  HELPER FUNCTIONS BELOW
diff --git a/u_parrots.go b/u_parrots.go
index a2ee775..ad4ab8c 100644
--- a/u_parrots.go
+++ b/u_parrots.go
@@ -5,16 +5,13 @@
 package tls
 
 import (
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
-	"math/big"
 	"sort"
 	"strconv"
-	"time"
 )
 
 func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
@@ -136,7 +133,81 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 					CurveP256,
 					CurveP384,
 				}},
-				&GenericExtension{id: fakeCertCompressionAlgs, data: []byte{02, 00, 02}},
+				&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{CertCompressionBrotli}},
+				&UtlsGREASEExtension{},
+				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
+			},
+		}, nil
+	case HelloChrome_72:
+		return ClientHelloSpec{
+			CipherSuites: []uint16{
+				GREASE_PLACEHOLDER,
+				TLS_AES_128_GCM_SHA256,
+				TLS_AES_256_GCM_SHA384,
+				TLS_CHACHA20_POLY1305_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_RSA_WITH_AES_128_CBC_SHA,
+				TLS_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			},
+			CompressionMethods: []byte{
+				0x00, // compressionNone
+			},
+			Extensions: []TLSExtension{
+				&UtlsGREASEExtension{},
+				&SNIExtension{},
+				&UtlsExtendedMasterSecretExtension{},
+				&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
+				&SupportedCurvesExtension{[]CurveID{
+					CurveID(GREASE_PLACEHOLDER),
+					X25519,
+					CurveP256,
+					CurveP384,
+				}},
+				&SupportedPointsExtension{SupportedPoints: []byte{
+					0x00, // pointFormatUncompressed
+				}},
+				&SessionTicketExtension{},
+				&ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
+				&StatusRequestExtension{},
+				&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
+					ECDSAWithP256AndSHA256,
+					PSSWithSHA256,
+					PKCS1WithSHA256,
+					ECDSAWithP384AndSHA384,
+					PSSWithSHA384,
+					PKCS1WithSHA384,
+					PSSWithSHA512,
+					PKCS1WithSHA512,
+					PKCS1WithSHA1,
+				}},
+				&SCTExtension{},
+				&KeyShareExtension{[]KeyShare{
+					{Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}},
+					{Group: X25519},
+				}},
+				&PSKKeyExchangeModesExtension{[]uint8{
+					PskModeDHE,
+				}},
+				&SupportedVersionsExtension{[]uint16{
+					GREASE_PLACEHOLDER,
+					VersionTLS13,
+					VersionTLS12,
+					VersionTLS11,
+					VersionTLS10,
+				}},
+				&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{
+					CertCompressionBrotli,
+				}},
 				&UtlsGREASEExtension{},
 				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
 			},
@@ -189,7 +260,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 			},
 			GetSessionID: nil,
 		}, nil
-	case HelloFirefox_63:
+	case HelloFirefox_63, HelloFirefox_65:
 		return ClientHelloSpec{
 			TLSVersMin: VersionTLS10,
 			TLSVersMax: VersionTLS13,
@@ -257,7 +328,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 					PKCS1WithSHA1,
 				}},
 				&PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}},
-				&GenericExtension{id: fakeRecordSizeLimit, data: []byte{0x40, 0x01}},
+				&FakeRecordSizeLimitExtension{0x4001},
 				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
 			}}, nil
 	case HelloIOS_11_1:
@@ -319,6 +390,68 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 				}},
 			},
 		}, nil
+	case HelloIOS_12_1:
+		return ClientHelloSpec{
+			CipherSuites: []uint16{
+				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+				TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+				TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				TLS_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_RSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256,
+				TLS_RSA_WITH_AES_128_CBC_SHA256,
+				TLS_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_AES_128_CBC_SHA,
+				0xc008,
+				TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+				TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			},
+			CompressionMethods: []byte{
+				compressionNone,
+			},
+			Extensions: []TLSExtension{
+				&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
+				&SNIExtension{},
+				&UtlsExtendedMasterSecretExtension{},
+				&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
+					ECDSAWithP256AndSHA256,
+					PSSWithSHA256,
+					PKCS1WithSHA256,
+					ECDSAWithP384AndSHA384,
+					ECDSAWithSHA1,
+					PSSWithSHA384,
+					PSSWithSHA384,
+					PKCS1WithSHA384,
+					PSSWithSHA512,
+					PKCS1WithSHA512,
+					PKCS1WithSHA1,
+				}},
+				&StatusRequestExtension{},
+				&NPNExtension{},
+				&SCTExtension{},
+				&ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}},
+				&SupportedPointsExtension{SupportedPoints: []byte{
+					pointFormatUncompressed,
+				}},
+				&SupportedCurvesExtension{[]CurveID{
+					X25519,
+					CurveP256,
+					CurveP384,
+					CurveP521,
+				}},
+			},
+		}, nil
 	default:
 		return ClientHelloSpec{}, errors.New("ClientHello ID " + id.Str() + " is unknown")
 	}
@@ -326,25 +459,15 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 
 func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
 	var spec ClientHelloSpec
+	uconn.ClientHelloID = id
 	// choose/generate the spec
-	switch id {
-	case HelloRandomized:
-		if tossBiasedCoin(0.5) {
-			return uconn.applyPresetByID(HelloRandomizedALPN)
-		} else {
-			return uconn.applyPresetByID(HelloRandomizedNoALPN)
-		}
-	case HelloRandomizedALPN:
-		spec, err = uconn.generateRandomizedSpec(true)
+	switch id.Client {
+	case helloRandomized, helloRandomizedNoALPN, helloRandomizedALPN:
+		spec, err = uconn.generateRandomizedSpec()
 		if err != nil {
 			return err
 		}
-	case HelloRandomizedNoALPN:
-		spec, err = uconn.generateRandomizedSpec(false)
-		if err != nil {
-			return err
-		}
-	case HelloCustom:
+	case helloCustom:
 		return nil
 
 	default:
@@ -354,7 +477,6 @@ func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
 		}
 	}
 
-	uconn.clientHelloID = id
 	return uconn.ApplyPreset(&spec)
 }
 
@@ -363,7 +485,8 @@ func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
 // same ClientHelloSpec. It is advised to use different specs and avoid any shared state.
 func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 	var err error
-	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
+
+	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax, p.Extensions)
 	if err != nil {
 		return err
 	}
@@ -441,6 +564,11 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 			}
 			grease_extensions_seen += 1
 		case *SessionTicketExtension:
+			if session == nil && uconn.config.ClientSessionCache != nil {
+				cacheKey := clientSessionCacheKey(uconn.RemoteAddr(), uconn.config)
+				session, _ = uconn.config.ClientSessionCache.Get(cacheKey)
+				// TODO: use uconn.loadSession(hello.getPrivatePtr()) to support TLS 1.3 PSK-style resumption
+			}
 			err := uconn.SetSessionState(session)
 			if err != nil {
 				return err
@@ -486,24 +614,52 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 	return nil
 }
 
-func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, error) {
+func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
 	p := ClientHelloSpec{}
 
+	if uconn.ClientHelloID.Seed == nil {
+		seed, err := NewPRNGSeed()
+		if err != nil {
+			return p, err
+		}
+		uconn.ClientHelloID.Seed = seed
+	}
+
+	r := newPRNGWithSeed(uconn.ClientHelloID.Seed)
+
+	id := uconn.ClientHelloID
+
+	var WithALPN bool
+	switch id.Client {
+	case helloRandomizedALPN:
+		WithALPN = true
+	case helloRandomizedNoALPN:
+		WithALPN = false
+	case helloRandomized:
+		if r.FlipWeightedCoin(0.7) {
+			WithALPN = true
+		} else {
+			WithALPN = false
+		}
+	default:
+		return p, fmt.Errorf("using non-randomized ClientHelloID %v to generate randomized spec", id.Client)
+	}
+
 	p.CipherSuites = make([]uint16, len(defaultCipherSuites()))
 	copy(p.CipherSuites, defaultCipherSuites())
-	shuffledSuites, err := shuffledCiphers()
+	shuffledSuites, err := shuffledCiphers(r)
 	if err != nil {
 		return p, err
 	}
 
-	if tossBiasedCoin(0.4) {
+	if r.FlipWeightedCoin(0.4) {
 		p.TLSVersMin = VersionTLS10
 		p.TLSVersMax = VersionTLS13
-		tls13ciphers := defaultCipherSuitesTLS13()
-		err = shuffleUInts16(tls13ciphers)
-		if err != nil {
-			return p, err
-		}
+		tls13ciphers := make([]uint16, len(defaultCipherSuitesTLS13()))
+		copy(tls13ciphers, defaultCipherSuitesTLS13())
+		r.rand.Shuffle(len(tls13ciphers), func(i, j int) {
+			tls13ciphers[i], tls13ciphers[j] = tls13ciphers[j], tls13ciphers[i]
+		})
 		// appending TLS 1.3 ciphers before TLS 1.2, since that's what popular implementations do
 		shuffledSuites = append(tls13ciphers, shuffledSuites...)
 
@@ -514,7 +670,7 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
 		p.TLSVersMax = VersionTLS12
 	}
 
-	p.CipherSuites = removeRandomCiphers(shuffledSuites, 0.4)
+	p.CipherSuites = removeRandomCiphers(r, shuffledSuites, 0.4)
 
 	sni := SNIExtension{uconn.config.ServerName}
 	sessionTicket := SessionTicketExtension{Session: uconn.HandshakeState.Session}
@@ -528,26 +684,25 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
 		PKCS1WithSHA512,
 	}
 
-	if tossBiasedCoin(0.63) {
+	if r.FlipWeightedCoin(0.63) {
 		sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithSHA1)
 	}
-	if tossBiasedCoin(0.59) {
+	if r.FlipWeightedCoin(0.59) {
 		sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithP521AndSHA512)
 	}
-	if tossBiasedCoin(0.51) || p.TLSVersMax == VersionTLS13 {
+	if r.FlipWeightedCoin(0.51) || p.TLSVersMax == VersionTLS13 {
 		// https://tools.ietf.org/html/rfc8446 says "...RSASSA-PSS (which is mandatory in TLS 1.3)..."
 		sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA256)
-		if tossBiasedCoin(0.9) {
+		if r.FlipWeightedCoin(0.9) {
 			// these usually go together
 			sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA384)
 			sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA512)
 		}
 	}
 
-	err = shuffleSignatures(sigAndHashAlgos)
-	if err != nil {
-		return p, err
-	}
+	r.rand.Shuffle(len(sigAndHashAlgos), func(i, j int) {
+		sigAndHashAlgos[i], sigAndHashAlgos[j] = sigAndHashAlgos[j], sigAndHashAlgos[i]
+	})
 	sigAndHash := SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: sigAndHashAlgos}
 
 	status := StatusRequestExtension{}
@@ -556,11 +711,11 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
 	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
 
 	curveIDs := []CurveID{}
-	if tossBiasedCoin(0.71) || p.TLSVersMax == VersionTLS13 {
+	if r.FlipWeightedCoin(0.71) || p.TLSVersMax == VersionTLS13 {
 		curveIDs = append(curveIDs, X25519)
 	}
 	curveIDs = append(curveIDs, CurveP256, CurveP384)
-	if tossBiasedCoin(0.46) {
+	if r.FlipWeightedCoin(0.46) {
 		curveIDs = append(curveIDs, CurveP521)
 	}
 
@@ -586,28 +741,28 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
 		p.Extensions = append(p.Extensions, &alpn)
 	}
 
-	if tossBiasedCoin(0.62) || p.TLSVersMax == VersionTLS13 {
+	if r.FlipWeightedCoin(0.62) || p.TLSVersMax == VersionTLS13 {
 		// always include for TLS 1.3, since TLS 1.3 ClientHellos are often over 256 bytes
 		// and that's when padding is required to work around buggy middleboxes
 		p.Extensions = append(p.Extensions, &padding)
 	}
-	if tossBiasedCoin(0.74) {
+	if r.FlipWeightedCoin(0.74) {
 		p.Extensions = append(p.Extensions, &status)
 	}
-	if tossBiasedCoin(0.46) {
+	if r.FlipWeightedCoin(0.46) {
 		p.Extensions = append(p.Extensions, &sct)
 	}
-	if tossBiasedCoin(0.75) {
+	if r.FlipWeightedCoin(0.75) {
 		p.Extensions = append(p.Extensions, &reneg)
 	}
-	if tossBiasedCoin(0.77) {
+	if r.FlipWeightedCoin(0.77) {
 		p.Extensions = append(p.Extensions, &ems)
 	}
 	if p.TLSVersMax == VersionTLS13 {
 		ks := KeyShareExtension{[]KeyShare{
 			{Group: X25519}, // the key for the group will be generated later
 		}}
-		if tossBiasedCoin(0.25) {
+		if r.FlipWeightedCoin(0.25) {
 			// do not ADD second keyShare because crypto/tls does not support multiple ecdheParams
 			// TODO: add it back when they implement multiple keyShares, or implement it oursevles
 			// ks.KeyShares = append(ks.KeyShares, KeyShare{Group: CurveP256})
@@ -619,38 +774,14 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
 		}
 		p.Extensions = append(p.Extensions, &ks, &pskExchangeModes, &supportedVersionsExt)
 	}
-	err = shuffleTLSExtensions(p.Extensions)
-	if err != nil {
-		return p, err
-	}
-	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
-	if err != nil {
-		return p, err
-	}
+	r.rand.Shuffle(len(p.Extensions), func(i, j int) {
+		p.Extensions[i], p.Extensions[j] = p.Extensions[j], p.Extensions[i]
+	})
 
 	return p, nil
 }
 
-func tossBiasedCoin(probability float32) bool {
-	// probability is expected to be in [0,1]
-	// this function never returns errors for ease of use
-	const precision = 0xffff
-	threshold := float32(precision) * probability
-	value, err := getRandInt(precision)
-	if err != nil {
-		// I doubt that this code will ever actually be used, as other functions are expected to complain
-		// about used source of entropy. Nonetheless, this is more than enough for given purpose
-		return ((time.Now().Unix() & 1) == 0)
-	}
-
-	if float32(value) <= threshold {
-		return true
-	} else {
-		return false
-	}
-}
-
-func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
+func removeRandomCiphers(r *prng, s []uint16, maxRemovalProbability float64) []uint16 {
 	// removes elements in place
 	// probability to remove increases for further elements
 	// never remove first cipher
@@ -659,10 +790,10 @@ func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
 	}
 
 	// remove random elements
-	floatLen := float32(len(s))
+	floatLen := float64(len(s))
 	sliceLen := len(s)
 	for i := 1; i < sliceLen; i++ {
-		if tossBiasedCoin(maxRemovalProbability * float32(i) / floatLen) {
+		if r.FlipWeightedCoin(maxRemovalProbability * float64(i) / floatLen) {
 			s = append(s[:i], s[i+1:]...)
 			sliceLen--
 			i--
@@ -671,46 +802,9 @@ func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
 	return s[:sliceLen]
 }
 
-func removeRC4Ciphers(s []uint16) []uint16 {
-	// removes elements in place
-	sliceLen := len(s)
-	for i := 0; i < sliceLen; i++ {
-		cipher := s[i]
-		if cipher == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ||
-			cipher == TLS_ECDHE_RSA_WITH_RC4_128_SHA ||
-			cipher == TLS_RSA_WITH_RC4_128_SHA {
-			s = append(s[:i], s[i+1:]...)
-			sliceLen--
-			i--
-		}
-	}
-	return s[:sliceLen]
-}
-
-func getRandInt(max int) (int, error) {
-	bigInt, err := rand.Int(rand.Reader, big.NewInt(int64(max)))
-	return int(bigInt.Int64()), err
-}
-
-func getRandPerm(n int) ([]int, error) {
-	permArray := make([]int, n)
-	for i := 1; i < n; i++ {
-		j, err := getRandInt(i + 1)
-		if err != nil {
-			return permArray, err
-		}
-		permArray[i] = permArray[j]
-		permArray[j] = i
-	}
-	return permArray, nil
-}
-
-func shuffledCiphers() ([]uint16, error) {
+func shuffledCiphers(r *prng) ([]uint16, error) {
 	ciphers := make(sortableCiphers, len(cipherSuites))
-	perm, err := getRandPerm(len(cipherSuites))
-	if err != nil {
-		return nil, err
-	}
+	perm := r.Perm(len(cipherSuites))
 	for i, suite := range cipherSuites {
 		ciphers[i] = sortableCipher{suite: suite.id,
 			isObsolete: ((suite.flags & suiteTLS12) == 0),
@@ -754,41 +848,18 @@ func (ciphers sortableCiphers) GetCiphers() []uint16 {
 	return cipherIDs
 }
 
-// so much for generics
-func shuffleTLSExtensions(s []TLSExtension) error {
-	// shuffles array in place
-	perm, err := getRandPerm(len(s))
-	if err != nil {
-		return err
+func removeRC4Ciphers(s []uint16) []uint16 {
+	// removes elements in place
+	sliceLen := len(s)
+	for i := 0; i < sliceLen; i++ {
+		cipher := s[i]
+		if cipher == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ||
+			cipher == TLS_ECDHE_RSA_WITH_RC4_128_SHA ||
+			cipher == TLS_RSA_WITH_RC4_128_SHA {
+			s = append(s[:i], s[i+1:]...)
+			sliceLen--
+			i--
+		}
 	}
-	for i := range s {
-		s[i], s[perm[i]] = s[perm[i]], s[i]
-	}
-	return nil
-}
-
-// so much for generics
-func shuffleSignatures(s []SignatureScheme) error {
-	// shuffles array in place
-	perm, err := getRandPerm(len(s))
-	if err != nil {
-		return err
-	}
-	for i := range s {
-		s[i], s[perm[i]] = s[perm[i]], s[i]
-	}
-	return nil
-}
-
-// so much for generics
-func shuffleUInts16(s []uint16) error {
-	// shuffles array in place
-	perm, err := getRandPerm(len(s))
-	if err != nil {
-		return err
-	}
-	for i := range s {
-		s[i], s[perm[i]] = s[perm[i]], s[i]
-	}
-	return nil
+	return s[:sliceLen]
 }
diff --git a/u_prng.go b/u_prng.go
new file mode 100644
index 0000000..fa31eb3
--- /dev/null
+++ b/u_prng.go
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 2019, Psiphon Inc.
+ * All rights reserved.
+ *
+ * Released under utls licence:
+ * https://github.com/refraction-networking/utls/blob/master/LICENSE
+ */
+
+// This code is a pared down version of:
+// https://github.com/Psiphon-Labs/psiphon-tunnel-core/blob/158caea562287284cc3fa5fcd1b3c97b1addf659/psiphon/common/prng/prng.go
+
+package tls
+
+import (
+	crypto_rand "crypto/rand"
+	"encoding/binary"
+	"math"
+	"math/rand"
+	"sync"
+
+	"github.com/Yawning/chacha20"
+)
+
+const (
+	PRNGSeedLength = 32
+)
+
+// PRNGSeed is a PRNG seed.
+type PRNGSeed [PRNGSeedLength]byte
+
+// NewPRNGSeed creates a new PRNG seed using crypto/rand.Read.
+func NewPRNGSeed() (*PRNGSeed, error) {
+	seed := new(PRNGSeed)
+	_, err := crypto_rand.Read(seed[:])
+	if err != nil {
+		return nil, err
+	}
+	return seed, nil
+}
+
+// prng is a seeded, unbiased PRNG based on chacha20. that is suitable for use
+// cases such as obfuscation.
+//
+// Seeding is based on crypto/rand.Read and the PRNG stream is provided by
+// chacha20.
+//
+// This PRNG is _not_ for security use cases including production cryptographic
+// key generation.
+//
+// Limitations: there is a cycle in the PRNG stream, after roughly 2^64 * 2^38-64
+// bytes.
+//
+// It is safe to make concurrent calls to a PRNG instance.
+//
+// PRNG conforms to io.Reader and math/rand.Source, with additional helper
+// functions.
+type prng struct {
+	rand                   *rand.Rand
+	randomStreamMutex      sync.Mutex
+	randomStreamSeed       *PRNGSeed
+	randomStream           *chacha20.Cipher
+	randomStreamUsed       uint64
+	randomStreamRekeyCount uint64
+}
+
+// newPRNG generates a seed and creates a PRNG with that seed.
+func newPRNG() (*prng, error) {
+	seed, err := NewPRNGSeed()
+	if err != nil {
+		return nil, err
+	}
+	return newPRNGWithSeed(seed), nil
+}
+
+// newPRNGWithSeed initializes a new PRNG using an existing seed.
+func newPRNGWithSeed(seed *PRNGSeed) *prng {
+	p := &prng{
+		randomStreamSeed: seed,
+	}
+	p.rekey()
+	p.rand = rand.New(p)
+	return p
+}
+
+// Read reads random bytes from the PRNG stream into b. Read conforms to
+// io.Reader and always returns len(p), nil.
+func (p *prng) Read(b []byte) (int, error) {
+
+	p.randomStreamMutex.Lock()
+	defer p.randomStreamMutex.Unlock()
+
+	// Re-key before reaching the 2^38-64 chacha20 key stream limit.
+	if p.randomStreamUsed+uint64(len(b)) >= uint64(1<<38-64) {
+		p.rekey()
+	}
+
+	p.randomStream.KeyStream(b)
+
+	p.randomStreamUsed += uint64(len(b))
+
+	return len(b), nil
+}
+
+func (p *prng) rekey() {
+
+	// chacha20 has a stream limit of 2^38-64. Before that limit is reached,
+	// the cipher must be rekeyed. To rekey without changing the seed, we use
+	// a counter for the nonce.
+	//
+	// Limitation: the counter wraps at 2^64, which produces a cycle in the
+	// PRNG after 2^64 * 2^38-64 bytes.
+	//
+	// TODO: this could be extended by using all 2^96 bits of the nonce for
+	// the counter; and even further by using the 24 byte XChaCha20 nonce.
+	var randomKeyNonce [12]byte
+	binary.BigEndian.PutUint64(randomKeyNonce[0:8], p.randomStreamRekeyCount)
+
+	var err error
+	p.randomStream, err = chacha20.NewCipher(
+		p.randomStreamSeed[:], randomKeyNonce[:])
+	if err != nil {
+		// Functions returning random values, which may call rekey, don't
+		// return an error. As of github.com/Yawning/chacha20 rev. e3b1f968,
+		// the only possible errors from chacha20.NewCipher invalid key or
+		// nonce size, and since we use the correct sizes, there should never
+		// be an error here. So panic in this unexpected case.
+		panic(err)
+	}
+
+	p.randomStreamRekeyCount += 1
+	p.randomStreamUsed = 0
+}
+
+// Int63 is equivilent to math/read.Int63.
+func (p *prng) Int63() int64 {
+	i := p.Uint64()
+	return int64(i & (1<<63 - 1))
+}
+
+// Int63 is equivilent to math/read.Uint64.
+func (p *prng) Uint64() uint64 {
+	var b [8]byte
+	p.Read(b[:])
+	return binary.BigEndian.Uint64(b[:])
+}
+
+// Seed must exist in order to use a PRNG as a math/rand.Source. This call is
+// not supported and ignored.
+func (p *prng) Seed(_ int64) {
+}
+
+// FlipWeightedCoin returns the result of a weighted
+// random coin flip. If the weight is 0.5, the outcome
+// is equally likely to be true or false. If the weight
+// is 1.0, the outcome is always true, and if the
+// weight is 0.0, the outcome is always false.
+//
+// Input weights > 1.0 are treated as 1.0.
+func (p *prng) FlipWeightedCoin(weight float64) bool {
+	if weight > 1.0 {
+		weight = 1.0
+	}
+	f := float64(p.Int63()) / float64(math.MaxInt64)
+	return f > 1.0-weight
+}
+
+// Intn is equivilent to math/read.Intn, except it returns 0 if n <= 0
+// instead of panicking.
+func (p *prng) Intn(n int) int {
+	if n <= 0 {
+		return 0
+	}
+	return p.rand.Intn(n)
+}
+
+// Int63n is equivilent to math/read.Int63n, except it returns 0 if n <= 0
+// instead of panicking.
+func (p *prng) Int63n(n int64) int64 {
+	if n <= 0 {
+		return 0
+	}
+	return p.rand.Int63n(n)
+}
+
+// Intn is equivilent to math/read.Perm.
+func (p *prng) Perm(n int) []int {
+	return p.rand.Perm(n)
+}
+
+// Range selects a random integer in [min, max].
+// If min < 0, min is set to 0. If max < min, min is returned.
+func (p *prng) Range(min, max int) int {
+	if min < 0 {
+		min = 0
+	}
+	if max < min {
+		return min
+	}
+	n := p.Intn(max - min + 1)
+	n += min
+	return n
+}
diff --git a/u_public.go b/u_public.go
index 59c12ef..7481d6e 100644
--- a/u_public.go
+++ b/u_public.go
@@ -27,6 +27,8 @@ type ClientHandshakeState struct {
 
 	State12 TLS12OnlyState
 	State13 TLS13OnlyState
+
+	uconn *UConn
 }
 
 // TLS 1.3 only
@@ -69,6 +71,8 @@ func (chs *ClientHandshakeState) toPrivate13() *clientHandshakeStateTLS13 {
 			transcript:    chs.State13.Transcript,
 			masterSecret:  chs.MasterSecret,
 			trafficSecret: chs.State13.TrafficSecret,
+
+			uconn: chs.uconn,
 		}
 	}
 }
@@ -98,6 +102,8 @@ func (chs13 *clientHandshakeStateTLS13) toPublic13() *ClientHandshakeState {
 			MasterSecret: chs13.masterSecret,
 
 			State13: tls13State,
+
+			uconn: chs13.uconn,
 		}
 	}
 }
@@ -116,11 +122,13 @@ func (chs *ClientHandshakeState) toPrivate12() *clientHandshakeState {
 			masterSecret: chs.MasterSecret,
 
 			finishedHash: *chs.State12.FinishedHash.getPrivatePtr(),
+
+			uconn: chs.uconn,
 		}
 	}
 }
 
-func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
+func (chs12 *clientHandshakeState) toPublic12() *ClientHandshakeState {
 	if chs12 == nil {
 		return nil
 	} else {
@@ -138,6 +146,8 @@ func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
 			MasterSecret: chs12.masterSecret,
 
 			State12: tls12State,
+
+			uconn: chs12.uconn,
 		}
 	}
 }
diff --git a/u_roller.go b/u_roller.go
index 8bb225e..a1c5291 100644
--- a/u_roller.go
+++ b/u_roller.go
@@ -12,21 +12,21 @@ type Roller struct {
 	WorkingHelloID      *ClientHelloID
 	TcpDialTimeout      time.Duration
 	TlsHandshakeTimeout time.Duration
+	r                   *prng
 }
 
 // NewRoller creates Roller object with default range of HelloIDs to cycle through until a
 // working/unblocked one is found.
 func NewRoller() (*Roller, error) {
-	tcpDialTimeoutInc, err := getRandInt(14)
+	r, err := newPRNG()
 	if err != nil {
 		return nil, err
 	}
+
+	tcpDialTimeoutInc := r.Intn(14)
 	tcpDialTimeoutInc = 7 + tcpDialTimeoutInc
 
-	tlsHandshakeTimeoutInc, err := getRandInt(20)
-	if err != nil {
-		return nil, err
-	}
+	tlsHandshakeTimeoutInc := r.Intn(20)
 	tlsHandshakeTimeoutInc = 11 + tlsHandshakeTimeoutInc
 
 	return &Roller{
@@ -38,6 +38,7 @@ func NewRoller() (*Roller, error) {
 		},
 		TcpDialTimeout:      time.Second * time.Duration(tcpDialTimeoutInc),
 		TlsHandshakeTimeout: time.Second * time.Duration(tlsHandshakeTimeoutInc),
+		r:                   r,
 	}, nil
 }
 
@@ -49,25 +50,32 @@ func NewRoller() (*Roller, error) {
 //    Dial("tcp4", "google.com:443", "google.com")
 //    Dial("tcp", "10.23.144.22:443", "mywebserver.org")
 func (c *Roller) Dial(network, addr, serverName string) (*UConn, error) {
-	helloIDs, err := shuffleClientHelloIDs(c.HelloIDs)
-	if err != nil {
-		return nil, err
-	}
+	helloIDs := make([]ClientHelloID, len(c.HelloIDs))
+	copy(helloIDs, c.HelloIDs)
+	c.r.rand.Shuffle(len(c.HelloIDs), func(i, j int) {
+		helloIDs[i], helloIDs[j] = helloIDs[j], helloIDs[i]
+	})
 
 	c.HelloIDMu.Lock()
 	workingHelloId := c.WorkingHelloID // keep using same helloID, if it works
 	c.HelloIDMu.Unlock()
 	if workingHelloId != nil {
+		helloIDFound := false
 		for i, ID := range helloIDs {
 			if ID == *workingHelloId {
 				helloIDs[i] = helloIDs[0]
 				helloIDs[0] = *workingHelloId // push working hello ID first
+				helloIDFound = true
 				break
 			}
 		}
+		if !helloIDFound {
+			helloIDs = append([]ClientHelloID{*workingHelloId}, helloIDs...)
+		}
 	}
 
 	var tcpConn net.Conn
+	var err error
 	for _, helloID := range helloIDs {
 		tcpConn, err = net.DialTimeout(network, addr, c.TcpDialTimeout)
 		if err != nil {
@@ -84,23 +92,9 @@ func (c *Roller) Dial(network, addr, serverName string) (*UConn, error) {
 		}
 
 		c.HelloIDMu.Lock()
-		c.WorkingHelloID = &helloID
+		c.WorkingHelloID = &client.ClientHelloID
 		c.HelloIDMu.Unlock()
 		return client, err
 	}
 	return nil, err
 }
-
-// returns a shuffled copy of input
-func shuffleClientHelloIDs(helloIDs []ClientHelloID) ([]ClientHelloID, error) {
-	perm, err := getRandPerm(len(helloIDs))
-	if err != nil {
-		return nil, err
-	}
-
-	shuffled := make([]ClientHelloID, len(helloIDs))
-	for i, randI := range perm {
-		shuffled[i] = helloIDs[randI]
-	}
-	return shuffled, nil
-}
diff --git a/u_tls_extensions.go b/u_tls_extensions.go
index 5645178..3ab2543 100644
--- a/u_tls_extensions.go
+++ b/u_tls_extensions.go
@@ -392,32 +392,6 @@ func (e *GenericExtension) Read(b []byte) (int, error) {
 	return e.Len(), io.EOF
 }
 
-/*
-FAKE EXTENSIONS
-*/
-
-type FakeChannelIDExtension struct {
-}
-
-func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
-	return nil
-}
-
-func (e *FakeChannelIDExtension) Len() int {
-	return 4
-}
-
-func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
-	b[0] = byte(fakeExtensionChannelID >> 8)
-	b[1] = byte(fakeExtensionChannelID & 0xff)
-	// The length is 0
-	return e.Len(), io.EOF
-}
-
 type UtlsExtendedMasterSecretExtension struct {
 }
 
@@ -684,5 +658,122 @@ func (e *SupportedVersionsExtension) Read(b []byte) (int, error) {
 	return e.Len(), io.EOF
 }
 
-// TODO: FakeCertificateCompressionAlgorithmsExtension
-// TODO: FakeRecordSizeLimitExtension
+// MUST NOT be part of initial ClientHello
+type CookieExtension struct {
+	Cookie []byte
+}
+
+func (e *CookieExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *CookieExtension) Len() int {
+	return 4 + len(e.Cookie)
+}
+
+func (e *CookieExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+
+	b[0] = byte(extensionCookie >> 8)
+	b[1] = byte(extensionCookie)
+	b[2] = byte(len(e.Cookie) >> 8)
+	b[3] = byte(len(e.Cookie))
+	if len(e.Cookie) > 0 {
+		copy(b[4:], e.Cookie)
+	}
+	return e.Len(), io.EOF
+}
+
+/*
+FAKE EXTENSIONS
+*/
+
+type FakeChannelIDExtension struct {
+}
+
+func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeChannelIDExtension) Len() int {
+	return 4
+}
+
+func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeExtensionChannelID >> 8)
+	b[1] = byte(fakeExtensionChannelID & 0xff)
+	// The length is 0
+	return e.Len(), io.EOF
+}
+
+type FakeCertCompressionAlgsExtension struct {
+	Methods []CertCompressionAlgo
+}
+
+func (e *FakeCertCompressionAlgsExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeCertCompressionAlgsExtension) Len() int {
+	return 4 + 1 + (2 * len(e.Methods))
+}
+
+func (e *FakeCertCompressionAlgsExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeCertCompressionAlgs >> 8)
+	b[1] = byte(fakeCertCompressionAlgs & 0xff)
+
+	extLen := 2 * len(e.Methods)
+	if extLen > 255 {
+		return 0, errors.New("too many certificate compression methods")
+	}
+
+	b[2] = byte((extLen + 1) >> 8)
+	b[3] = byte((extLen + 1) & 0xff)
+	b[4] = byte(extLen)
+
+	i := 5
+	for _, compMethod := range e.Methods {
+		b[i] = byte(compMethod >> 8)
+		b[i+1] = byte(compMethod)
+		i += 2
+	}
+	return e.Len(), io.EOF
+}
+
+type FakeRecordSizeLimitExtension struct {
+	Limit uint16
+}
+
+func (e *FakeRecordSizeLimitExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeRecordSizeLimitExtension) Len() int {
+	return 6
+}
+
+func (e *FakeRecordSizeLimitExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeRecordSizeLimit >> 8)
+	b[1] = byte(fakeRecordSizeLimit & 0xff)
+
+	b[2] = byte(0)
+	b[3] = byte(2)
+
+	b[4] = byte(e.Limit >> 8)
+	b[5] = byte(e.Limit & 0xff)
+	return e.Len(), io.EOF
+}