Skip to Content [alt-c]


In reply to Comment by Reader Jason Stangroome

Andrew Ayer on 2020-07-06 at 14:58:

Thanks, Jason!

SNI is not encrypted in TLS 1.3 and this code works with TLS 1.3.

There is ongoing work to add encrypted SNI to TLS <>. The proposal explicitly supports SNI-based proxying. The proxy server would operate as the "provider", receive the encrypted Client Hello, decrypt it, and forward the connection along to the backend, without seeing the plaintext of the connection. This is the "split mode topology" shown on page 4.


Post a Reply

Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with > are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim (good for code).
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.