Skip to Content [alt-c]

Comment

In reply to Comment by Reader Jason Stangroome

Andrew Ayer on 2020-07-06 at 14:58:

Thanks, Jason!

SNI is not encrypted in TLS 1.3 and this code works with TLS 1.3.

There is ongoing work to add encrypted SNI to TLS <https://tools.ietf.org/html/draft-ietf-tls-esni-07>. The proposal explicitly supports SNI-based proxying. The proxy server would operate as the "provider", receive the encrypted Client Hello, decrypt it, and forward the connection along to the backend, without seeing the plaintext of the connection. This is the "split mode topology" shown on page 4.

Reply

Post a Reply

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.