Hello Firefox-Dev,

I hope this is the right place to ask this query. I am trying to make ESNI work with a web proxy. What I am observing is that although the tunnel is TLSv1.3, the SNI is still going in plain text. While looking at logs for the bad case, and based on the very limited understanding I could build about the code, here is what I was able to conclude.

In nsSocketTransport::ResolveHost() (where we also compute the ESNI keys), the problem is on line number 1080, where esniHost.Append(SocketHost()); ends up picking the ProxyAddress instead of the host (see [0]), ultimately leading to a lookup for _esni.127.0.0.1 (or whatever is there in the proxy) instead of _esni.some.encryptedsnihost.com in the DNS cache.

Looking up ESNI for the proxy is bad for multiple reasons: in the best case the ESNI keys are not found and the TLS tunnel is "degraded", but in the worst case the proxy itself has an ESNI key present, and the TLS HELLO packet gets encrypted with the wrong key. Probably there is more to it.

Let me know what you think.

TIA,
Amritanshu

[0] https://dxr.mozilla.org/mozilla-central/source/netwerk/base/nsSocketTransport2.h#308

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
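The host mix-up described in the post, modelled as an added example that is not Firefox's own code: Transport, socketHost(), EsniCache, the key values and the outcome names are hypothetical stand-ins for the nsSocketTransport state and the DNS cache, chosen only to show why keying the ESNI lookup on the proxy address yields either a plaintext SNI or a ClientHello encrypted to the wrong key.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in for the transport state the post talks about.
struct Transport {
    std::string originHost;  // host the client wants, e.g. some.encryptedsnihost.com
    std::string proxyHost;   // web proxy address, e.g. 127.0.0.1; empty when no proxy
    // Mirrors what the post says SocketHost() does: with a proxy configured
    // it yields the proxy address rather than the origin host.
    const std::string& socketHost() const {
        return proxyHost.empty() ? originHost : proxyHost;
    }
};

// Constructed stand-in for the DNS cache: "_esni.<host>" -> published ESNI key.
using EsniCache = std::map<std::string, std::string>;

// The pattern the post describes: the lookup name is built from socketHost().
std::string esniLookupNameBuggy(const Transport& t) { return "_esni." + t.socketHost(); }

// Defensive variant: key the lookup on the origin host the SNI is for,
// independent of whatever endpoint the socket actually connects to.
std::string esniLookupNameFixed(const Transport& t) { return "_esni." + t.originHost; }

// The three outcomes the post lays out.
enum class EsniResult { KeyForOrigin, NoKeyPlaintextSni, WrongKey };

// Classify what the handshake would do with a given lookup name.
EsniResult classify(const Transport& t, const EsniCache& cache, const std::string& name) {
    if (cache.find(name) == cache.end()) {
        return EsniResult::NoKeyPlaintextSni;  // "degraded": SNI goes out in the clear
    }
    if (name == "_esni." + t.originHost) {
        return EsniResult::KeyForOrigin;       // the key published for the origin
    }
    return EsniResult::WrongKey;               // e.g. the proxy's own key was picked up
}
```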