
Re: Support of Encrypted SNI

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 1 Mar 2019 10:05:57 +0100 (CET)

On Thu, 28 Feb 2019, Anindya Das via curl-library wrote:

> I want to use curl to make https get request with encrypted SNI. I have gone
> through the release logs and found that there is no support yet for this
> feature. Firefox enabled this feature in October, 2018.
>
> Do you have any plan or roadmap to provide support of encrypted SNI?

Hi!

I actually personally reviewed some of the patches that brought ESNI support
[1] to Firefox [3] (since I am the main author of the DoH (DNS-over-HTTPS)
code in Firefox). The ESNI support in Firefox requires that you have DoH
enabled.

The spec [1] clearly says that "It should not be used as a basis for building
production systems." and I know that the authors of the spec are working on
updates that will change it somewhat going further (I tried to find a link to
a previous twitter-conversation with details on that but I couldn't find it so
let's just think of it as a plausible future for now).

curl should definitely support ESNI and the sooner the better. SNI is one of
the few remaining protocol details that are still in the clear for passive
eavesdroppers to be able to see where clients want to "go" on the Internet.

ESNI basically requires some DNS records to be able to encrypt the SNI field
in the TLS handshake. In order to get to those records, we need to query a
resolver and for that we either need DoH support (just like Firefox), since
then we can fiddle with the DNS packets directly and they are encrypted over the
wire - or possibly we need a build using c-ares that also offers the necessary
DNS functions. (I'm not sure if the latter is actually doable according to
spec.)

I have not started the work on writing support for this, and I'm also not
aware of anyone else having done it either. It shouldn't have to be *that*
complicated and at least Cloudflare is already supporting it so there should
be a fairly good interop testing ground. That said, ESNI support is not on my
immediate agenda so I don't think I'll start on it soon. Unless of course
someone joins in and helps with it - or perhaps even sponsors the work.

I do offer commercial curl support. That could include working on new
features! =)

The Chrome team seems to await further spec changes [2] and by the sound of
it, they too intend to do it over DoH.

[1] = https://tools.ietf.org/html/draft-ietf-tls-esni-02
[2] = https://bugs.chromium.org/p/chromium/issues/detail?id=908132
[3] = https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2019-03-01
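The lookup step Daniel describes (fetch the ESNI DNS record through a DoH resolver before the TLS handshake), shown as an added example that is not curl's code and not part of the original mail. It builds a DNS TXT query in wire format (RFC 1035), encodes it for a DoH GET request (RFC 8484), and parses the TXT answer into the base64-decoded ESNIKeys blob that draft-ietf-tls-esni-02 publishes at `_esni.<host>`. The resolver URL `https://doh.example/dns-query`, the response bytes and the key blob are constructed here so it runs offline; the `0xff01` version check is draft-02's value and the only field of ESNIKeys the code inspects.

```python
"""Added example: the DoH lookup of a draft-02 ESNI TXT record, offline."""
import base64
import struct
from typing import List, Optional, Tuple

QTYPE_TXT, QCLASS_IN = 16, 1
# Constructed ESNIKeys blob (assumption): draft-02 version 0xff01 followed by filler.
SAMPLE_ESNI_KEYS = b"\xff\x01" + bytes(range(30))


def build_txt_query(name: str, txid: int = 0) -> bytes:
    """Single-question DNS query for TXT <name> with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` parameter.
    A zero transaction id keeps the URL identical across clients, so HTTP caches help."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels: List[str] = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_txt_answers(msg: bytes) -> List[bytes]:
    """Return each TXT RR's character-strings joined, from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    out: List[bytes] = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            joined, i = b"", 0
            while i < len(rdata):  # TXT rdata is a run of <len><bytes> strings
                n = rdata[i]
                joined += rdata[i + 1:i + 1 + n]
                i += 1 + n
            out.append(joined)
    return out


def esni_keys_from_txt(txts: List[bytes]) -> Optional[bytes]:
    """Pick the first TXT string that decodes as base64 to a draft-02 ESNIKeys."""
    for t in txts:
        try:
            blob = base64.b64decode(t, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not ESNI data
            continue
        if len(blob) >= 2 and blob[:2] == b"\xff\x01":
            return blob
    return None


def constructed_doh_response(query: bytes, txt: bytes) -> bytes:
    """Constructed sample answer (no real resolver): NOERROR, one TXT RR, TTL 300."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(txt[i:i + 255])]) + txt[i:i + 255]
                     for i in range(0, len(txt), 255))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answer


def demo(host: str = "example.com") -> Optional[bytes]:
    """End to end on constructed data: build query, (would) GET it, parse the keys."""
    query = build_txt_query("_esni." + host)
    url = doh_get_url("https://doh.example/dns-query", query)  # assumed resolver
    print("GET", url)
    response = constructed_doh_response(query, base64.b64encode(SAMPLE_ESNI_KEYS))
    return esni_keys_from_txt(parse_txt_answers(response))


if __name__ == "__main__":
    print(demo())
```

With a real resolver the response bytes would come from an HTTPS GET of the printed URL with `Accept: application/dns-message`; everything after that point is unchanged. A client should also reject an ESNIKeys whose version it does not implement rather than fall back silently, which is why the version check returns `None` instead of a partial structure.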