curl-library
Re: Support of Encrypted SNI
Date: Fri, 1 Mar 2019 10:05:57 +0100 (CET)
On Thu, 28 Feb 2019, Anindya Das via curl-library wrote:
> I want to use curl to make https get request with encrypted SNI. I have gone
> through the release logs and found that there is no support yet for this
> feature. Firefox enabled this feature in October, 2018.
>
> Do you have any plan or roadmap to provide support of encrypted SNI?
Hi!
I actually personally reviewed some of the patches that brought ESNI support
[1] to Firefox [3] (since I am the main author of the DoH (DNS-over-HTTPS)
code in Firefox). The ESNI support in Firefox requires that you have DoH
enabled.
The spec [1] clearly says that "It should not be used as a basis for building
production systems." and I know that the authors of the spec are working on
updates that will change it somewhat going further (I tried to find a link to
a previous twitter-conversation with details on that but I couldn't find it so
let's just think of it as a plausible future for now).
curl should definately support ESNI and the sooner the better. SNI is one of
the few remaining protocol details that are still in the clear for passive
evesdroppers to be able to see where clients want to "go" on the Internet.
ESNI basically requires some DNS records to be able to encrypt the SNI field
in the TLS handshake. In order to get to those records, we need to query a
resolver and for that we either need DOH support (just like Firefox) since
then we can fiddle with DNS packet directly and they are encrypted over the
wire - or possibly we need a build using c-ares that also offer the necessary
DNS functions. (I'm not sure if the latter is actually doable according to
spec.)
I have not started the work on writing support for this, and I'm also not
aware of anyone else having done it either. It shouldn't have to be *that*
complicated and at least Cloudflare is already supporting it so there should
be a fairly good interop testing ground. That said, ESNI support is not on my
immediate agenda so I don't think I'll start on it soon. Unless of course
someone joins in and helps with it - or perhaps even sponsor the work.
I do offer commercial curl support. That could include working on new
features! =)
The Chrome team seems to await further spec changes [2] and by the sound of
it, they too intend to do it over DOH.
[1] = https://tools.ietf.org/html/draft-ietf-tls-esni-02
[2] = https://bugs.chromium.org/p/chromium/issues/detail?id=908132
[3] =
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
-- / daniel.haxx.se ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2019-03-01