Re: [TLS] Possible blocking of Encrypted SNI extension in China

David Fifield <> Thu, 13 August 2020 17:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5328F3A0F8D for <>; Thu, 13 Aug 2020 10:30:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wn4zKgzMKz_x for <>; Thu, 13 Aug 2020 10:30:13 -0700 (PDT)
Received: from ( [IPv6:2600:3c00:e000:128:de39:20ee:9704:752d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 416C03A0FAA for <>; Thu, 13 Aug 2020 10:30:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=mail; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=RLBmSR5fn0f8oPqDXydalJubnW8kkFZD5XLvjll46Cw=; b=VkVZ5TaTBizgk4EOrdKgq1Tb7f KIJodnmQ8Qt7A4cXoV/XKJ9mpnWPNexRwabKBbngPejFWNr73KeU5Ih+Msns7gZmJq0tcqTdSjoVb u+Wy64KU+qDqCTyW743Z5+9hFGYW5CELArpcFgCI8AvhAwlqo04KLpEDTbYpHFDyeV8w=;
Date: Thu, 13 Aug 2020 11:30:02 -0600
From: David Fifield <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: NeoMutt/20180716
Archived-At: <>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Aug 2020 17:30:21 -0000

On Fri, Aug 07, 2020 at 05:56:30PM -0600, David Fifield wrote:
> Most of the functions of the Great Firewall work bidirectionally, and
> the ESNI detection and blocking are no exception. Sending an
> ESNI-containing ClientHello from *outside* of China to a server
> *inside* results in temporary blocking, just the same as sending one
> from the inside to the outside. This makes it easy to experiment with,
> even if you don't control a host in China.

Triggering blocking from the outside no longer works. ESNI connections
that originate inside the firewall are still blocked. This was first
observed by GFW report, who were able to isolate the change from
bidirectionality to unidirectional to a five-minute window: between
06:27 and 06:32 UTC on 2020-08-13. I tried it myself, and I confirm that
I am not now able to trigger ESNI blocking from outside the firewall.