Re: [TLS] ESNI interoperability questions

Rob Sayre <> Sun, 27 October 2019 02:43 UTC

As an update,

I seem to be able to negotiate a handshake with "", but I
must be making a mistake in my ClientHello. Wireshark sees Firefox's
ClientHello as TLS 1.3, but mine only shows up as TLS 1.0, although the
"" ServerHello does show up as TLS 1.3. You can check out the
details on that host at .

My client fails to read application data after that, although the server
does seem to send it.

You can check out my fork of Rustls here:

If you then do something like:
$ cd rustls/rustls-mio/
$ cargo run --example esniclient

you should see some ESNI traffic. Some of the code in the fork is a little
messy so far, but it's still in the "make it work" phase. :)


On Sat, Oct 26, 2019 at 3:31 PM Rob Sayre <> wrote:

> Hi,
>
> I think I have a working ESNI client, but I'm encountering a strange error
> testing with Cloudflare.
>
> I initially tested with "", but found this was a bad idea,
> because that host doesn't seem to require an SNI or ESNI. So, a bogus ESNI
> triggered no errors.
>
> When my client sends an ESNI to a Cloudfront-fronted domain, I get a
> handshake_failure error (40). According to the -02 draft, this should only
> happen if the server fails to negotiate TLS 1.3. I've got my client
> configured for TLS 1.3 only, so this shouldn't be an issue. When I add an
> unencrypted SNI to an otherwise identical ClientHello, everything works
> over TLS 1.3. If there are problems with my ESNI encryption, I should see
> other errors. Things like "illegal_parameter" or "decrypt_error", right?
>
> In Wireshark, I can at least see that my encrypted_server_name extension
> matches Firefox's cipher and key share entries, and the lengths of
> record_digest and encrypted_sni are the same. Firefox does send some
> extensions I don't, like ALPN. Does the absence of unencrypted SNI imply
> the presence of other extensions?
>
> I also wondered about extension order. Since the ClientHello.key_share is
> part of the ESNI calculation, does it need to appear first in the
> extensions list?
>
> thanks,
> Rob
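
Added example, not code from this message or from the Rustls fork it mentions: a small ClientHello inspector that reports the fields compared in the thread, namely the record-layer version, legacy_version, the supported_versions list, and the wire order of extensions (key_share is 51; encrypted_server_name is assumed to be type 0xffce, as in the draft ESNI versions). The names `Hello`, `inspect` and `sample` are hypothetical, and the sample ClientHello bytes are constructed rather than captured.

```rust
pub struct Hello {
    pub record_version: u16,          // TLSPlaintext.legacy_record_version
    pub legacy_version: u16,          // ClientHello.legacy_version
    pub extensions: Vec<u16>,         // extension types in wire order
    pub supported_versions: Vec<u16>, // contents of extension 43, if sent
}
fn u16_at(b: &[u8], i: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(i)?, *b.get(i + 1)?]))
}
pub fn inspect(rec: &[u8]) -> Option<Hello> {
    if *rec.first()? != 22 { return None; }            // record type: handshake
    let record_version = u16_at(rec, 1)?;
    let body = rec.get(5..5 + u16_at(rec, 3)? as usize)?;
    if *body.first()? != 1 { return None; }            // msg type: client_hello
    let legacy_version = u16_at(body, 4)?;
    let mut p = 4 + 2 + 32;                            // handshake header, version, random
    p += 1 + *body.get(p)? as usize;                   // legacy_session_id
    p += 2 + u16_at(body, p)? as usize;                // cipher_suites
    p += 1 + *body.get(p)? as usize;                   // legacy_compression_methods
    let exts = body.get(p + 2..p + 2 + u16_at(body, p)? as usize)?;
    let (mut extensions, mut supported_versions, mut q) = (vec![], vec![], 0);
    while q < exts.len() {
        let (ty, len) = (u16_at(exts, q)?, u16_at(exts, q + 2)? as usize);
        let data = exts.get(q + 4..q + 4 + len)?;
        if ty == 43 {                                  // u8 list length, then u16 versions
            for c in data.get(1..1 + *data.first()? as usize)?.chunks_exact(2) {
                supported_versions.push(u16::from_be_bytes([c[0], c[1]]));
            }
        }
        extensions.push(ty);
        q += 4 + len;
    }
    Some(Hello { record_version, legacy_version, extensions, supported_versions })
}
// Constructed sample (not a capture): minimal ClientHello carrying the given extensions.
pub fn sample(exts: &[(u16, Vec<u8>)]) -> Vec<u8> {
    let mut e: Vec<u8> = vec![];
    for (ty, d) in exts {
        e.extend_from_slice(&[&ty.to_be_bytes()[..], &(d.len() as u16).to_be_bytes()[..], &d[..]].concat());
    }
    let fixed = [0u8, 0, 2, 0x13, 0x01, 1, 0]; // empty session id, one suite, null compression
    let ch = [&[3u8, 3][..], &[0u8; 32][..], &fixed[..], &(e.len() as u16).to_be_bytes()[..], &e[..]].concat();
    let n = ch.len() as u16;                   // record header 0x0301, then client_hello header
    [&[22u8, 3, 1][..], &(n + 4).to_be_bytes()[..], &[1u8, 0][..], &n.to_be_bytes()[..], &ch[..]].concat()
}
fn main() {
    let h = inspect(&sample(&[(51, vec![0; 4]), (0xffce, vec![0; 8]), (43, vec![2, 3, 4])])).unwrap();
    println!("record {:#06x} hello {:#06x} exts {:?} versions {:x?}", h.record_version, h.legacy_version, h.extensions, h.supported_versions);
}
```

Running `inspect` over the raw record bytes of two ClientHellos gives a field-by-field comparison of their version fields and extension lists.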