Preflight checklist:
[ ] Read up on changes in OpenSSL 1.1.1 and TLS 1.3
[ ] Specifically investigate how encrypted SNI is handled by the OpenSSL 1.1.1 API.
[ ] Investigate if any other intercepting proxies already handle encrypted SNI, and if so, what approach has been chosen.
Tasks:
[x] Achieve minimal support for TLS 1.3 by supporting normal build against OpenSSL 1.1.1 and latest BoringSSL
[ ] Adapt all SSL/TLS configuration options (like -r, -R, -s, -g, -G etc) to fully work with new TLS 1.3 concepts, add TLS 1.3 examples to documentation where there are differences vs TLS 1.2 (such as cipher suites); disable TLS 1.3 specific code on LibreSSL and old OpenSSL/BoringSSL
[ ] If necessary, adjust our own ClientHello parser to deal with TLS 1.3, including failing gracefully with encrypted SNI (w/any TLS version)
[ ] Test with different SSL libraries and different clients
Out of scope:
208 Handle encrypted SNI
Useful references: