erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

Add an option to disable SNI in the TLS client #239

Closed ravenexp closed 1 month ago

ravenexp commented 1 month ago

Is your feature request related to a problem? Please describe.

Currently, the TLS client leaks the server DNS name in the unencrypted part of the TLS handshake. Not all servers require SNI to be present in the TLS Client Hello message to send the correct server certificate to the client. In such cases, censorship resistance can be improved by not enabling the SNI extension in the client.

Describe the solution you'd like

It is possible to disable sending SNI in rustls like this:

https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#structfield.enable_sni

The --tls-sni-override option could then accept a special argument like none, or a completely new option like --tls-sni-disable could be introduced.

Describe alternatives you've considered

Another option is to use the SNI spoofing, where the user can specify an arbitrary host name to send in the SNI extension field. Currently, this does not work in wstunnel because it immediately breaks the server certificate verification, since the host name passed with --tls-sni-override is also used for the server certificate validation. Ideally, these two host names should be completely decoupled, so that:

wstunnel client --tls-sni-override google.com --tls-verify-certificate wss://other.server.name

will match the server certificate with other.server.name and not with google.com, as it currently does.
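One way to check on the wire whether a client actually omits the extension: an added example in Python, not part of wstunnel or of this issue, that parses a TLS ClientHello record and returns the host names carried in its server_name extension (an empty list means no SNI was sent). The ClientHello bytes are constructed by the second helper for the demonstration, not captured from a real session.

```python
import struct

SNI_EXT = 0  # server_name extension type, RFC 6066

def client_hello_sni(record):
    """Return host names in the SNI extension of a TLS ClientHello record
    (empty list if the extension is absent); ValueError if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:        # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:            # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                    # skip legacy_version + random
    pos += 1 + hello[pos]                           # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                           # compression_methods
    if pos >= len(hello):
        return []                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    names = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        lpos = 2                                    # skip server_name_list length
        while lpos + 3 <= len(data):                # entries: type(1) len(2) name
            ntype, nlen = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if ntype == 0:                          # name_type 0 = host_name
                names.append(data[lpos + 3:lpos + 3 + nlen].decode("ascii"))
            lpos += 3 + nlen
    return names

def build_client_hello(sni=None):
    """Constructed minimal ClientHello (not captured traffic), with or without SNI."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(lst)) + lst
    sv = b"\x02\x03\x04"                            # supported_versions (43): TLS 1.3
    exts += struct.pack("!HH", 43, len(sv)) + sv    # an unrelated extension to skip over
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed the first record of a captured client connection (for example, the bytes of the first packet from the tunnel client) to client_hello_sni; with SNI disabled it should return an empty list.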

erebe commented 1 month ago

Makes sense, will check to add the feature.

erebe commented 1 month ago

You have a new flag in release 9.2.4 --tls-sni-disable that does what you want ;)

https://github.com/erebe/wstunnel/releases/tag/v9.2.4

ravenexp commented 1 month ago

Thank you!