Is your feature request related to a problem? Please describe.
Currently, the TLS client leaks the server DNS name in the unencrypted part of the TLS handshake.
Not all servers require SNI to be present in the TLS Client Hello message to send the correct server certificate to the client.
In such cases, censorship resistance can be improved by not enabling the SNI extension in the client.
Describe the solution you'd like
It is possible to disable sending SNI in rustls like this: https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#structfield.enable_sni
The --tls-sni-override option could then accept a special argument like none, or a completely new option like --tls-sni-disable could be introduced.
Describe alternatives you've considered
Another option is SNI spoofing, where the user can specify an arbitrary host name to send in the SNI extension field.
Currently, this does not work in wstunnel because it immediately breaks the server certificate verification, since
the host name passed with --tls-sni-override is also used for the server certificate validation.
Ideally, these two host names should be completely decoupled, so that the client will match the server certificate with other.server.name and not with google.com, as it currently does.
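Added example, not code from wstunnel or rustls: a minimal TLS ClientHello builder and an SNI extractor in Rust (no external crates) showing what an on-path observer can read from the unencrypted handshake when the SNI is spoofed versus omitted, plus a hypothetical `TlsClientNames` struct that keeps the name sent on the wire separate from the name the server certificate is verified against, which is the decoupling the request describes. The host names google.com and other.server.name are taken from the issue; the cipher suite, random bytes and certificate SAN lists are constructed for the demo.

```rust
// Added example for this issue; not wstunnel or rustls code.
// `TlsClientNames` is a hypothetical struct modelling the requested decoupling:
// `sni: None` stands for a hypothetical --tls-sni-disable, `sni: Some(..)` for
// --tls-sni-override, and `verify_name` is what the certificate must match.
#[derive(Debug, Clone)]
pub struct TlsClientNames {
    pub sni: Option<String>,
    pub verify_name: String,
}

/// Build a TLS 1.2-style ClientHello record. Random bytes and the single
/// cipher suite are placeholders; only the framing and the SNI extension matter.
pub fn build_client_hello(sni: Option<&str>) -> Vec<u8> {
    let mut body = Vec::new();
    body.extend_from_slice(&[0x03, 0x03]);              // client_version TLS 1.2
    body.extend_from_slice(&[0u8; 32]);                 // random (constructed zeros)
    body.push(0);                                       // session_id length 0
    body.extend_from_slice(&[0x00, 0x02, 0x13, 0x01]);  // one suite: TLS_AES_128_GCM_SHA256
    body.extend_from_slice(&[0x01, 0x00]);              // compression: null only

    let mut exts = Vec::new();
    if let Some(name) = sni {
        let n = name.as_bytes();
        let list_len = 3 + n.len();                     // name_type + u16 len + name
        exts.extend_from_slice(&[0x00, 0x00]);          // extension_type server_name
        exts.extend_from_slice(&((list_len + 2) as u16).to_be_bytes());
        exts.extend_from_slice(&(list_len as u16).to_be_bytes());
        exts.push(0);                                   // name_type host_name
        exts.extend_from_slice(&(n.len() as u16).to_be_bytes());
        exts.extend_from_slice(n);
    }
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);

    let mut hs = vec![0x01];                            // handshake type client_hello
    hs.extend_from_slice(&(body.len() as u32).to_be_bytes()[1..]); // u24 length
    hs.extend_from_slice(&body);

    let mut rec = vec![0x16, 0x03, 0x01];               // record: handshake, legacy version
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}

/// Bounds-checked cursor read; None on truncation.
fn rd<'a>(buf: &'a [u8], p: &mut usize, n: usize) -> Option<&'a [u8]> {
    let end = p.checked_add(n)?;
    let s = buf.get(*p..end)?;
    *p = end;
    Some(s)
}

fn u16_at(buf: &[u8], p: &mut usize) -> Option<usize> {
    let b = rd(buf, p, 2)?;
    Some(u16::from_be_bytes([b[0], b[1]]) as usize)
}

/// What a passive observer recovers from the plaintext ClientHello: the
/// host_name in the server_name extension, or None if absent or malformed.
pub fn extract_sni(record: &[u8]) -> Option<String> {
    let mut p = 0;
    if rd(record, &mut p, 1)?[0] != 0x16 { return None; }   // not a handshake record
    p += 2;                                                  // record version
    let rec_len = u16_at(record, &mut p)?;
    let hs = rd(record, &mut p, rec_len)?;
    let mut q = 0;
    if rd(hs, &mut q, 1)?[0] != 0x01 { return None; }        // not a ClientHello
    q += 3 + 2 + 32;                                         // u24 length, version, random
    let sid_len = rd(hs, &mut q, 1)?[0] as usize;
    rd(hs, &mut q, sid_len)?;
    let cs_len = u16_at(hs, &mut q)?;
    rd(hs, &mut q, cs_len)?;
    let comp_len = rd(hs, &mut q, 1)?[0] as usize;
    rd(hs, &mut q, comp_len)?;
    let ext_len = u16_at(hs, &mut q)?;
    let exts = rd(hs, &mut q, ext_len)?;
    let mut e = 0;
    while e < exts.len() {
        let ty = u16_at(exts, &mut e)?;
        let len = u16_at(exts, &mut e)?;
        let data = rd(exts, &mut e, len)?;
        if ty != 0x0000 { continue; }                        // only server_name matters here
        let mut d = 0;
        let list_len = u16_at(data, &mut d)?;
        let list = rd(data, &mut d, list_len)?;
        let mut l = 0;
        while l < list.len() {
            let name_type = rd(list, &mut l, 1)?[0];
            let name_len = u16_at(list, &mut l)?;
            let name = rd(list, &mut l, name_len)?;
            if name_type == 0 { return String::from_utf8(name.to_vec()).ok(); }
        }
    }
    None
}

/// Certificate check driven by `verify_name` only; the SNI value never
/// participates, so a spoofed or absent SNI cannot break verification.
pub fn cert_matches(names: &TlsClientNames, cert_dns_names: &[&str]) -> bool {
    let want = names.verify_name.to_ascii_lowercase();
    cert_dns_names.iter().any(|san| {
        let san = san.to_ascii_lowercase();
        match san.strip_prefix("*.") {
            // single-label wildcard: exactly one label in front of the suffix
            Some(suffix) => match want.strip_suffix(suffix) {
                Some(head) => head.len() > 1 && head.ends_with('.') && head.matches('.').count() == 1,
                None => false,
            },
            None => san == want,
        }
    })
}

fn main() {
    let spoofed = TlsClientNames { sni: Some("google.com".into()), verify_name: "other.server.name".into() };
    let silent = TlsClientNames { sni: None, verify_name: "other.server.name".into() };
    for n in [&spoofed, &silent] {
        let hello = build_client_hello(n.sni.as_deref());
        println!("observer sees SNI {:?}; client verifies cert against {}", extract_sni(&hello), n.verify_name);
    }
}
```

Running it prints `Some("google.com")` for the spoofed configuration and `None` for the silent one, while `cert_matches` accepts a certificate for other.server.name in both cases and rejects one for google.com; that is the behaviour a separate verification name would give, in contrast to the current coupling described in the issue.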