tlswg / draft-ietf-tls-esni

TLS Encrypted Client Hello
https://tlswg.github.io/draft-ietf-tls-esni/#go.draft-ietf-tls-esni.html

How to get the server_name fields of OuterClientHello #546

Closed LiFulian closed 12 months ago

LiFulian commented 1 year ago

How does the client get the SNI field that is visible in the OuterClientHello? Is it through DNS? Could you describe it in detail? Thank you very much!

Lekensteyn commented 1 year ago

To get the SNI field in the OuterClientHello, follow the steps in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni#section-6.1

In particular

  1. The value of ECHConfig.contents.public_name MUST be placed in the "server_name" extension.

This "ECHConfig" is shared out-of-band. One of the potential mechanisms is indeed DNS, through the HTTPS RR:

3.2. Encrypted ClientHello (ECH)

A client-facing server enables ECH by publishing an ECH configuration, which is an encryption public key and associated metadata. The server must publish this for all the domains it serves via Shared or Split Mode. This document defines the ECH configuration's format, but delegates DNS publication details to [HTTPS-RR]. Other delivery mechanisms are also possible. For example, the client may have the ECH configuration preconfigured.
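
As an added illustration of the two steps above (this is example code written for this page, not code from the issue participants, the draft, or the tlswg repository): parse an ECHConfigList as it would arrive in the `ech` SvcParam of an HTTPS RR, pick the first config of a version the client understands, and place its `public_name` into a `server_name` extension for the outer ClientHello. The wire format follows the draft's ECHConfig version 0xfe0d; the ECHConfigList, the placeholder key bytes, the name `public.example`, and the function names are all constructed for this example. Fetching the HTTPS RR itself is omitted so the script runs offline.

```python
"""Parse an ECHConfigList (the 'ech' SvcParam value of an HTTPS RR) and
derive the outer ClientHello server_name from ECHConfig.contents.public_name.
Wire format per draft-ietf-tls-esni, ECHConfig version 0xfe0d. The sample
list and its key bytes are constructed for this example, not a real key."""
import base64
import struct

ECH_VERSION = 0xFE0D   # the ECHConfig.version this parser understands
EXT_SERVER_NAME = 0    # TLS ExtensionType "server_name"
NAME_TYPE_HOST = 0     # ServerName.name_type host_name


def _vec(buf, pos, len_bytes):
    """Read a length-prefixed TLS vector at pos; return (contents, next_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def _parse_contents(c):
    """Parse ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    pos = 0
    config_id = c[pos]; pos += 1
    kem_id = int.from_bytes(c[pos:pos + 2], "big"); pos += 2
    public_key, pos = _vec(c, pos, 2)
    suites_raw, pos = _vec(c, pos, 2)
    if len(suites_raw) < 4 or len(suites_raw) % 4:
        raise ValueError("cipher_suites must be a non-empty list of (kdf_id, aead_id)")
    suites = [struct.unpack("!HH", suites_raw[i:i + 4]) for i in range(0, len(suites_raw), 4)]
    max_name_len = c[pos]; pos += 1
    name_raw, pos = _vec(c, pos, 1)
    if not name_raw:
        raise ValueError("public_name must be non-empty")
    ext_raw, pos = _vec(c, pos, 2)
    if pos != len(c):
        raise ValueError("trailing bytes in ECHConfigContents")
    # Extensions with the high bit set are mandatory: a client that does not
    # understand one must not use the config. This parser understands none.
    epos = 0
    while epos < len(ext_raw):
        ext_type = int.from_bytes(ext_raw[epos:epos + 2], "big")
        _, epos = _vec(ext_raw, epos + 2, 2)
        if ext_type & 0x8000:
            raise ValueError("unsupported mandatory ECHConfig extension 0x%04x" % ext_type)
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": name_raw.decode("ascii")}


def parse_ech_config_list(data):
    """Parse an ECHConfigList; configs of unknown version are skipped by length."""
    body, end = _vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated ECHConfig")
        version = int.from_bytes(body[pos:pos + 2], "big")
        contents, pos = _vec(body, pos + 2, 2)
        if version == ECH_VERSION:
            configs.append(_parse_contents(contents))
    return configs


def server_name_extension(host_name):
    """Encode a TLS server_name extension: type, length, ServerNameList."""
    host = host_name.encode("ascii")
    entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list


def outer_sni_from_ech_svcparam(ech_b64):
    """Decode the base64 'ech' SvcParam value, take the first usable config,
    and return (public_name, outer server_name extension bytes)."""
    configs = parse_ech_config_list(base64.b64decode(ech_b64))
    if not configs:
        raise ValueError("no ECHConfig of a supported version")
    name = configs[0]["public_name"]
    return name, server_name_extension(name)


def _build_sample_list():
    """Constructed ECHConfigList: one 0xfe0d config plus one of an unknown
    version, so the skip-by-length path is exercised."""
    key_config = (bytes([7]) + struct.pack("!H", 0x0020)              # config_id, DHKEM(X25519)
                  + struct.pack("!H", 32) + bytes(range(32))           # placeholder public_key
                  + struct.pack("!H", 4) + struct.pack("!HH", 1, 1))   # HKDF-SHA256, AES-128-GCM
    name = b"public.example"
    contents = key_config + bytes([64]) + bytes([len(name)]) + name + struct.pack("!H", 0)
    known = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    unknown = struct.pack("!HH", 0xFE0C, 3) + b"\x01\x02\x03"
    body = known + unknown
    return struct.pack("!H", len(body)) + body


SAMPLE_ECH_B64 = base64.b64encode(_build_sample_list()).decode("ascii")

if __name__ == "__main__":
    name, ext = outer_sni_from_ech_svcparam(SAMPLE_ECH_B64)
    print("outer SNI:", name)
    print("server_name extension:", ext.hex())
```

The inner ClientHello still carries the real origin in its own `server_name`; only the `public_name` from the config, not anything the client chooses, goes into the outer one, and a config that cannot be parsed or carries an unknown mandatory extension is rejected rather than used.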

chris-wood commented 12 months ago

Closing as resolved based on @Lekensteyn's comment. Please let us know if this is still unclear!