TLS 1.3 secure/encrypted SNI extension support #1942
Comments
|
The reviewer can still obtain the domain through tls credentials. |
Did you mean through tls errors and verbose? I think you can suppress them. |
|
In the TLSv1.3 Server Hello, isn't everything after "Change Cipher Spec" (including the certificate) encrypted? In any case, I believe the GFW started blocking TLSv1.3 ESNI back in 2020. |
ESNI对中国的GFW来说,行为特征明显。可以针对性封杀。
|
|
揭示和规避中国对加密SNI(ESNI)的封锁 SNI 阻断与解决方案 — Steemit |
|
Dears @RPRX @yuhan6665 @hossinasaadi @sambali9 @rrouzbeh, Right now the Fragmentation+MUX feature of Xray-core and ECH+MUX feature of sing-box works great with Cloudflare in Iran. No more SNI blocking plus even with some blocked/throttled CF IPs work too for the time being. |
We have already mentioned that ECH can be easily detected, and once this small trick is widely used, it is no longer effective. Playing cat and mouse games with GFW is not what we want to do. |
|
I have tried to implement it in #3253 |
Hi dear @RPRX ,
Is it possible for you to add secure/encrypted SNI extension support for TLS 1.3? Cloudflare has already supported it. This is the ultimate solution against active prober sub/domain and SNI filtering.
The text was updated successfully, but these errors were encountered: