Make ESNI TLS 1.2 compatible

[kontaxis]

ESNI seems to rely on TLS 1.3 KeyShareEntry which makes it incompatible with TLS 1.2.

That's unfortunate with that "The protocol designed in this document is quite straightforward."

The gist of ESNI comes down to "encrypted_server_name extension, which contains the true extension encrypted under the provider’s public key."

That seems pretty generic and backwards compatible.

[chris-wood]

To prevent cut-and-paste attacks, you need to bind ESNI to the CH. That means we’d need 1.2 clients to send a key share in the CH to use when deriving encryption keying material, and that’s not currently done.

[ghedo]

Since TLS 1.2 sends the server certificate in plaintext it seems like ESNI wouldn't be particularly useful there anyway, no?

[kontaxis]

Indeed. I guess someone could argue about wildcard certificates or when multiple names are present but the names are usually related so I agree there’s no significant benefit from encrypting the SNI.