TLS ESNI and HelloRetryRequest in Firefox 64, Firefox Nightly

Alexander Venedioukhin (lists)
Hello,

I'm implementing ESNI (encrypted SNI, current draft 02) server-side.
It works with Firefox 64.0 and Nightly 66.0a1 as expected, until the
server sends HelloRetryRequest during the handshake. In the latter case
Firefox responds with a plain text SNI extension (same hostname) in
the second ClientHello, instead of ESNI. Still, the handshake successfully
finishes. Is it intended behavior?

Alexander Venedioukhin
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
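
A server-side check for the behaviour reported above, as an added example that is not part of the original post and is not Firefox or NSS code: it lists the extension types in the first and second ClientHello and reports when ESNI was replaced by plaintext SNI after a HelloRetryRequest. It assumes the draft-02 codepoint 0xffce for encrypted_server_name; the function names and the sample messages are constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0x0000   # plaintext SNI extension (RFC 6066)
EXT_ESNI = 0xFFCE          # encrypted_server_name codepoint assumed for ESNI draft 02

def extension_types(msg: bytes) -> set:
    """Extension types of a ClientHello handshake message (no record header)."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                                          # legacy_version, random
        pos += 1 + body[pos]                                  # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        types = set()
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            types.add(ext_type)
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    if pos != end or end > len(body):
        raise ValueError("malformed extensions block")
    return types

def sni_exposed_after_hrr(ch1: bytes, ch2: bytes) -> bool:
    """True if ch1 carried only ESNI but ch2 (sent after HRR) carries plaintext SNI."""
    first, second = extension_types(ch1), extension_types(ch2)
    return EXT_ESNI in first and EXT_SERVER_NAME not in first and EXT_SERVER_NAME in second

def build_client_hello(extensions) -> bytes:
    """Constructed minimal ClientHello for the demo; not a capture from Firefox."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

name = b"example.com"      # constructed hostname
SNI_DATA = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
ESNI_DATA = bytes(16)      # opaque placeholder, not a valid ESNI payload
CH1 = build_client_hello([(EXT_ESNI, ESNI_DATA)])
CH2_PLAIN = build_client_hello([(EXT_SERVER_NAME, SNI_DATA)])
CH2_ESNI = build_client_hello([(EXT_ESNI, ESNI_DATA)])

if __name__ == "__main__":
    print("plaintext SNI after HRR:", sni_exposed_after_hrr(CH1, CH2_PLAIN))
    print("ESNI kept after HRR:   ", not sni_exposed_after_hrr(CH1, CH2_ESNI))
```

A server can run such a check on the second ClientHello and log or abort the handshake when it returns true, so the fallback does not go unnoticed.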

Re: TLS ESNI and HelloRetryRequest in Firefox 64, Firefox Nightly

Hubert Kario
On Thursday, 3 January 2019 11:45:25 CET Alexander Venedioukhin (lists) wrote:
> Hello,
>
> I'm implementing ESNI (encrypted SNI, current draft 02) server-side.
> It works with Firefox 64.0 and Nightly 66.0a1 as expected, until the
> server sends HelloRetryRequest during the handshake. In the latter case
> Firefox responds with a plain text SNI extension (same hostname) in
> the second ClientHello, instead of ESNI. Still, the handshake successfully
> finishes. Is it intended behavior?

that sounds to me like a question to the IETF TLS mailing list

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: TLS ESNI and HelloRetryRequest in Firefox 64, Firefox Nightly

sjw
Is this already implemented?
[1] is not yet fixed and [2] does not work for me with current Nightly.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1494901
[2] https://www.cloudflare.com/ssl/encrypted-sni/


On 04.01.19 at 17:13, Hubert Kario wrote:

> On Thursday, 3 January 2019 11:45:25 CET Alexander Venedioukhin (lists) wrote:
>> Hello,
>>
>> I'm implementing ESNI (encrypted SNI, current draft 02) server-side.
>> It works with Firefox 64.0 and Nightly 66.0a1 as expected, until the
>> server sends HelloRetryRequest during the handshake. In the latter case
>> Firefox responds with a plain text SNI extension (same hostname) in
>> the second ClientHello, instead of ESNI. Still, the handshake successfully
>> finishes. Is it intended behavior?
>
> that sounds to me like a question to the IETF TLS mailing list
>
>

Re: TLS ESNI and HelloRetryRequest in Firefox 64, Firefox Nightly

Alexander Venedioukhin (lists)
On Fri, Jan 4, 2019 at 7:47 PM <[hidden email]> wrote:
> Is this already implemented?

Yes, it works in current Firefox 64 and Nightly, but you have to
manually activate ESNI and DNS-over-HTTPS in about:config.

> [1] is not yet fixed and [2] does not work for me with current Nightly.
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1494901
> [2] https://www.cloudflare.com/ssl/encrypted-sni/
>

Alexander Venedioukhin