On 07/18/2018 09:12 AM, joseph wrote:
> Encrypted SNI completely kills SSL Bump, and all will follow that new SNI
> Encryption.
> Is there a hope that someone starts reworking, adding this option to Squid?
>
> https://appuals.com/apple-cloudflare-fastly-and-mozilla-devise-solution-to-encrypting-sni/

I do not understand your question, but I hope that the following info may be useful in this context.

The pictures in that article do not show encrypted SNI. They seem to show a standard TLS v1.3 exchange where SNI is not encrypted but the server certificate is. The article text is not technical/accurate enough to tell us what exactly is being implemented.

The following draft could be a better source for eSNI information, but it is far from its final stages, documenting two alternative implementations, one of which will eventually be removed:

https://tools.ietf.org/html/draft-ietf-tls-sni-encryption

If you have better sources of information about eSNI, please post them.

FWIW, my prediction is that plain SNI will still be available, but it will become useless for avoiding bumping specific services. Both solutions in the above draft rely on a "fronting service" that can be reached using a "generic" bigc.example.com SNI (common to many services offered by the Big Corporation).

We have started analyzing TLS v1.3 requirements as they apply to Squid, but I am not aware of any specific work dealing with any of the proposed eSNI techniques.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
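Added example, not part of the thread above and not Squid code: a small parser for the cleartext part of a TLS ClientHello, which is all a bumping proxy (Squid's ssl_bump peek step included) can see before any key exchange. It shows the point Alex makes: in a standard TLS v1.3 hello the server_name extension is still plaintext even though the certificate that follows is encrypted, and with a "fronting service" the only name a proxy would read is the generic one (here the draft's bigc.example.com). The ClientHello bytes are constructed inline, and the builder and record layout are hypothetical minimal forms, not an exact reproduction of any client.

```python
import struct

# IANA extension types used below
SERVER_NAME_EXT = 0
SUPPORTED_VERSIONS_EXT = 43


def build_client_hello(sni: str, versions=(0x0304, 0x0303)) -> bytes:
    """Constructed (hypothetical, minimal) TLS ClientHello record carrying an
    SNI extension and a supported_versions extension that offers TLS 1.3."""
    host = sni.encode("ascii")
    # ServerNameList: one entry, name_type host_name(0) + 2-byte length + name
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni_ext_body)) + sni_ext_body
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_body = bytes([len(vers)]) + vers
    sv_ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv_body)) + sv_body
    exts = sni_ext + sv_ext
    body = (
        b"\x03\x03"             # legacy_version = TLS 1.2 (TLS 1.3 is signalled in supported_versions)
        + b"\x11" * 32          # client random (constructed, fixed bytes)
        + b"\x00"               # legacy_session_id: empty
        + b"\x00\x02\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # legacy_compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def peek_client_hello(record: bytes) -> dict:
    """Parse only what is readable in cleartext: the SNI host name and the
    offered protocol versions. No key material is involved at this point."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # legacy_compression_methods

    result = {"sni": None, "supported_versions": []}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == SERVER_NAME_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:                 # host_name
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == SUPPORTED_VERSIONS_EXT:
            n = data[0]
            result["supported_versions"] = [
                struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)
            ]
    return result


if __name__ == "__main__":
    # A client talking to the draft's generic fronting name: the proxy sees
    # bigc.example.com and a TLS 1.3 offer, and nothing about the real service.
    hello = build_client_hello("bigc.example.com")
    print(peek_client_hello(hello))
```

The parser deliberately stops at the extensions: everything after the ClientHello in a TLS 1.3 handshake (the certificate in particular) is encrypted, so a proxy that needs the real origin name, rather than the fronting name, has nothing further to read once the SNI is generic.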