
SNI is not being sent #241

Open
conblem opened this issue Apr 13, 2020 · 8 comments
Comments

@conblem

conblem commented Apr 13, 2020

I have Stubby configured like this on Windows 10

upstream_recursive_servers:
- address_data: 45.90.28.220
  tls_auth_name: "xxxx.dns.nextdns.io"
- address_data: 45.90.30.220
  tls_auth_name: "xxxx.dns.nextdns.io"

When I inspect the TLS Client Hello there is no SNI extension.

[Screenshots attached in the original issue: TLS Payload, Request Overview]

I'm using nextdns.io, which needs the SNI extension to identify devices.
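The check conblem did in Wireshark can be reproduced offline with Python's standard ssl module: drive a TLS client through memory BIOs until it emits its ClientHello, then parse the record for the server_name extension. This is an added illustration, not code from Stubby or from this thread; "resolver.example.net" is a constructed placeholder standing in for the tls_auth_name.

```python
import ssl
import struct


def client_hello_bytes(server_hostname):
    """Emit a ClientHello via memory BIOs (no network) and return the raw record."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        ctx.check_hostname = False  # no name to verify, and none to put in SNI
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for the server
    return outgoing.read()


def extract_sni(record):
    """Return the host_name from the server_name extension (type 0), or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                # legacy session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    if pos + 2 > len(record):
        return None                       # no extensions block at all
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                 # server_name: ServerNameList
            p = pos + 2                   # skip 2-byte list length
            while p + 3 <= pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack_from("!H", record, p + 1)[0]
                p += 3
                if name_type == 0:        # host_name entry
                    return record[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


if __name__ == "__main__":
    # "resolver.example.net" is a constructed placeholder for the tls_auth_name.
    print("with hostname:   ", extract_sni(client_hello_bytes("resolver.example.net")))
    print("without hostname:", extract_sni(client_hello_bytes(None)))
```

Run against a capture instead by feeding `extract_sni` the raw bytes of the first TLS record on the DoT connection; a `None` result is the symptom described in this issue.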

@DanielSpindler83

I too have the same issue, also using NextDNS.
I see that the Stubby webpage references use of openssl version 1.0.2s in version 0.3.0.6:
https://dnsprivacy.org/wiki/display/DP/Windows+installer+for+Stubby

However, in the readme of version 0.3.0.6 it mentions openssl version 1.1.1b.

Can someone confirm the openssl version in use?

We see in conblem's Wireshark capture that TLS 1.2 is in use; if we were using openssl 1.1.1, TLS 1.3 should be available and used?

NOTE - NextDNS only supports use of openssl 1.1.1 or above

@wtoorop
Contributor

wtoorop commented Apr 17, 2020

Ok, I'll create a SNI switch for upstreams that need it.
For the ones that don't, I'd rather not have that enabled since it leaks privacy-sensitive info, and ESNI is not for DoT unfortunately.

@conblem
Author

conblem commented Apr 21, 2020

@wtoorop thanks, where can we find it? I guess this would be a case for DoH, where you can just pass parameters as URL query parts, because ESNI would not work for DoT.

@wtoorop
Contributor

wtoorop commented Apr 22, 2020

@conblem Sorry, haven't gotten to this yet, but I intend to implement it this coming Friday.

@conblem
Author

conblem commented Apr 22, 2020

@wtoorop woops my bad

@wtoorop
Contributor

wtoorop commented Apr 23, 2020

@conblem Hey, NP! It's nice to get a feel for the interest in a thing and also good to be reminded of something you

@wtoorop wtoorop closed this as completed Apr 23, 2020
@wtoorop wtoorop reopened this Apr 23, 2020
@wtoorop wtoorop self-assigned this Apr 24, 2020
@wtoorop wtoorop pinned this issue Apr 24, 2020
@wtoorop
Contributor

wtoorop commented May 1, 2020

@conblem @DanielSpindler83 I could not reproduce with the default build on my system. I see SNI being sent with TLS 1.3 but also with TLS 1.2. This was with OpenSSL 1.1.1c. Could you run `stubby -i` for me so I can see which version of OpenSSL (or GnuTLS) it is linked against? Thanks!

@wtoorop
Contributor

wtoorop commented May 1, 2020

Strangely, I do have trouble with builds linked against GnuTLS. It appears authentication is always required, and also for NextDNS I need to restrict the maximum TLS version to 1.2. However, despite these settings, SNI was sent on all occasions.
