Firefox 68.0 esni (encrypted sni) error

I use Firefox 68.0 with the “network.security.esni.enabled” about:config flag enabled. I pass the tests in “https://www.cloudflare.com/ssl/encrypted-sni/” (except Secure DNS, because I use nextdns.io instead of 1.1.1.1; it also supports DoH) and sometimes when I visit sites which support ESNI (all TLS 1.3 Cloudflare sites) I see the error “SSL_ERROR_MISSING_ESNI_EXTENSION” and have to refresh to enter the site. Any help or idea why this happens?


Google turns up this result (disabling their local anti-virus fixed it):

I don’t use any anti-virus software or Windows Defender etc. I am running GNU/Linux. I am really interested in the root cause of this problem. Is this a problem with Cloudflare not supporting any other DoH DNS with ESNI or a problem in Firefox or a problem with nextdns? :thinking:

I first contacted nextdns about it, thought it was a problem with DNS, then I noticed that it has something to do with ESNI because it only happens on sites which use TLS 1.3 and Cloudflare (AFAIK Cloudflare is still the only ESNI provider).

So I can say it has nothing to do with nextdns. It's either a problem if someone uses another DoH-supporting DNS other than 1.1.1.1, or a problem in Firefox, not sure. I will switch to 1.1.1.1 and see if I have problems.

Edit: I also see it with 1.1.1.1

Hello,

I do have the same issue, I also reported it to Mozilla in order to check from their side.
I have Firefox version 68.0 and I activated DoH and ESNI from “about:config” in Firefox.

Here are the changes that I did:

network.trr.mode;3
network.trr.bootstrapAddress;1.1.1.1
network.trr.uri;https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled;true

With those settings, some websites are working fine, no problem at all, but some others are issuing this error message: SSL_ERROR_MISSING_ESNI_EXTENSION
And in order for me to get access to this website I have to set the value of “network.security.esni.enabled” to “false”.

Can you please investigate if that is a problem from your side (Cloudflare) or maybe Mozilla?
I do have this error occurring when visiting this site for example: https://www.frandroid.com/

Thanks in advance for your help!


Great, after some thinking :thinking: I realized that I started to see it after I upgraded to Firefox 68.0. I also created a new Firefox profile and the same happened. Looks like a problem in Firefox. Will also play with Firefox Nightly and see if I have this problem over there. @Snoobz can you share the link where you reported it to Mozilla?

Hello,

Here is the link to the BugZilla website where I reported that issue @firefoxesni
Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1566175

I hope that I reported it in the correct section…


Go figure…this just bit me. Rocket Loader from ajax.Cloudflare.com wouldn’t load due to this.

Update: And if that isn’t confusing enough, I don’t get this error on a different site using Rocket Loader.

Some more info:

I was wrong about nextdns. It mostly happens when I use nextdns, rarely happens when I use 1.1.1.1; currently I am using blahdns.com and never saw it again. So it is probably a DNS provider problem. I did not have these errors before Firefox 68.0, so maybe a change was also made to the browser. I really don't know. Since we are on the Cloudflare forum I would like some information about 1.1.1.1, whether it has some problem or not. Otherwise there is no need to discuss other services or Firefox here. @Snoobz can you also try to use blahdns and report back?

network.trr.mode;3
network.trr.bootstrapAddress;159.69.198.101
network.trr.uri;https://doh-de.blahdns.com/dns-query
network.security.esni.enabled;true


@firefoxesni Hello,

So I tried your settings and it does the same exact error.

There were some mistakes in your example:

network.trr.mode;3
network.trr.bootstrapAddress; 9.9.9.9 or 1.0.0.1 or 8.8.8.8
network.trr.uri;https://doh-de.blahdns.com/dns-query
network.security.esni.enabled;true

Cuz network.trr.bootstrapAddress will use this DNS IP to do the first-time resolve of https://doh-de.blahdns.com and get to know this DoH is pointing to IP 159.69.198.101.
Second, blahdns.com won't support plain-text UDP 53 DNS, so it doesn't make sense to put IP 159.69.198.101 as network.trr.bootstrapAddress.

Reference

  1. https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/ ( network.trr.bootstrapAddress)
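As an added illustration of the bootstrap mechanism described in the reply above (example code written for this thread, not code from Firefox or from any poster), this Python snippet does what network.trr.bootstrapAddress is for: a plain UDP/53 lookup of the DoH server's hostname, with a constructed sample answer so the parser can be checked offline. The hostname and IP are the ones quoted in the thread; nothing talks to the network unless plain_dns() is called.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0):
    # RFC 1035 wire-format query, RD set, one question (qtype 1 = A).
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(msg, pos):
    # A name is either a compression pointer (0xC0xx) or labels ending in 0x00.
    if msg[pos] & 0xC0 == 0xC0:
        return pos + 2
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg):
    # IPv4 addresses from the answer section; [] if RCODE != 0 (e.g. REFUSED).
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):  # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def plain_dns(bootstrap_ip, name, timeout=2.0):
    # The bootstrap step: a plain UDP/53 query to network.trr.bootstrapAddress
    # for the DoH host's A record. A bootstrap that does not serve plain DNS
    # (the mistake discussed above) just times out here. Needs network access.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=0x1234), (bootstrap_ip, 53))
        return parse_a_records(s.recv(512))

# Constructed sample answer for "doh-de.blahdns.com A": response header,
# echoed question, one A record whose owner name is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("doh-de.blahdns.com")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + socket.inet_aton("159.69.198.101"))
```

Calling plain_dns("9.9.9.9", "doh-de.blahdns.com") reproduces the working bootstrap from the corrected settings, while the same call against 159.69.198.101 raises socket.timeout, which is the practical check for a bad bootstrapAddress.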
