How to enable encrypted sni from cloudflare cdn to source server

What is the name of the domain?

api.crackme.net

What is the issue you’re encountering

Cloudflare CDN to source server: SNI encryption is not enabled.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

As shown in the figure, 172.69.33.170 is Cloudflare's CDN server. When it requests the source server, the SNI is transmitted in plaintext. How do I enable encrypted SNI?

Screenshot of the error

I don’t know if Cloudflare does ESNI to the origin, I guess not - there’s no specific option to require it. It would likely need TLSv1.3 and support at your origin.

Instead use a Cloudflare tunnel to pass all the data between Cloudflare and your origin.


I wonder if Encrypted Client Hello would do the trick. (Good-bye ESNI, hello ECH!).

It is available under SSL/TLS → Edge Settings → Encrypted Client Hello.

ECH works between the client and the Cloudflare edge (in place of ESNI which seems to have some issues), the OP wants to hide the SNI between Cloudflare and the origin which I don’t think is yet available (other than using a tunnel).

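To verify for yourself what the thread describes (whether a captured edge-to-origin ClientHello carries a plaintext server_name extension or an ECH extension), here is an added Python example that is not from the thread or from Cloudflare. It parses only the ClientHello extension list; the ECH codepoint 0xfe0d is the draft-ietf-tls-esni value, and the sample records are constructed inline rather than taken from a real capture.

```python
import struct

SNI_EXT = 0x0000   # server_name (RFC 6066): hostname travels in plaintext
ECH_EXT = 0xfe0d   # encrypted_client_hello (draft-ietf-tls-esni codepoint)

def parse_client_hello_extensions(record: bytes) -> dict:
    """Walk a TLS handshake record holding a ClientHello; return {ext_type: ext_data}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return {}                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def plaintext_sni(exts: dict):
    """Hostname from the server_name extension, or None if absent."""
    data = exts.get(SNI_EXT)
    pos = 2                                        # skip ServerNameList length
    while data and pos + 3 <= len(data):
        ntype, nlen = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
        if ntype == 0:                             # host_name entry
            return data[pos + 3:pos + 3 + nlen].decode("ascii")
        pos += 3 + nlen
    return None

def classify(record: bytes) -> str:
    """Label a ClientHello as plaintext SNI, ECH, or neither (what the OP's capture shows)."""
    exts = parse_client_hello_extensions(record)
    host = plaintext_sni(exts)
    if ECH_EXT in exts:
        return "ech-only" if host is None else f"ech-with-outer-sni:{host}"
    return f"plaintext-sni:{host}" if host else "no-sni"

def build_client_hello(extensions: list) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello record for testing (not a real capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_ext(host: str) -> bytes:
    """Encode a server_name extension body for the constructed ClientHello."""
    entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
    return struct.pack("!H", len(entry)) + entry
```

Feed `classify()` the raw bytes of the first record in a capture of the edge-to-origin connection; a result starting with `plaintext-sni:` confirms what the OP's screenshot shows.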
