Is there any way to support ESNI from server?

Hi! I’m new to Cloudflare DNS. I saw that Cloudflare DNS supports the ESNI record, so I moved my nameserver to Cloudflare. I first looked at the settings on the Cloudflare homepage, but I couldn’t see any settings about ESNI. How can I use ESNI in Cloudflare?
And is there any maintained server that supports ESNI? ESNI is still a draft, and I saw that commonly used web servers like Apache and Nginx use OpenSSL, which doesn’t support ESNI, so they can’t set up ESNI. There are several servers that support ESNI already; how do they support ESNI?

By having implemented it?!
I am not sure about the question. How can you make sure Cloudflare uses ESNI on the edge/origin connection?

I somewhat doubt Cloudflare would be using ESNI for that at all right now. Heck, they probably can’t even use DoH/T for now. Both protocols are for the time being very much limited to the user connection.

Your question seems to be pretty well addressed at ssl - How can I set up Encrypted SNI on my own servers? - Server Fault


I saw that article before, but it didn’t help me to support ESNI. I found additional information that PicoTLS and BoringSSL support ESNI, and Nginx can use BoringSSL. Now there is one problem: how to set up the DNS server to distribute my public key. Is that possible with Cloudflare?

That is a question best asked at StackExchange, as that is not really Cloudflare related but specific to some third party software.

But again, your question is not clear. What is it you want to know? How to use ESNI on aforementioned connection? I already answered that earlier.

My question is that I know that Cloudflare’s DoH service distributes the server public key for the ESNI connection. How can I upload my public key (maybe my X.509 certificate) to Cloudflare? There’s an option to upload a custom certificate in Cloudflare’s DNS settings. If I upload my certificate to Cloudflare, does Cloudflare distribute my public key when a user asks for my server’s IP address through DoH with the ESNI extension to Cloudflare?

So your question is not which software supports ESNI, but how to get Cloudflare to connect to your origin using ESNI?

I somehow doubt that is supported at all right now, not only because it is just a draft for now but also because of the lack of mainstream support. It probably is best to clarify this via support, just open a ticket.

That is my question, correctly. I thought there were several servers that already support ESNI connections, so I was wondering how they support ESNI connections. I used Firefox when I connected with ESNI and I used DoH (https://mozilla.cloudflare-dns.com/dns-query), so I was wondering how I could add my public key to Cloudflare DNS.

As mentioned before, it is best to clarify this via a support ticket at https://support.cloudflare.com/requests/new. Post back here when you got an answer :slight_smile:

Thank you for your feedback. You are really nice :smile:

I finally support ESNI on my server! If someone wants to support ESNI on their server, they don’t need to do anything to their server. I asked Cloudflare several times and they answered me to change the nameserver to Cloudflare (they answered me to change to another nameserver, ns3 ~ ns7.cloudflare.com, but the basic nameserver for authorization worked well) and use the proxy. The client makes its request to Cloudflare’s proxy with ESNI, and the Cloudflare proxy relays that request without ESNI. Thank you for helping me so much :smile:

But that is not ESNI related, you always need to change nameservers.

Not sure about this. You need your account specific nameservers. AFAIK the “ns” ones might be just internal ones.

The proxies do support ESNI, but that was not your question, was it? You wanted ESNI to be used between Cloudflare and the origin, right? Is this what is happening now? Did Cloudflare confirm they are using ESNI if the origin supports it?

I was wondering how servers support ESNI connections even though ESNI is only a draft yet. I didn’t know they were using Cloudflare’s proxy, and I wanted to support ESNI like other servers. So you understood my question correctly. But before I supported ESNI from my origin server, I found that Cloudflare’s proxy supports ESNI without any settings. My server supports ESNI now, but I keep looking for how to upload my public key to the DNS server and support ESNI from my origin server, not Cloudflare’s DNS. I don’t know how to upload my public key (used for the ESNI record), but now I know that PicoTLS (Cloudflare) and BoringSSL support TLS 1.3 and ESNI. And Nginx can use BoringSSL to make HTTPS connections. When I find out how to upload my own ESNI record (or public key?) to DNS, I will comment here.
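The record the poster is asking about (here and in the earlier "upload my public key (maybe my X.509 certificate)" post) is defined by the draft itself, so it helps to look at what it actually contains. The ESNI draft that Firefox and Cloudflare deployed at the time of this thread, draft-ietf-tls-esni-02, publishes a TXT record at `_esni.<host>` whose value is the base64 encoding of an `ESNIKeys` structure: a version, a 4-byte checksum, one or more key shares (an X25519 public key, not a certificate), the cipher suites the server accepts, the padding length for the encrypted name, and a validity window. The script below is an added example, not code from this thread, from Cloudflare, or from any server project: it builds such a record from a constructed placeholder key, decodes it again, verifies the checksum, and checks the validity window. The function names (`build_esni_keys`, `txt_value`, `parse_esni_keys`, `checksum_ok`) are chosen here; the field layout follows the draft.

```python
import base64
import hashlib
import struct
import time

# Constants from draft-ietf-tls-esni-02.
ESNI_DRAFT02_VERSION = 0xFF01
GROUP_X25519 = 0x001D            # TLS NamedGroup x25519
TLS_AES_128_GCM_SHA256 = 0x1301  # TLS 1.3 cipher suite
CHECKSUM_LEN = 4


def build_esni_keys(pubkey, not_before, not_after, padded_length=260):
    """Serialise a draft-02 ESNIKeys structure with a correct checksum.

    Constructed for this example: in a real deployment the server's ESNI key
    tooling emits this blob and the operator publishes it in the _esni TXT record.
    """
    key_share = struct.pack("!HH", GROUP_X25519, len(pubkey)) + pubkey
    body = (
        struct.pack("!H", len(key_share)) + key_share      # keys<4..2^16-1>
        + struct.pack("!HH", 2, TLS_AES_128_GCM_SHA256)    # cipher_suites<2..2^16-2>
        + struct.pack("!H", padded_length)                 # padded_length
        + struct.pack("!QQ", not_before, not_after)        # validity window, unix seconds
        + struct.pack("!H", 0)                             # extensions<0..2^16-1>: none
    )
    header = struct.pack("!H", ESNI_DRAFT02_VERSION)
    # checksum = first 4 bytes of SHA-256 over the structure with the checksum zeroed
    checksum = hashlib.sha256(header + bytes(CHECKSUM_LEN) + body).digest()[:CHECKSUM_LEN]
    return header + checksum + body


def txt_value(pubkey, not_before, not_after):
    """The string that goes into the _esni.<host> TXT record."""
    return base64.b64encode(build_esni_keys(pubkey, not_before, not_after)).decode()


def parse_esni_keys(record_b64, now=None):
    """Decode and validate a base64 ESNIKeys TXT value; raises ValueError if malformed."""
    raw = base64.b64decode(record_b64)
    if len(raw) < 2 + CHECKSUM_LEN:
        raise ValueError("record too short")
    (version,) = struct.unpack_from("!H", raw, 0)
    if version != ESNI_DRAFT02_VERSION:
        raise ValueError("unsupported ESNIKeys version 0x%04x" % version)
    checksum = raw[2:2 + CHECKSUM_LEN]
    expected = hashlib.sha256(raw[:2] + bytes(CHECKSUM_LEN) + raw[2 + CHECKSUM_LEN:]).digest()
    if checksum != expected[:CHECKSUM_LEN]:
        raise ValueError("checksum mismatch: record corrupted or truncated")
    try:
        off = 2 + CHECKSUM_LEN
        (keys_len,) = struct.unpack_from("!H", raw, off); off += 2
        keys_end, keys = off + keys_len, []
        while off < keys_end:
            group, klen = struct.unpack_from("!HH", raw, off); off += 4
            keys.append((group, raw[off:off + klen])); off += klen
        if off != keys_end or not keys:
            raise ValueError("malformed key share list")
        (cs_len,) = struct.unpack_from("!H", raw, off); off += 2
        if cs_len < 2 or cs_len % 2:
            raise ValueError("malformed cipher suite list")
        suites = list(struct.unpack_from("!%dH" % (cs_len // 2), raw, off)); off += cs_len
        (padded_length,) = struct.unpack_from("!H", raw, off); off += 2
        not_before, not_after = struct.unpack_from("!QQ", raw, off); off += 16
        (ext_len,) = struct.unpack_from("!H", raw, off); off += 2 + ext_len
    except struct.error as exc:
        raise ValueError("truncated field") from exc
    if off != len(raw):
        raise ValueError("trailing bytes after ESNIKeys")
    now = int(time.time()) if now is None else now
    return {
        "keys": keys, "cipher_suites": suites, "padded_length": padded_length,
        "not_before": not_before, "not_after": not_after,
        "valid_now": not_before <= now <= not_after,
    }


def checksum_ok(record_b64):
    """True if the record decodes and its checksum matches; a quick health check."""
    try:
        parse_esni_keys(record_b64)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a 32-byte placeholder x25519 share, NOT a real key.
    sample_pub = bytes(range(32))
    record = txt_value(sample_pub, 1_567_296_000, 1_572_480_000)
    print("_esni.example.com TXT", record)   # starts with "/w": 0xff01 in base64
    print(parse_esni_keys(record, now=1_570_000_000))
```

The checksum and validity window are the two things worth checking operationally: a record that was copied with a stray character fails the checksum and clients silently fall back to plain SNI, and a record whose `not_after` has passed does the same, so a monitor that decodes the published TXT value and alerts on either condition catches both failure modes.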

As I mentioned before I highly doubt this is currently possible but this is what I meant you need to clarify with support.

Yes, I’m not sure it is possible currently, but if I find info about this I will let you know.

On Mon, Sep 23, 2019 at 1:05 AM, sandro via Cloudflare Community [email protected] wrote:
