Great Firewall Report announced that the Great Firewall of China has begun blocking TLS connections that use ESNI. Encrypted SNI (ESNI), a draft extension for TLS 1.3, encrypts the Server Name Indication so that on-path intermediaries cannot read which hostname the client is connecting to. According to the report, the Great Firewall blocks ESNI connections by dropping packets sent from the client to the server, and the blocking can be triggered in both directions (connections from inside China to outside, and from outside to inside). The group also found that the presence of the ESNI extension (type 0xffce) in the ClientHello is what triggers the blocking, that the blocking happens on all ports, and that once a connection has been blocked, the Great Firewall keeps dropping all traffic matching the 3-tuple (srcIP, dstIP, dstPort) for 120 or 180 seconds.
Blocking by dropping packets
Great Firewall Report also published a Python program to test the blocking. It completes a TCP handshake with a specified server and then sends a TLS ClientHello carrying an ESNI extension, both inside-out (from a client in China to a server outside) and outside-in (from a client outside to a server in China). The group observed that the servers complete the TCP handshake but then never send any data back to the client, nor are they the first to close the connection, which is consistent with the ClientHello never reaching the server. From this they concluded that the Great Firewall blocks ESNI connections by dropping packets from the client to the server.
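The probe described above, written out as an added example (this is not Great Firewall Report's own program). It builds a TLS 1.3 ClientHello by hand so that the 0xffce extension can be added or left out, completes the TCP handshake, sends the hello, and reports whether the server replied, the socket timed out, or a reset arrived. The ESNI extension body is a constructed placeholder laid out like the draft's ClientEncryptedSNI structure (cipher suite, key share, record digest, encrypted SNI) but filled with random bytes rather than real ciphertext; the report states that the extension type alone is enough to trigger the blocking, and this example assumes that is what the firewall keys on. The hostname, port and timeout are illustrative parameters.

```python
import os
import socket
import struct
import sys

ESNI_EXT_TYPE = 0xFFCE  # ESNI extension type from draft-ietf-tls-esni


def _vec(data, len_bytes):
    """Length-prefixed TLS vector."""
    return len(data).to_bytes(len_bytes, "big") + data


def _ext(ext_type, body):
    """One TLS extension: uint16 type, uint16 length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def esni_placeholder_body():
    """Constructed ClientEncryptedSNI-shaped body (assumption: random filler,
    not a real encryption). Only the extension type matters for the probe."""
    return (
        b"\x13\x01"                                      # cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x00\x1d" + _vec(os.urandom(32), 2)          # KeyShareEntry for x25519
        + _vec(os.urandom(32), 2)                        # record_digest
        + _vec(os.urandom(144), 2)                       # encrypted_sni
    )


def build_client_hello(host, esni_body=None):
    """Return one TLS record carrying a minimal TLS 1.3 ClientHello for `host`.
    When esni_body is given, the 0xffce extension is appended."""
    sni = _ext(0x0000, _vec(b"\x00" + _vec(host.encode("idna"), 2), 2))
    supported_versions = _ext(0x002B, _vec(b"\x03\x04", 1))            # TLS 1.3 only
    supported_groups = _ext(0x000A, _vec(b"\x00\x1d", 2))              # x25519
    sig_algs = _ext(0x000D, _vec(b"\x08\x04\x04\x03", 2))              # rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256
    key_share = _ext(0x0033, _vec(b"\x00\x1d" + _vec(os.urandom(32), 2), 2))
    exts = sni + supported_versions + supported_groups + sig_algs + key_share
    if esni_body is not None:
        exts += _ext(ESNI_EXT_TYPE, esni_body)
    body = (
        b"\x03\x03" + os.urandom(32)          # legacy_version + random
        + _vec(os.urandom(32), 1)             # legacy_session_id
        + _vec(b"\x13\x01\x13\x02", 2)        # cipher suites: AES-128-GCM, AES-256-GCM
        + _vec(b"\x00", 1)                    # compression: null
        + _vec(exts, 2)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extension_types(record):
    """Walk a ClientHello record and return the extension type codes it carries,
    so a capture (or the record built above) can be checked for 0xffce."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs = record[5:]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    types = []
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        types.append(ext_type)
        pos += 4 + ext_len
    return types


def probe(host, port=443, timeout=5.0, with_esni=True):
    """Complete the TCP handshake, send the hello, and classify the outcome:
    'reply' (server answered), 'timeout' (nothing came back, the symptom the
    report describes for dropped client-to-server packets), 'reset' or 'closed'."""
    body = esni_placeholder_body() if with_esni else None
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, body))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
        except ConnectionResetError:
            return "reset"
    return "reply" if data else "closed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # illustrative host
    print("without ESNI:", probe(target, with_esni=False))
    print("with ESNI:   ", probe(target, with_esni=True))
```

Run it once from each side of the firewall against the same server: a server that answers the plain ClientHello but times out on the ESNI one, with no reset, matches the behaviour the report describes. Because the block persists on the 3-tuple for 120 or 180 seconds, run the no-ESNI probe first, or from a different source port, so the comparison is not contaminated by an earlier trigger.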