
Comment by ignoramous

12 hours ago

> Such tricks, called "domain fronting"

GP said "not setting SNI"... doing a TLS handshake with IP certs doesn't (need to) set SNI?

That's true; usually with domain fronting you provide the (wrong) SNI. But the same strategy is happening here: you were supposed to provide SNI and you didn't, to avoid some potential censorship, but it's a headache for the provider.

They won't have received a certificate for the IP as a name; it's relatively unusual to have those. The main users are things like DoH and DoT servers, since their clients may not know the name of the server. Historically, if you connect to a TLS server without SNI it just picks a name and presents a certificate for that name; if there's a single name for the machine that definitely works, and if not, well, domain fronting.

TLS 1.3 even specifies that you must always do SNI and shouldn't expect such tricks to work, because it's such a headache.

  • An example for the hub:

    ```
    echo -e "GET / HTTP/1.1\r\nHost: www.pornhub.com\r\nConnection: close\r\n\r\n" | openssl s_client -connect 66.254.114.41:443 -quiet
    ```

    This works for most ISPs in India, but if you set the SNI it'll get a TCP reset.
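The whole thread turns on whether the ClientHello carries a server_name extension, since that field is what an SNI-based middlebox keys on and what a provider's own monitoring can look at to see how many handshakes arrive without it. The following is an added example, not code from any commenter: it builds a minimal, constructed ClientHello (zeroed random, one cipher suite, the host names are placeholders) with or without SNI, and parses the record to report the SNI or its absence.

```python
import struct
from typing import Optional

SERVER_NAME_EXT = 0  # extension type for server_name (RFC 6066)

def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record, with an SNI extension only if sni is given.
    Constructed test input: zeroed random, one cipher suite, no other extensions."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                                     # legacy_version + random
        + b"\x00"                                                   # session_id: empty
        + b"\x00\x02\x13\x01"                                       # cipher_suites: one entry
        + b"\x01\x00"                                               # compression: null only
        + struct.pack("!H", len(exts)) + exts                       # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the ClientHello's SNI extension, or None if absent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                                # headers, version, random
    pos += 1 + record[pos]                                          # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]          # cipher_suites
    pos += 1 + record[pos]                                          # compression_methods
    if pos + 2 > len(record):
        return None                                                 # no extensions block
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == SERVER_NAME_EXT and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
        pos += 4 + ext_len
    return None

def flag_missing_sni(records) -> list:
    """Indices of ClientHellos that omit SNI: what a provider's monitoring would flag."""
    return [i for i, r in enumerate(records) if extract_sni(r) is None]
```

Feeding real ClientHello records (for example the first TLS record of each flow from a packet capture) to `flag_missing_sni` gives the share of handshakes a provider would see without a name to route on.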