> The SNI and the host header often have to match (or at least have a known
> mapping), because the origin server might want to prevent domain fronting.

More likely the CDN. Amazon and Google used to do this but stopped (https://www.theverge.com/2018/4/30/17304782/amazon-domain-fronting-google-discontinued). I don’t see how the origin is involved.

> My goal is to keep the SNI encrypted on the wire from CDN to Origin (I
> understand that the SNI is visible to the CDN).

Use DNS entries for the origin then ESNI works. If you follow your “IPv6 uniquely identifies the origin” assumption, then ESNI is pointless.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
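The condition the quoted message describes, that the SNI and the HTTP Host header must either match or stand in a known mapping, is the check a CDN or front-end can run to refuse domain-fronted requests. The following is an added example written for this page, not code from either poster or from any CDN; the hostnames and the `KNOWN_MAPPING` table are constructed placeholders.

```python
# Added example: front-end check that the TLS SNI and the HTTP Host header
# agree, or are related through a known mapping, before a request is
# forwarded. Mismatches are what domain fronting relies on.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample mapping (placeholder names, not real deployments):
# SNI name -> Host header values that the front-end is allowed to serve
# under that SNI.
KNOWN_MAPPING: Dict[str, Set[str]] = {
    "cdn.example.net": {"www.example.com", "static.example.com"},
}


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix.

    IPv6 literals keep their brackets, e.g. "[2001:db8::1]:443" -> "[2001:db8::1]".
    """
    name = name.strip().lower()
    if name.startswith("["):
        end = name.find("]")
        return name[: end + 1] if end != -1 else name
    host, _, _ = name.partition(":")
    return host.rstrip(".")


@dataclass
class FrontingVerdict:
    allowed: bool
    reason: str


def check_sni_host(
    sni: Optional[str],
    host_header: Optional[str],
    mapping: Dict[str, Set[str]] = KNOWN_MAPPING,
) -> FrontingVerdict:
    """Allow only when Host equals SNI or is a listed mapping for that SNI."""
    if not sni:
        return FrontingVerdict(False, "no SNI presented")
    if not host_header:
        return FrontingVerdict(False, "no Host header")
    s = normalize_host(sni)
    h = normalize_host(host_header)
    if s == h:
        return FrontingVerdict(True, "sni matches host")
    if h in mapping.get(s, set()):
        return FrontingVerdict(True, "host is a known mapping for sni")
    return FrontingVerdict(False, f"sni {s!r} does not match host {h!r}")


if __name__ == "__main__":
    # Constructed sample requests: (SNI, Host header)
    for sni, host in [
        ("www.example.com", "WWW.EXAMPLE.COM:443"),
        ("cdn.example.net", "static.example.com"),
        ("cdn.example.net", "other.example.org"),
        (None, "www.example.com"),
    ]:
        v = check_sni_host(sni, host)
        print(f"{sni!s:18} {host!s:22} -> {'allow' if v.allowed else 'deny':5} ({v.reason})")
```

Normalisation matters here: without it a Host header differing only in case, a trailing dot or an explicit port would be rejected as a mismatch, while an attacker gains nothing from those variants. Whether this check belongs at the origin or at the CDN is the point the reply makes; the logic is the same wherever it runs.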