Been hearing a lot about TLSv1.3 being slowly implemented in more ‘areas’ of the internet due to its more secure and faster handshakes. However, we may still be in the dark where one may use ESNI (for whatever reason). Typically the default way is to use it without ESNI.

So my team is wondering if ExtraHop has the ability to identify TLSv1.3 that comes with ESNI.

If you navigate to the System Settings menu and then Metric Catalog on one of your appliances, you can search for “Encrypted Server Name” or “ESNI”. There you’ll see a few built-in metrics that can help you understand where encrypted server names are in use.

You might also find the SSL trigger methods relating to extensions helpful.

Please note that ESNI is being phased out in favor of Encrypted Client Hello (ECH). There are metrics for ECH sessions as well.
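What such metrics key on can be seen directly in the ClientHello. The following is an added example, not part of the original thread and not ExtraHop trigger code: a standalone Node.js parser that reports whether a ClientHello offers TLS 1.3 and carries a plaintext SNI, the draft ESNI extension (type 0xffce) or the ECH extension (type 0xfe0d). The function names and the sample ClientHellos are constructed for illustration.

```javascript
// Added example: standalone Node.js, not ExtraHop trigger code.
const EXT = { SNI: 0x0000, SUPPORTED_VERSIONS: 0x002b, ESNI: 0xffce, ECH: 0xfe0d };

// Parse one TLS record holding a ClientHello; return Map(extension type -> data).
function clientHelloExtensions(buf) {
  if (buf.length < 9 || buf[0] !== 0x16 || buf[5] !== 0x01) {
    throw new Error('not a handshake record carrying a ClientHello');
  }
  let off = 5 + 4 + 2 + 32;            // record hdr, handshake hdr, version, random
  off += 1 + buf.readUInt8(off);       // legacy_session_id
  off += 2 + buf.readUInt16BE(off);    // cipher_suites
  off += 1 + buf.readUInt8(off);       // legacy_compression_methods
  const exts = new Map();
  if (off === buf.length) return exts; // old-style hello with no extensions
  const end = off + 2 + buf.readUInt16BE(off);
  if (end > buf.length) throw new Error('truncated extensions block');
  for (off += 2; off + 4 <= end;) {
    const type = buf.readUInt16BE(off), len = buf.readUInt16BE(off + 2);
    if (off + 4 + len > end) throw new Error('truncated extension');
    exts.set(type, buf.subarray(off + 4, off + 4 + len));
    off += 4 + len;
  }
  return exts;
}

// Summarise what a passive sensor can learn about server-name privacy.
function classify(buf) {
  const exts = clientHelloExtensions(buf);
  const sv = exts.get(EXT.SUPPORTED_VERSIONS);
  let tls13 = false;                   // list is 1 length byte + 2-byte versions
  if (sv) for (let i = 1; i + 1 < sv.length; i += 2) {
    if (sv.readUInt16BE(i) === 0x0304) tls13 = true;
  }
  return { tls13, sni: exts.has(EXT.SNI), esni: exts.has(EXT.ESNI), ech: exts.has(EXT.ECH) };
}

// Constructed sample builder (test data only): minimal ClientHello with given extensions.
function buildClientHello(extList) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const exts = Buffer.concat(extList.map(([t, d]) => Buffer.concat([u16(t), u16(d.length), d])));
  const body = Buffer.concat([u16(0x0303), Buffer.alloc(32), Buffer.from([0]),
    u16(2), u16(0x1301), Buffer.from([1, 0]), u16(exts.length), exts]);
  const hs = Buffer.concat([Buffer.from([0x01, 0, body.length >> 8, body.length & 0xff]), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}

const tls13Ext = [EXT.SUPPORTED_VERSIONS, Buffer.from([2, 0x03, 0x04])];
const plain = buildClientHello([tls13Ext, [EXT.SNI, Buffer.from('constructed-sni-bytes')]]);
const esni = buildClientHello([tls13Ext, [EXT.ESNI, Buffer.alloc(8)]]);
console.log(classify(plain), classify(esni));
```

With ECH, the outer ClientHello normally still carries a plaintext SNI naming the client-facing server, so `sni` and `ech` can both be true for the same session.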