DEfO project Logo Developing ESNI for OpenSSL (DEfO)

Encrypted server name indication (ESNI) is a way to plug a privacy-hole that remains in the Transport Layer Security (TLS) protocol that's used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project is developing an implementation of ESNI for OpenSSL, and an ESNI-enabled web server as a demonstration and for interoperability testing. Over time, DEfO will demonstrate integration of ESNI with other tools that use TLS. DEfO is funded by the Open Technology Fund. Tolerant Networks Ltd. and people from the Guardian Project will be doing the work in DEfO.

This site is for ESNI interoperability testing. There are a number of web origins hosted at this IP address:

The first two sites above are ESNI-enabled. The last two are not.

This is not a highly-scalable hugely-tested thing - let us know if you find any issues, but do expect to find issues - that's what this site is for after all!

Our OpenSSL fork supporting ESNI is on github.

The ESNI-enabled sites above support all of draft-02 and draft-03 and draft-04 of the ESNI specification. As far as we know others only support draft-02 for now.

Note that to support both drafts 03 and 04 we publish two ESNIKeys RRs using the experimental RRCODE from the specification, so clients need to support multi-valued RRs at some level for those versions. There is only one key published for each version at any given moment. For draft-02 we only publish one key (in a TXT RR) at a time, as Firefox doesn't support more than one RR as far as we can tell. All keys are changed hourly but remain valid for 3 hours from the time they are first published. (At least that's the case when everything works, which it mostly seems to:-)

To try out ESNI, follow these instructions from Cloudflare and check if ESNI is working here. Once that's working, come back and visit one of the ESNI-enabled URLs above.

If you'd like to build and play with our OpenSSL fork that does ESNI, and/or with a curl fork has initial support for using that, then see the HOWTO.

This server now runs on our fork of lighttpd See the notes for how we did that. (Turned out to be much easier than expected actually!)

We also have an nginx deployment on port 5443 of this server running on our fork of nginx See the notes for how we did that. (Turned out to be even easier than lighttpd!)

We just added an apache deployment on port 9443 of this server running on our fork of apache See the notes for how we did that. (Turned out to be a little harder than nginx.)

Contact us at

Tolerant Networks Logo
This fine domain brought to you by My-Own.Net a Tolerant Networks Limited production.
Last modified: 2019-10-05, but who cares?
Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.