Why is TLS1.2 wrapped in TLS1.3?

Question

I was just curious about TLS1.3 which Cloudflare is one of the companies leading the implementation. I then visited blog.cloudflare.com and turned on my Wireshark. I am not 100% clear about all technical details of TLS1.3, but one of the new features that I was particularly interested in is Encrypted-SNI, which aims to hide the intended visiting domain name.

I check the pcap, saw both Client Hello and Server Hello as follow:

I was surprised to see TLS1.2 was wrapped in the TLS1.3 packet, and the SNI part of TLS1.2 is still there, exposing the server name.

So I wonder whether this is the implementation error or I have been downgraded, or am I missing something? Note that I already configure my Firefox browser to force TLS1.3 only, thus it's not the issue of my browser as you can see in the supported_versions extension.

Answer 1

Your question about the version numbers in TLS 1.3 ClientHello -- note the record version is 1.0 (wire 0301) and message version is 1.2 (wire 0303), and as you note only the supported_versions extension says 1.3 (0304) -- is a crossdupe of https://serverfault.com/questions/907347/tls-1-3-client-server-hello-version-1-2 and now that RFC8446 is official is explained there.

It appears your actual concern might be that your connection attempt -- which is in fact 1.3 -- is not using ESNI. If so, the obvious answer is that the domain blog.cloudflare.com does not support ESNI, at least as defined in the draft; specifically it does not publish any TXT RR(s) at _esni.blog.cloudflare.com as required. The only domain I know cloudflare has announced to support ESNI is encryptedsni.com, and _esni.encrypted.com does have TXT RR containing ESNIKeys, although I didn't go to the trouble of installing Firefox nightly to test if it actually works. You might try that.