0
I want to make a SNI proxy which will modify the SNI info. I'm not very sure whether the handshake message would be authenticated by client. If it doesn't, the proxy maybe could be implemented easily.
0
I want to make a SNI proxy which will modify the SNI info. I'm not very sure whether the handshake message would be authenticated by client. If it doesn't, the proxy maybe could be implemented easily.
0
Yes, the Finished message sent in both directions authenticates every byte of the previous handshake messages; both peers remember the messages they've sent, and compare them against a hash received from the other peer.
Additionally, even if the SNI extension was not protected against modification, the server would still have to provide a certificate that's valid for the original domain, because even though you can modify network traffic, you cannot modify what the client already knows internally (and will validate received certificates against).