Hacker News
by gluegadget 2366 days ago
A bit unrelated but I wrote https://github.com/amir/hepccn to list TCP connections by domains rather than just IPs. It filters connections to ports 443 and 8443, downloads the peer certificate and then extracts the subject name (pretty sure I learned this trick from an article on Julia Evans' website but can't find it now). I wanted to add more functionalities to it but I stumbled upon an issue and that's for when SNI is enabled. I guess there's no way for me to recover the hostname the client has sent at the start of the handshaking process without introducing MITM, right?
2 comments

You won't be able to recover it after the fact, but the SNI is cleartext on the wire as part of ClientHello even in TLS 1.3. Work to encrypt this is an ongoing effort (called eSNI).
You can recover SNI if you sniff from the very beginning, but not thereafter. It’s only sent once as part of the initial TLS handshake.
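Both replies make the same point: the server name is carried once, in cleartext, in the ClientHello, so a passive observer gets it only if it sees that first record. The Python example below is added here and is not from the thread or from the hepccn project. It hand-builds a constructed TLS ClientHello record with a server_name extension, parses the SNI back out with bounds checks, and shows that a capture that starts after the handshake (an application_data record) yields nothing. The function names and the sample bytes are constructed for the example.

```python
import struct
from typing import Iterable, Optional

# Constructed sample builder: a minimal TLS 1.2-style ClientHello record that
# carries a server_name (SNI) extension. This is not a real capture.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    # ServerNameList: name_type(1)=host_name, name_len(2), name
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    # extension_type 0x0000 = server_name, then extension_data length and data
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x11" * 32                             # random (constructed filler)
        + b"\x00"                                  # session_id length 0
        + b"\x00\x02\x13\x01"                      # one cipher suite
        + b"\x01\x00"                              # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk a ServerNameList and return the first host_name entry, if any."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0 and pos + name_len <= end:
            return data[pos:pos + name_len].decode("ascii", errors="replace")
        pos += name_len
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from one TLS record, or None if the record is
    not a ClientHello, is truncated, or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:      # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 34:      # truncated capture
        return None
    pos = 34                                      # skip version(2) + random(32)
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                             # compression_methods
    if pos + 2 > len(body):                       # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000:                    # server_name
            return _parse_server_name(ext_data)
    return None


def first_sni(records: Iterable[bytes]) -> Optional[str]:
    """Scan records in the order they were captured; the SNI is only ever in
    the ClientHello, so a capture that starts later returns None."""
    for rec in records:
        sni = extract_sni(rec)
        if sni is not None:
            return sni
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    app_data = b"\x17\x03\x03\x00\x05hello"   # constructed application_data record
    print(first_sni([hello, app_data]))       # capture started before the handshake
    print(first_sni([app_data]))              # capture started after it
```

The parser deliberately returns None rather than raising on anything it cannot account for (wrong record type, short read, missing extension block), which is the behaviour you want in a passive monitor that sees arbitrary bytes.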