https://ntc.party/t/12837 says “Блокировка осуществляется, если в пакете ClientHello установлен SNI = cloudflare-ech.com и есть ECH extension” – “Blocking is done if, in the ClientHello packet, the SNI is set to cloudflare-ech.com and there is an ECH extension”.
I assume that an ECH extension means, at least, ExtensionType 0xfe0d from draft-ietf-tls-esni-22. Do you know if any other ExtensionTypes are affected?
| encrypted_client_hello ExtensionType | version | date |
|---|---|---|
| 0xfe0d | draft-ietf-tls-esni-13 | 2021-08-12 |
| 0xfe0c | draft-ietf-tls-esni-12 | 2021-07-07 |
| 0xfe0b | draft-ietf-tls-esni-11 | 2021-06-14 |
| 0xfe0a | draft-ietf-tls-esni-10 | 2021-03-08 |
| 0xfe09 | draft-ietf-tls-esni-09 | 2020-12-16 |
| 0xfe08 | draft-ietf-tls-esni-08 | 2020-10-16 |
| 0xfe02 | draft-ietf-tls-esni-07 | 2020-06-01 |
The older ExtensionTypes may not interoperate with the current Cloudflare ECH deployment – but by checking for packet dropping it should still be possible to see whether they are being specifically blocked.
With the blocking of ESNI in China back in 2020, only the specific ExtensionType 0xffce was blocked, not others like 0xff02, 0xff03, and 0xff04. (However, I consider the tests that were done back then inconclusive, because Client Hellos containing the other ExtensionTypes were not well-formed.)
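An added example of the kind of drop test the post proposes (this is example code, not from the post, from ntc.party or from any ECH implementation): it builds a well-formed TLS 1.3 ClientHello with SNI = cloudflare-ech.com and one chosen ECH extension code point, parses it back to confirm the extension list, and sends it to a target host, classifying what comes back (handshake record, alert, reset, or timeout). Assumptions: the ECH extension body uses the draft-13+ `ECHClientHello` outer format for every code point (pre-13 drafts encoded the body differently, so older code points will not interoperate, which does not matter for a pure drop test); the HPKE `enc` and `payload` fields, the X25519 key share and the random are filled with random bytes; the target host and port are passed on the command line and are not part of the original post.

```python
"""Build and send TLS 1.3 ClientHellos carrying different ECH extension code points."""
import os
import socket
import struct
import sys

# ECH code points by draft, as listed in the post (0xffce is the old ESNI code point).
ECH_CODEPOINTS = {
    "draft-13+": 0xFE0D, "draft-12": 0xFE0C, "draft-11": 0xFE0B, "draft-10": 0xFE0A,
    "draft-09": 0xFE09, "draft-08": 0xFE08, "draft-07": 0xFE02, "esni": 0xFFCE,
}

def _u8(v):  return struct.pack("!B", v)
def _u16(v): return struct.pack("!H", v)
def _u24(v): return struct.pack("!I", v)[1:]

def _ext(ext_type, body):
    return _u16(ext_type) + _u16(len(body)) + body

def _sni(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name        # name_type = host_name
    return _ext(0x0000, _u16(len(entry)) + entry)

def _ech_outer(ext_type, rand):
    # ECHClientHello, type = outer, draft-13+ wire format (assumption: reused for every code point).
    enc = rand(32)       # HPKE encapsulated key, random placeholder
    payload = rand(144)  # encrypted inner ClientHello, random placeholder
    body = (b"\x00"                          # ECHClientHelloType.outer
            + _u16(0x0001) + _u16(0x0001)    # HpkeSymmetricCipherSuite: HKDF-SHA256, AES-128-GCM
            + _u8(0)                         # config_id
            + _u16(len(enc)) + enc
            + _u16(len(payload)) + payload)
    return _ext(ext_type, body)

def build_client_hello(sni, ech_type, rand=os.urandom):
    """Return a complete TLS record (handshake/ClientHello) with SNI and an ECH extension."""
    exts = (
        _sni(sni)
        + _ext(0x000A, _u16(2) + _u16(0x001D))                                  # supported_groups: x25519
        + _ext(0x000D, _u16(6) + _u16(0x0403) + _u16(0x0804) + _u16(0x0401))    # signature_algorithms
        + _ext(0x002B, _u8(2) + _u16(0x0304))                                   # supported_versions: TLS 1.3
        + _ext(0x002D, _u8(1) + _u8(0x01))                                      # psk_key_exchange_modes
        + _ext(0x0033, _u16(36) + _u16(0x001D) + _u16(32) + rand(32))           # key_share: x25519, random key
        + _ech_outer(ech_type, rand)
    )
    suites = _u16(0x1301) + _u16(0x1302) + _u16(0x1303)
    session_id = rand(32)
    body = (_u16(0x0303) + rand(32)                   # legacy_version, random
            + _u8(len(session_id)) + session_id
            + _u16(len(suites)) + suites
            + _u8(1) + b"\x00"                        # legacy_compression_methods: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(body)) + body      # HandshakeType.client_hello
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake

def extension_types(client_hello):
    """Parse the record back and return the extension code points in wire order."""
    rec_type, _ver, rec_len = struct.unpack("!BHH", client_hello[:5])
    hs = client_hello[5:]
    if rec_type != 0x16 or rec_len != len(hs) or hs[0] != 0x01 \
            or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a well-framed ClientHello record")
    p = 4 + 2 + 32                                    # handshake header, legacy_version, random
    p += 1 + hs[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # legacy_compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    if end != len(hs):
        raise ValueError("extensions length does not match handshake length")
    types = []
    while p < end:
        t, l = struct.unpack("!HH", hs[p:p + 4])
        types.append(t)
        p += 4 + l
    if p != end:
        raise ValueError("extension overruns the extensions block")
    return types

def probe(host, port, client_hello, timeout=5.0):
    """Send the ClientHello and classify the first bytes (or lack of them) that come back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello)
            data = s.recv(5)
    except socket.timeout:
        return "timeout (possible drop)"
    except ConnectionResetError:
        return "reset"
    if not data:
        return "closed"
    return {0x15: "alert", 0x16: "handshake"}.get(data[0], "record 0x%02x" % data[0])

if __name__ == "__main__":
    # Usage: python ech_probe.py <target-host> [port]; the SNI is always cloudflare-ech.com.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, code in ECH_CODEPOINTS.items():
        ch = build_client_hello("cloudflare-ech.com", code)
        print("%-9s 0x%04x  %s" % (name, code, probe(host, port, ch)))
```

A "timeout" for one code point and "handshake" or "alert" for the others, against the same host from the same vantage point, is the signal the post is after; a control run with a different SNI (or no ECH extension) separates SNI-based from extension-based blocking.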