-rw-r--r-- | python/ndpi.py | 3 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 5 |
4 files changed, 12 insertions, 2 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index 227db5bb5..85378f526 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -312,6 +312,7 @@ typedef enum {
   NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
   NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
   NDPI_SMB_INSECURE_VERSION,
+  NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
   /* Leave this as last member */
   NDPI_MAX_RISK
 } ndpi_risk_enum;
@@ -1446,4 +1447,4 @@ class NDPI():
     def ndpi_exit_detection_module(self):
         """ Exit function for nDPI module """
         self._ndpi.ndpi_exit_detection_module(self._mod)
-        self._ffi.dlclose(self._ndpi)
\ No newline at end of file
+        self._ffi.dlclose(self._ndpi)
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 66fac35af..53d143327 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -79,6 +79,7 @@ typedef enum {
   NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
   NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
   NDPI_SMB_INSECURE_VERSION,
+  NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
   /* Leave this as last member */
   NDPI_MAX_RISK
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 347e65d52..9fc5d2d7f 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1532,7 +1532,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_SMB_INSECURE_VERSION:
     return("SMB Insecure Version");
-
+
+  case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
+    return("TLS Suspicious ESNI Usage");
+
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ec267ba5e..5cf2cac19 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1432,6 +1432,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
         NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
       }
 
+      if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
+         flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
+        NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+      }
+
       return(2 /* Client Certificate */);
     } else {
 #ifdef DEBUG_TLS
|
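Review bot: The new enumerator NDPI_TLS_SUSPICIOUS_ESNI_USAGE in ndpi_typedefs.h has no comment saying what condition it names, although the enum is the public risk API and the only definition a consumer sees; the tls.c hunk shows it is set when an ESNI extension and a non-empty cleartext SNI appear in the same ClientHello, so a one-liner such as `NDPI_TLS_SUSPICIOUS_ESNI_USAGE, /* ESNI extension present together with a cleartext SNI */` would make the meaning self-contained. Appending it just before NDPI_MAX_RISK keeps existing values stable, which is correct. Since these enumerators are used as bit positions through `NDPI_SET_BIT(flow->risk, ...)`, the incremented NDPI_MAX_RISK presumably still has to fit the bit width of `flow->risk`; that field's type is not visible in this diff, so it is worth confirming.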
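Review bot: The new ESNI check in tls.c carries no comment explaining why an encrypted SNI extension combined with a non-empty cleartext SNI is treated as suspicious, and the string "TLS Suspicious ESNI Usage" returned by ndpi_risk2str does not explain it either. Presumably the intent is that the plaintext name cannot be taken as the real destination when an ESNI extension is also present; if so, a comment above the `if` along the lines of `/* ESNI extension seen alongside a cleartext SNI: the plaintext name cannot be trusted as the real destination, so flag the flow */` would record that. The condition also assumes both `encrypted_sni.esni` and `client_requested_server_name` have already been filled by the extension parsing earlier in processClientServerHello, which starts outside this hunk; that ordering is not visible here and should be confirmed so the flag does not depend on the order in which the two extensions appear.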