Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/ndpi_utils.c16
-rw-r--r--src/lib/protocols/tls.c5
4 files changed, 12 insertions, 14 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 5b09effe4..0a80da57c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -130,7 +130,7 @@ typedef enum {
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
NDPI_SMB_INSECURE_VERSION, /* 20 */
- NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
+ NDPI_FREE_21, /* FREE */
NDPI_UNSAFE_PROTOCOL,
NDPI_DNS_SUSPICIOUS_TRAFFIC,
NDPI_TLS_MISSING_SNI,
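Review bot: The comment on the freed slot does not record what it previously held, so anyone decoding a risk bitmap produced by an older build (or grepping for the old name) has no way to map bit 21 back. Since the numeric position is deliberately preserved, state that in place: `NDPI_FREE_21, /* FREE: was NDPI_TLS_SUSPICIOUS_ESNI_USAGE, bit position kept for bitmap compatibility */`. External code that used the old enumerator by name will stop compiling; if that is intended, a short note in the enum saying the name was removed rather than deprecated would make the break explicit. The enum itself starts before this hunk.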
@@ -168,6 +168,7 @@ typedef enum {
NDPI_BINARY_DATA_TRANSFER, /* Attempt to transfer something in binary format */
NDPI_PROBING_ATTEMPT, /* Probing attempt (e.g. TCP connection with no data exchanged or unidirection traffic for bidirectional flows such as SSH) */
NDPI_OBFUSCATED_TRAFFIC,
+ /* Before allocating a new risk here, check if there are FREE entries above */
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 96610affc..5df5f36ae 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -171,7 +171,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
{ NDPI_SMB_INSECURE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
- { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+ { NDPI_FREE_21, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE },
{ NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
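Review bot: The placeholder entry still carries `NDPI_RISK_MEDIUM` and `NDPI_CLIENT_ACCOUNTABLE`, so a flow that somehow ends up with bit 21 set (a caller still raising it under the old name, or a risk mask loaded from external config, if such a path exists) would be reported as a medium client-side risk labelled "FREE21". A free slot is better made inert: `{ NDPI_FREE_21, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, /* unused slot */`. The ndpi_known_risks table continues outside the hunk.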
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2c215feef..ef179246a 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2209,8 +2209,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_SMB_INSECURE_VERSION:
return("SMB Insecure Vers");
- case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
- return("TLS Susp ESNI Usage");
+ case NDPI_FREE_21:
+ return("FREE21");
case NDPI_UNSAFE_PROTOCOL:
return("Unsafe Protocol");
@@ -2371,8 +2371,8 @@ const char* ndpi_risk2code(ndpi_risk_enum risk) {
return STRINGIFY(NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER);
case NDPI_SMB_INSECURE_VERSION:
return STRINGIFY(NDPI_SMB_INSECURE_VERSION);
- case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
- return STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ case NDPI_FREE_21:
+ return STRINGIFY(NDPI_FREE_21);
case NDPI_UNSAFE_PROTOCOL:
return STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
case NDPI_DNS_SUSPICIOUS_TRAFFIC:
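Review bot: The context line `return STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);` under `case NDPI_UNSAFE_PROTOCOL:` in ndpi_risk2code still returns the old ESNI code for the unsafe-protocol risk; it is the same copy-paste slip this commit fixes in ndpi_code2risk a few hunks below, but only one side was corrected. STRINGIFY needs only a token, so this still compiles after the enumerator is renamed, yet ndpi_risk2code(NDPI_UNSAFE_PROTOCOL) now yields a string that ndpi_code2risk no longer recognises, so a risk exported by one function cannot be mapped back by the other. Change it to `return STRINGIFY(NDPI_UNSAFE_PROTOCOL);`. ndpi_risk2code begins and ends outside the hunk.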
@@ -2494,10 +2494,10 @@ ndpi_risk_enum ndpi_code2risk(const char* risk) {
return(NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER);
else if(strcmp(STRINGIFY(NDPI_SMB_INSECURE_VERSION), risk) == 0)
return(NDPI_SMB_INSECURE_VERSION);
- else if(strcmp(STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE), risk) == 0)
- return(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ else if(strcmp(STRINGIFY(NDPI_FREE_21), risk) == 0)
+ return(NDPI_FREE_21);
else if(strcmp(STRINGIFY(NDPI_UNSAFE_PROTOCOL), risk) == 0)
- return(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ return(NDPI_UNSAFE_PROTOCOL);
else if(strcmp(STRINGIFY(NDPI_DNS_SUSPICIOUS_TRAFFIC), risk) == 0)
return(NDPI_DNS_SUSPICIOUS_TRAFFIC);
else if(strcmp(STRINGIFY(NDPI_TLS_MISSING_SNI), risk) == 0)
@@ -2673,7 +2673,7 @@ const char *ndpi_risk_shortnames[NDPI_MAX_RISK] = {
"ssh_obsolete_client",
"ssh_obsolete_server",
"smb_insecure_ver", /* NDPI_SMB_INSECURE_VERSION */
- "tls_esni",
+ "free21",
"unsafe_proto",
"dns_susp",
"tls_no_sni",
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index c45d42de1..6e010ef62 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2007,7 +2007,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
/* see: https://www.wireshark.org/docs/wsar_html/packet-tls-utils_8h_source.html */
static u_int16_t const allowed_non_iana_extensions[] = {
- 65486 /* ESNI */, 13172 /* NPN - Next Proto Neg */, 17513 /* ALPS */,
+ /* 65486 ESNI is suspicious nowadays */ 13172 /* NPN - Next Proto Neg */, 17513 /* ALPS */,
30032 /* Channel ID */, 65445 /* QUIC transport params */,
/* GREASE extensions */
2570, 6682, 10794, 14906, 19018, 23130, 27242,
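Review bot: With 65486 dropped from allowed_non_iana_extensions and the dedicated risk removed, an ESNI extension is presumably now caught only by whatever checkExtensions does for extensions outside this table (that code is outside the hunk), and nothing here says so. The inline remark `/* 65486 ESNI is suspicious nowadays */` explains why the entry went away but not where the detection moved; a reader maintaining this table may re-add it as "missing". Suggest a line of its own above the array: `/* 65486 (ESNI) is intentionally absent: it is superseded by ECH and is reported through the generic non-IANA extension check */`, hedged on how that check actually reports it. checkExtensions starts before the hunk.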
@@ -3220,9 +3220,6 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_struct->cfg.tls_versions_supported_enabled)
flow->protos.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
}
- } else if(extension_id == 65486 /* encrypted server name */) {
- /* ESNI has been superseded by ECH */
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL);
} else if(extension_id == 65037 /* ECH: latest drafts */) {
#ifdef DEBUG_TLS
printf("Client TLS: ECH version 0x%x\n", extension_id);