<p>By Jay Govibe R&amp;D Log</p> <p>Introduction</p> <p>In the past weeks, I&rsquo;ve been experimenting with a concept that sits between cryptography, reverse proxies, and deep network engineering. The idea was simple on paper but extremely complex in practice: to isolate ECH (Encrypted Client Hello) and SNI (Server Name Indication) by using a TLS-in-TLS triple-handshake encrypted tunnel acting as a web server reverse proxy.</p> <p>This project is not production-ready and not meant to compete with full-scale proxies like Nginx or Caddy.<br>It&rsquo;s a pure R&amp;D experiment, built to explore what happens when you place a custom encrypted layer before ECH/SNI on port 443.</p> <p>And the results were fascinating.</p> <p>Why ECH and SNI Matter</p> <p>ECH and SNI are both part of the HTTPS/TLS handshake. Normally:</p> <p>SNI reveals the requested domain name in plaintext</p> <p>ECH encrypts that domain name so intermediaries cannot see it</p> <p>But the challenge is this:<br>ECH happens extremely early in the TLS negotiation.</p> <p>To intercept or modify anything before SNI/ECH, a system must sit before the server handshake and must be able to handle the encrypted layers without breaking the flow.</p> <p>That&rsquo;s where the idea of a TLS-in-TLS tunnel came from.</p> <p>The Concept: A TLS-in-TLS Triple-Handshake Tunnel</p> <p>The architecture I built is essentially:</p> <p>Client (Your Web Browser)<br>&nbsp; &darr; TLS1.3 (outer tunnel)<br>Proxy &nbsp;<br>&nbsp; &darr; TLS1.3 (inner handshake)<br>Backend Web Server Reverse Proxy</p> <p>A triple-handshake occurs:</p> <p>Outer TLS handshake between client &rarr; tunnel</p> <p>Inner TLS handshake between tunnel &rarr; backend</p> <p>A control-handshake used internally to synchronize metadata (experimental)</p> <p>This structure forms an encrypted &ldquo;tunnel web server&rdquo; that doubles as a reverse proxy.</p> <p>Its goal:</p> <p>✔ Protect ECH/SNI<br>✔ Wrap all traffic in another encryption layer<br>✔ Explore behavior of early handshake interception<br>✔ Push low-level TLS research forward</p> <p>Early Results</p> <p>My prototype currently handles about 40 elements loading simultaneously &mdash; images, scripts, thumbnails, small videos.</p> <p>After ~40 network requests, the system begins to display:</p> <p>latency spikes</p> <p>buffer stalls</p> <p>freeze conditions</p> <p>load limits on the event loop</p> <p>This was expected, because the initial code is not optimized for concurrency.<br>It&rsquo;s written in C with a simple blocking model, and TLS handshakes are extremely expensive at scale.</p> <p>But for a first experiment, the results are solid.</p> <p>Where It Breaks</p> <p>Once the load becomes heavy, the proxy struggles with:</p> <p>handshake synchronization</p> <p>multi-stream concurrency</p> <p>buffer reuse</p> <p>socket exhaustion</p> <p>slow round-trip loops inside the tunnel</p> <p>The proxy was not designed for mass parallelism.<br>And that&rsquo;s the entire point of R&amp;D:</p> <p>Find what breaks.<br>Break it harder.<br>Then rebuild it better.</p> <p>Why Move to QUIC</p> <p>After experimenting with TLS-only tunnels, the next step is clear:</p> <p>QUIC.</p> <p>QUIC has:</p> <p>multiplexed streams</p> <p>no head-of-line blocking</p> <p>integrated TLS 1.3</p> <p>cleaner parallelism</p> <p>Caddy already uses it extremely well</p> <p>Rewriting the proxy with QUIC-based architecture inspired by Caddy&rsquo;s internal design should:</p> <p>✔ eliminate freezes<br>✔ handle load better<br>✔ allow parallel asset loading<br>✔ reduce handshake bottlenecks<br>✔ improve latency under stress</p> <p>This is not a simple rewrite &mdash; it&rsquo;s a full redesign of the event model.<br>But it&rsquo;s the right direction.</p> <p>Why This Experiment Matters</p> <p>Most people don&rsquo;t build reverse proxies.<br>Even fewer build encrypted tunnels.<br>And very, very few experiment with handshake-layer manipulation.</p> <p>This type of work belongs to the R&amp;D side of networking &mdash; the same territory occupied by:</p> <p>CDN engineers</p> <p>cryptography researchers</p> <p>protocol developers</p> <p>enterprise proxy architects</p> <p>QUIC implementers</p> <p>This project is simply my contribution to exploring these ideas.</p> <p>What&rsquo;s Next</p> <p>Here&rsquo;s the plan moving forward:</p> <p>Rewrite the event loop using QUIC-like patterns</p> <p>Replace blocking sockets with async multiplexed streams</p> <p>Reduce handshake overhead</p> <p>Test concurrent asset loading at scale</p> <p>Benchmark vs Caddy (just for fun)</p> <p>Document the internal architecture</p> <p>Release diagrams and simplified PoC code later</p> <p>This is not about shipping a product.<br>It&rsquo;s about pushing the limits of what one person can build in C with enough curiosity, patience, and stubbornness.</p> <p>Conclusion</p> <p>This TLS-in-TLS triple-handshake tunnel experiment has already taught me more than I expected about handshake flows, encrypted layers, and the behavior of ECH/SNI under custom proxy conditions. It&rsquo;s far from perfect, but it&rsquo;s progressing steadily.</p> <p>If my next tests with QUIC work out, this could evolve into a fast, lightweight, encrypted reverse proxy unlike anything that exists today.</p> <p>For now it remains experimental. It&rsquo;s not officially standardized&nbsp;it&rsquo;s a project currently built within the R&amp;D lab.</p>