It's sent un-encrypted in the very first handshake setup so the server knows which public key to return. Details here[0].
There is, as you can see from Wikipedia[0], an encrypted version(esni), but that only sort of solves the problem. See [1] for more details on those.
The high level overview is, perfect secrecy of who you are talking to is a very hard problem on the Internet, and while some of these new features might help, there are a LOT of leaks to plug, so if someone is able to watch your traffic go by, chances are they can tell who you are talking to, but they maybe can't figure out what you are saying. Which may or may not matter, depending on your security threat(s).
> is it the certificate handshake where host header is leaked?
Yes, because of SNI [0].
In short, the ClientHello message sent by your browser as the first step of TLS negotiation (After the TCP connection is made, obviously) includes the hostname of the server you are trying to connect to unencrypted so that the server knows which certificate to present in the case of multiple sites being served on one IP/port combo.
No. The SNI is transmitted in plain text as part of the ClientHello but TLS does not care about application implementation details. The HTTP Host header is encrypted along with the rest of the request.
