New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ECH experimental #11922
ECH experimental #11922
Conversation
Some of the CI test failures happen because |
I'll push a version with the mostly trivial changes indicated above. (I hit the "resolve" button on those that seem most trivial:-) I'll then rebase to try make the CI situation better and push another. Thanks for all the good comments meanwhile! |
e67d6f0
to
5d501ed
Compare
So now that I'm clearing up some of the CI chaff, an interesting question arises - if we're not doing ECH, then when, if ever, should we make a DNS query for an HTTTPS RR? Probably, for now, never, but that'll likely change if/as support for other uses for HTTPS RRs is added. |
The current DoH code seems to setup a new TLS session with the DoH-server for each DoH query. That probably makes no difference if the client is only making one request for one A record, but if we're now sometimes requesting A, AAAA and HTTPS RRs, it may be worth refactoring that code to use just one TLS session. Could do that but probably better as a separate PR sometime. Would need to understand though if it were possible/desirable to preserve the TLS session with the DoH-server across the runtime of an application using the library, which'd be more complex, but sometimes much more efficient. |
On 29/09/2023 17:13, Daniel Stenberg wrote:
While you were working on this, we changed how these references should be formatted and they are now verified to follow this format by test 1173. Now they should be:
~~~
.BR CURLOPT_ECH_CONFIG (3),
.BR CURLOPT_ECH_STATUS (3)
Aha! Thanks for that - it was doing my head in trying to
figure why the local tests differed from the CI builds:-)
I'll process the your other comments shortly, but mostly
they look like good things to do.
Cheers,
S.
|
This is out dated, see further down for latest.
I think that's along the lines suggested above.
|
Given there's a preference for fewer options, the latest push reduces the command line to one option only as in:
|
bc70e1d
to
6e04d17
Compare
I hope it's not too late, but I made this patch for CMake earlier: diff --git a/CMakeLists.txt b/CMakeLists.txt
index 96a1aeb21..cf188437e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -732,6 +732,28 @@ if(USE_MSH3)
list(APPEND CURL_LIBS ${MSH3_LIBRARIES})
endif()
+option(USE_HTTPSRR "Enable HTTPS RR support for ECH (experimental)" OFF)
+option(USE_ECH "Enable ECH support" OFF)
+if(USE_ECH)
+ if(USE_OPENSSL OR USE_WOLFSSL)
+ # Be sure that the OpenSSL/wolfSSL library actually supports ECH.
+ if(NOT DEFINED HAVE_OPENSSL_ECH)
+ if(USE_OPENSSL AND HAVE_BORINGSSL)
+ openssl_check_symbol_exists(SSL_set1_ech_config_list "openssl/ssl.h" HAVE_OPENSSL_ECH)
+ elseif(USE_OPENSSL)
+ openssl_check_symbol_exists(SSL_ech_set1_echconfig "openssl/ssl.h" HAVE_OPENSSL_ECH)
+ elseif(USE_WOLFSSL)
+ openssl_check_symbol_exists(wolfSSL_CTX_GenerateEchConfig "wolfssl/options.h;wolfssl/ssl.h" HAVE_OPENSSL_ECH)
+ endif()
+ endif()
+ if(NOT HAVE_OPENSSL_ECH)
+ message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/wolfSSL")
+ endif()
+ else()
+ message(FATAL_ERROR "ECH requires OpenSSL, BoringSSL or wolfSSL")
+ endif()
+endif()
+
if(NOT CURL_DISABLE_SRP AND (HAVE_GNUTLS_SRP OR HAVE_OPENSSL_SRP))
set(USE_TLS_SRP 1)
endif()
@@ -1563,6 +1585,7 @@ _add_if("TLS-SRP" USE_TLS_SRP)
# TODO option --with-nghttp2 tests for nghttp2 lib and nghttp2/nghttp2.h header
_add_if("HTTP2" USE_NGHTTP2)
_add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE)
+_add_if("ECH" USE_ECH)
_add_if("MultiSSL" CURL_WITH_MULTI_SSL)
# TODO wolfSSL only support this from v5.0.0 onwards
_add_if("HTTPS-proxy" SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index 0bfb45796..b38a62359 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -814,3 +814,9 @@ ${SIZEOF_TIME_T_CODE}
/* Define to 1 to enable TLS-SRP support. */
#cmakedefine USE_TLS_SRP 1
+
+/* Define to 1 to force HTTPS RR support for ECH. */
+#cmakedefine USE_HTTPSRR 1
+
+/* Define to 1 if ECH support is available. */
+#cmakedefine USE_ECH 1 Short of an ECH-enabled TLS library, it's only lightly tested. |
Oh thanks, I'll compare it with what I just did. BTW - does the cmake build work cleanly with the |
For local test builds, cmake works (for me) with master, just by omitting But, enabling it can be tricky with out of tree builds. To prevent rebuilding the manual I use |
Thanks again @vszakats. Since yours was cleaner than mine, I've now gone more or less with your suggested patch. |
8915143
to
9742dba
Compare
What is the meaning of |
On 18/10/2023 16:47, 南宫雪珊 wrote:
What is the meaning of `--ech false`, why not delete `--ech`?
In my local setup I have "ech=TRUE" in ``$HOME/.curlrc`` so this
provides a way to turn that off from the command line, if needed.
S.
|
Line 10 in 9742dba
What if i want |
To be honest, I'm not sure what "Multi: single" means, I probably just copied from some other
At present supplying
Not sure why that'd be better? Happy to change to something that is better of course but would like to understand why first. Switching |
Thanks for the comments btw - I take it from those that, at minimum, more text is needed in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bunch of comments of mine. Most of them are plain opinions so do take them as proposals, not strict requirements.
I think we can merge this as a first take once these minor nits are fixed. This is still experimental so we do not guarantee functionality or ABI/API compatibility, but getting the first version in git will allow for more and easier tests by a larger community. One thing that needs fixing at some point is the configure/cmake checks: for multissl to work with ech, we need to allow per-TLS ECH ability, not a global boolean. BTW, as do not think
|
Great, will fix the nits above in a sec.
Good point. Happy to do it (now or later) - got an example of some other feature that's "per-TLS"?
Yep, playing with that now - |
Co-authored-by: Daniel Stenberg <daniel@haxx.se>
Co-authored-by: Daniel Stenberg <daniel@haxx.se>
Thanks a lot for your hard and patient work on this @sftcd . We can now continue polishing this in separate PRs. |
Follow-up to a362962 curl#11922 Closes #xxxxx
Follow-up to a362962 curl#11922 Closes #xxxxx
Follow-up to a362962 curl#11922 Follow-up to edc2702 curl#13373 Closes #xxxxx
Excellent! Thanks for being so receptive for experimental stuff like this. Happy to help as useful in future too of course. |
This is an (as-promised, on the mailing list) early pull request for adding HTTPS RR an ECH support to cURL, that has had so far minimal testing when using OpenSSL or wolfSSL as the TLS provider, but does seem to work. (There's a known outstanding issue with the wolfSSL build.) The goal for now is to get some early but detailed review as to whether the direction of the current code changes looks good. It may well be that this PR evolves into something that can be merged, or it may require a chunk more work first, either is OK.