TLS: Provide ESNI support framework for curl and libcurl #4011
Conversation
| if test "x$ESNI_ENABLED" = "x1"; then | ||
| SUPPORT_FEATURES="$SUPPORT_FEATURES ESNI" | ||
| fi | ||
|
|
There was a problem hiding this comment.
You could squash all your configure commits into a single one to reduce the number of commits and make the PR easier to review...
There was a problem hiding this comment.
Do you need me to consolidate this, or is it tolerable as it is just this once?
There was a problem hiding this comment.
Done. I began to feel that the jumble was hurting even my head. I felt it was useful to use two commits (rather than just one) in order to keep handling of the command-line token --enable-esni separate from applying the corresponding configuration.
|
(In the hope that mail via GH gets there...;-)
On 11/06/2019 13:16, Daniel Stenberg wrote:
This check ought to actually check that one of the necessary ESNI
functions are available in OpenSSL. We've often seen users have a
mismatch between headers and library, so just having the header file
present is probably not a good enough signal. Something like this:
AC_CHECK_FUNCS( SSL_ESNI_get_status )
Ah - my fault for a bad comment in esni.h, the one I
think you mean is actually SSL_get_esni_status. It'd
be fine to check for that. (I just fixed that comment
in a commit a second ago:-)
(I don't know what function to actually check for, I just pulled this
out of the air)
I also added a note to esni.h to not change that
function name without checking back with curl.
Cheers,
S.
|
|
(The appveyor build issue is due to #3770 and not your fault) |
|
Appveyor: I was pretty sure I hadn't introduced anything to do with SMB. Thanks for confirming. |
|
I'm waiting to see what Travis reports before making any changes. |
niallor
force-pushed
the
ESNI-build
branch
2 times, most recently
from
e1f6ecc to
bd88ea6
Compare
|
Codacy is reporting a violation of the "no-consecutive-blank-lines" rule. I can't see why. |
I think you can safely ignore that. |
|
Unless I've missed something, components flagged in coverage check seem to be outside scope of this PR. |
|
yeah, ignore coveralls. It goes totally crazy at times with no explanation available. |
niallor
force-pushed
the
ESNI-build
branch
7 times, most recently
from
36a4c90 to
1ae4aba
Compare
|
After taking time to learn how to drive libcurl from the curl tool, and OpenSSL from libcurl, achieved apparently successful interaction with ESNI-aware server today. Much tidying-up remains to be done. |
|
As a fan of ESNI I'm curious, how's this going? |
|
Hiya,
On 16/08/2019 09:59, Daniel Stenberg wrote:
As a fan of ESNI I'm curious, how's this going?
Niall's vacating still so may give a fuller answer when
he's back, but we basically have a build of curl+openssl
that works vs. cloudflare's deployment and the defo.ie
demo site I've put up.
It's not complete nor at all ready for upstreaming of
course, but we plan to write a HOWTO in the next few
weeks so others can play with it and we can get some
feedback before we work to make it more complete.
Cheers,
S.
|
|
Hi.
On 16 Aug 2019, at 10:52, sftcd (Stephen Farrell) wrote:
On 16/08/2019 09:59, Daniel Stenberg wrote:
> As a fan of ESNI I'm curious, how's this going?
Niall's vacating still so may give a fuller answer when
he's back, but we basically have a build of curl+openssl
that works vs. cloudflare's deployment and the defo.ie
demo site I've put up.
So here's the fuller answer.
The state of play as of before my vacation is frozen as
branch 'freeze-20190731' of both niallor/openssl (which
tracks sftcd/openssl) and niallor/curl. Building these
is currently "an exercise for the reader."
We've made it work by implementing options in libcurl
and corresponding CLI options in curl so that we could
push the desired ESNI parameters through to the OpenSSL
backend and demonstrate interoperability in advance of
working out how to construct these parameters from the
target URL and related data published in the DNS.
We're not sure yet whether to leave these options in
place to allow over-riding the constructed values for
testing, as work-arounds for errors in DNS data, or
whatever.
Next steps (in no particular order) include the following.
- Write the HOWTO that sftcd mentions, so that building curl against his
ESNI-supporting OpenSSL is less of an adventure.
- Understand from (or agree with) bagder what is needed before PR 4011
(or a successor) can be pulled into curl/curl.
- Understand from (or agree with) OpenSSL team what is needed to have
sftcd's ESNI code pulled into OpenSSL.
- Work out how to construct (in libcurl, and automatically from the
target URL) the server name which is to be encrypted.
- Work out how to have libcurl retrieve published ESNI data from the
DNS.
- Update code as needed to track IETF work on the ESNI draft.
I think that's enough for now.
/Niall
|
|
Cool, thanks for this write-up. (in my current poll for what users would like to see in our roadmap going forward, ESNI is one of the top rated choices) I think I will get a better understanding of things once your HOWTO becomes real and we can play and see what it entails. Here's some initial comments in the mean time:
|
|
Thanks for the helpful feedback. |
|
I'm (currently) minded to explore DoH first, as this gives privacy in transit. |
|
Makes perfect sense for a start, and for example Firefox still only supports ESNI when using DoH. |
|
@bagder, as you put it, "We need to discuss how to make curl pull the required data off DNS for ESNI." Where is best: here, on curl-library list, offline in P2P email, or somewhere I haven't thought of? |
|
@sftcd is following up on point 1 above. I've dealt with point 2, but will hold off on updating the branch that this PR depends on, likely at least until ESNI data is being fetched from DNS within libcurl. |
|
The curl-library list is the best place for discussions, questions and brain storming. |
|
This PR is just for reserving a code-point and implementing configuration- and build-time support for it. I don't expect to make further changes, unless to correct code-point collisions as in 5265d94. |
|
|
|
Thanks. Okay, I'm game. Let's work on getting this PR merged as a foundation to ease the ongoing work of getting the rest of the ESNI work going. |
bagder
changed the title
|
Great. In docs/libcurl/symbols-in-versions, a release number is needed (instead of DUMMY) for when the symbol CURL_VERSION_ESNI will have been introduced. Should I update the PR with a real number, or is this something you would usually do afterwards? If the former, I'll need you to tell me the number. You've dealt with item 3 (removing the [WIP] prefix. I should look after item 2. |
|
Go with |
|
AppVeyor failures don't look like they have to do with this PR. Trying rebase ... |
…WORK-README.md will likely disappear when merged into here.
|
Yes, the appveyor failure is unrelated. |
|
Thanks. You'll notice that I did some minor edits before merge. |
|
Great. Thanks for your patience with all the learning I had to do to get this far; next PR should be easier as a result. It will have enough function for an enthusiast to demonstrate interoperability against an ESNI-aware server. |
TLS: Provide ESNI support framework for curl and libcurl
The proposed change provides a framework to facilitate work to
implement ESNI support in curl and libcurl. It is not intended
either to provide ESNI functionality or to favour any particular
TLS-providing backend. Specifically, the change reserves a
feature bit for ESNI support (symbol
CURL_VERSION_ESNI),implements setting and reporting of this bit, includes dummy
book-keeping for the symbol, adds a build-time configuration
option (
--enable-esni), provides an extensible check forresources available to provide ESNI support, and defines a
compiler pre-processor symbol (
USE_ESNI) accordingly.Proposed-by: @niallor (Niall O'Reilly)
Encouraged-by: @sftcd (Stephen Farrell)
See-also: this message
Limitations:
to specific work in progress (described here) to implement ESNI for OpenSSL,
as this is the immediate motivation for the proposed change.