-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto/tls: support server side Encrypted Client Hello #68500
Comments
I think most server operators who enable ECH will want to continue supporting non-ECH clients. I also think it will be desirable to use a hostname as both an ECH public name and a real SNI hostname. The proposed API makes this awkward by requiring the programmer to write a I'm not sure of the value in aborting a handshake if there is no ECH, since by that point, the private hostname has already been sent in the clear. There might be value in encouraging the user to use an ECH-supporting client for future connections, but that can be handled post-handshake by checking Note that the spec states that servers complete the handshake normally if no ECH extension is present (Section 7) and defines the To simplify configuration of a common case, and be more in line with the spec, I propose that For simplicity, I also propose removing This does mean that
Finally, for some bikeshedding - having both |
I'm not totally sure what the process is here, but wondering if there's anything that can be done to move this forward? |
This proposal has been added to the active column of the proposals project |
After re-reading the spec, I agree. I had confused the mandated client and server behavior. I think it makes sense to just transparently continue with the handshake if ECH fails, but we should probably unilaterally send the retry configs as suggested in the spec.
This seems reasonable. We still need to generate an ECHConfigList in order to send retry configs in the case of failure, but we can plausible just copy the public_name from the ServerName and use that. For multi-name setups, the user can support multiple configs using GetConfigForClient. I think there is still a problem with how to properly set maximum_name_length for multi-name servers, since we can only be aware of one name at a time. Plausibly we could add a new top-level field to Config for this?
Yeah I think |
@HurricanKai this is planned for 1.24, which is the next major feature release. It's tentatively scheduled for February 2025. |
With client support for ECH landing in 1.23, we should now move on to server side support, hopefully for 1.24.
After implementing client-side ECH, server-side seems a little more complicated, mainly from the configuration standpoint.
The more I think about it, the less I think we'll want to reuse the
EncryptedClientHelloConfigList
field we added for server-side support, since we need a mapping between configs and keys, and we'll likely want to provide some more options.Perhaps introducing a new struct
EncryptedClientHelloConfig
with ID, public name, and private key fields, and a newEncryptedClientHelloConfigs
field intls.Config
would be sufficient, hiding the rest of the HPKE cipher suite configuration etc as an internal implementation detail.Additionally we should probably include
func MarshalEncryptedClientHelloConfigList(configs []EncryptedClientHelloConfig) ([]byte, error)
to allow servers to generate the config list necessary for clients.Concretely the new API would be:
An open question for me is how we handle SNI requests for names not included in the
EncryptedClientHelloConfigs
list. I think I'm erring on the side of saying we reject the handshake, and document that if the user wishes to support both ECH and non-ECH handshakes, they should use not configureEncryptedClientHelloConfigs
in their top-levelConfig
and instead useGetConfigForClient
to only setEncryptedClientHelloConfigs
for names they explicitly want ECH for.See #63369 for the client side proposal we implemented.
The text was updated successfully, but these errors were encountered: