Proposal Details
The existing implementation has no support for GREASE.
I tried to simulate GREASE by setting a fake, but well-formed ECH Config list in tls.TLSConfig.EncryptedClientHelloConfigList, but that doesn't work. According to the draft, if the client offers ECH, and the server doesn't accept it, the client must abort the connection with an "ech_required" alert:
If both authentication and the handshake complete successfully, the client MUST perform the processing described below then abort the connection with an "ech_required" alert before sending any application data to the server.
We need an explicit GREASE option to make the client ignore those as per https://www.ietf.org/archive/id/draft-ietf-tls-esni-25.html#name-client-greasing.
BoringSSL has SSL_set_enable_ech_grease, so the support should be easy to add.
(Edit: it doesn't seem like Go uses BoringSSL)
I propose:
type Config struct {
	...
	EncryptedClientHelloGREASEDisable bool
}

That way, the TLS client will always do GREASE if the ECHConfigList is not set, and people can disable it if needed.
ECH GREASE should be enabled by default, because people won't be aware of the need to disable it, and the ECH connections will stick out, leaking traffic information.
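The workaround described at the top of the proposal, a fake but well-formed ECH config list, is easier to reason about with the wire format in front of you. The following is an added example, not code from the issue author or from Go's crypto/tls: it builds an ECHConfigList around a freshly generated X25519 key that no server holds, then parses it back with the bounds checks a client needs. The structure and constant values (version 0xfe0d, KEM 0x0020, KDF 0x0001, AEAD 0x0001) are assumed from draft-ietf-tls-esni and RFC 9180; the names `BuildFakeECHConfigList`, `EncodeECHConfigList` and `ParseECHConfigList` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Wire-format constants assumed from draft-ietf-tls-esni and RFC 9180 (not from the issue).
const (
	echVersion     = 0xfe0d // ECHConfig.version in the current draft series
	hpkeKEMX25519  = 0x0020 // DHKEM(X25519, HKDF-SHA256)
	hpkeKDFSHA256  = 0x0001 // HKDF-SHA256
	hpkeAEADAES128 = 0x0001 // AES-128-GCM
)

// ECHConfig holds the fields of one draft-version ECHConfig; a single cipher suite is kept,
// which is all a decoy config needs.
type ECHConfig struct {
	ConfigID   uint8
	KEMID      uint16
	PublicKey  []byte
	KDFID      uint16
	AEADID     uint16
	MaxNameLen uint8
	PublicName string
}

// BuildFakeECHConfigList mimics the workaround from the issue: a syntactically valid list whose
// key belongs to nobody, so a client configured with it offers ECH that no server can decrypt.
func BuildFakeECHConfigList(publicName string) ([]byte, *ECHConfig, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var id [1]byte
	if _, err := rand.Read(id[:]); err != nil {
		return nil, nil, err
	}
	cfg := &ECHConfig{ConfigID: id[0], KEMID: hpkeKEMX25519, PublicKey: priv.PublicKey().Bytes(),
		KDFID: hpkeKDFSHA256, AEADID: hpkeAEADAES128, MaxNameLen: 0, PublicName: publicName}
	return EncodeECHConfigList(cfg), cfg, nil
}

func putU16(w *bytes.Buffer, v int) { w.WriteByte(byte(v >> 8)); w.WriteByte(byte(v)) }

// EncodeECHConfigList serialises one ECHConfig inside an ECHConfigList:
// ECHConfigList = opaque ECHConfig<1..2^16-1>; ECHConfig = uint16 version, uint16 length, contents.
func EncodeECHConfigList(cfg *ECHConfig) []byte {
	var c bytes.Buffer
	c.WriteByte(cfg.ConfigID)               // HpkeKeyConfig.config_id
	putU16(&c, int(cfg.KEMID))              // HpkeKeyConfig.kem_id
	putU16(&c, len(cfg.PublicKey))          // HpkeKeyConfig.public_key<1..2^16-1>
	c.Write(cfg.PublicKey)
	putU16(&c, 4)                           // cipher_suites<4..2^16-4>: one (kdf_id, aead_id) pair
	putU16(&c, int(cfg.KDFID))
	putU16(&c, int(cfg.AEADID))
	c.WriteByte(cfg.MaxNameLen)             // maximum_name_length
	c.WriteByte(byte(len(cfg.PublicName)))  // public_name<1..255>
	c.WriteString(cfg.PublicName)
	putU16(&c, 0)                           // extensions<0..2^16-1>: none
	var out bytes.Buffer
	putU16(&out, 4+c.Len())                 // outer list length covers version+length+contents
	putU16(&out, echVersion)
	putU16(&out, c.Len())
	out.Write(c.Bytes())
	return out.Bytes()
}

// cursor is a tiny bounds-checked reader; the first short read sticks as an error.
type cursor struct {
	b   []byte
	err error
}

var errShort = errors.New("echconfiglist: truncated")

func (c *cursor) take(n int) []byte {
	if c.err == nil && (n < 0 || n > len(c.b)) {
		c.err = errShort
	}
	if c.err != nil {
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}
func (c *cursor) u8() uint8 {
	if v := c.take(1); len(v) == 1 {
		return v[0]
	}
	return 0
}
func (c *cursor) u16() uint16 {
	if v := c.take(2); len(v) == 2 {
		return binary.BigEndian.Uint16(v)
	}
	return 0
}

// ParseECHConfigList decodes a list, skipping configs whose version it does not know
// (the draft tells clients to ignore those) and rejecting anything malformed.
func ParseECHConfigList(list []byte) ([]ECHConfig, error) {
	top := &cursor{b: list}
	body := top.take(int(top.u16()))
	if top.err != nil || len(top.b) != 0 {
		return nil, errors.New("echconfiglist: bad outer length")
	}
	var out []ECHConfig
	c := &cursor{b: body}
	for len(c.b) > 0 {
		version := c.u16()
		raw := c.take(int(c.u16()))
		if c.err != nil {
			return nil, errors.New("echconfiglist: truncated ECHConfig")
		}
		if version != echVersion {
			continue
		}
		cc := &cursor{b: raw}
		var cfg ECHConfig
		cfg.ConfigID = cc.u8()
		cfg.KEMID = cc.u16()
		cfg.PublicKey = cc.take(int(cc.u16()))
		suites := cc.take(int(cc.u16()))
		if cc.err != nil || len(suites) < 4 || len(suites)%4 != 0 {
			return nil, errors.New("echconfiglist: bad HpkeKeyConfig")
		}
		cfg.KDFID = binary.BigEndian.Uint16(suites[0:2])
		cfg.AEADID = binary.BigEndian.Uint16(suites[2:4])
		cfg.MaxNameLen = cc.u8()
		cfg.PublicName = string(cc.take(int(cc.u8())))
		cc.take(int(cc.u16())) // extensions are skipped here
		if cc.err != nil || len(cc.b) != 0 || len(cfg.PublicKey) == 0 || cfg.PublicName == "" {
			return nil, errors.New("echconfiglist: bad ECHConfigContents")
		}
		out = append(out, cfg)
	}
	return out, nil
}

func main() {
	list, cfg, err := BuildFakeECHConfigList("public.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("config_id=%d public_name=%s\n%s\n", cfg.ConfigID, cfg.PublicName, hex.EncodeToString(list))
}
```

Handing the encoded list to `tls.Config.EncryptedClientHelloConfigList` is exactly the experiment the issue describes: the client will offer ECH, and because the private half of the key exists nowhere, any honest server can only reject it, which under the draft's rules ends in the ech_required abort the author hit. That is the gap the proposal closes: a GREASE mode sends a decoy of the same shape but treats rejection as the expected outcome instead of a failure.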