ECH Playground

Try using ECH (Encrypted Client Hello) for TLS-based proxies.

Status

• Binary valid
• Dockerfile vaild
• Configure HAProxy
• Configure Certbot
• Publish Image kwaabot/haproxy

HAProxy + NaiveProxy

I compiled ECH-enabled OpenSSL and HAProxy as instructed in esnistuff/haproxy.md, and you can get the x86_64 binaries and Dockerfile from the haproxy folder of this repo.

Once I confirm that it works, I'll make the image available through GitHub Actions.

Meanwhile, the NaiveProxy client does not appear to support ECH at this time. (naiveproxy#314)

HAProxy Config

TODO

NaiveProxy Config

Use the same configuration as HAProxy Setup.

{
  "listen": "http://127.0.0.1:{{port}}",
  "padding": true
}

Docker Compose

TODO

Useful links

• ECH (Encrypted client hello) support · Issue #1924 · haproxy/haproxy
• Will Encrypted client hello be supported at both the client and server side? · Issue #314 · klzgrad/naiveproxy
• Developing ECH for OpenSSL (DEfO)
• Experiences with implementing and deploying ECH
• sftcd/openssl-[ECH-draft-13a]
• sftcd/haproxy-[ECH-experimental]
• esnistuff