ECH-PR

[sftcd]

This PR contains an implementation of Encrypted ClientHello (ECH) as specified in the IETF's TLS working group
Internet-draft. As noted in the minutes of a recent IETF meeting, the spec is on the cusp of working group last call, and should become an RFC in the new year. This PR responds to this issue.

The OpenSSL project's policy of course is to not merge such PRs until the RFC issues, which is entirely reasonable. In this case, unfortunately, the PR is (ahem;-) pretty BIG, so as review will likely take some time, I'm opening the PR now in the hope that the stars roughly align and the PR will be sufficiently reviewed and in a suitable state to be merged at about the time the RFC issues.

Development of this PR has been funded by the OTF in the DEfO project which is currently funded for another ~18 months, so we should be able to respond to reviews and continue development of this code until it's part of an OpenSSL release assuming all goes well. (Even if all doesn't go well and it takes longer, we'll still be about:-)

ECH is currently shipping in browsers and is no longer behind a flag. This code successfully interoperates with current browser releases. As part of the DEfO project, we have developed proof-of-concept integrations for ECH with curl, haproxy, apache2, nginx and lighttpd all of which seem to interoperate. This PR also supports the so-called "split-mode" for ECH and the nginx and haproxy integrations can make use of that. More details can be found on the DEfO web site. As the TLS WG have decided to register the ECH extension code-points that are currently in use in browsers and this code, we don't expect to see protocol changes that would affect interop between now and when the RFC issues.

Given that this is a pretty huge PR, I've tried to make it a little easier to review by grouping the changes into a smallish number of related commits, those are:

• ECH: docs and similar
• ECH: command line changes
• ECH: internals - build artefacts
• ECH: internals - library tweaks
• ECH: extensions/state machine changes
• ECH: new ECH internals
• ECH: test code and related

As posted, this PR passes almost all the CI build tests (there's one cross-compile error I don't understand, and some of the newer ABI diff stuff I'm not sure how to fix). I've not so far done code-coverage testing, as I expect that'll be better done when we're closer to being in a position to merge.

Apologies again that this is so big - we tried and failed to find ways to break it up into meaningful smaller PRs. It's probably just in the nature of the kind of change ECH represents that that's not really doable. I look forward to
responding to any and all review comments as this PR is reviewed.

Checklist

• documentation is added or updated
• tests are added or updated

[t8m]

The libcrypto.num and libssl.num changes looks just wrong. Please reset the libcrypto.num and libssl.num files to pristine from the master branch and run make update.

[sftcd]

The libcrypto.num and libssl.num changes looks just wrong. Please reset the libcrypto.num and libssl.num files to pristine from the master branch and run make update.

Ah! So make update does that? Great, and thanks. (The number of times I've manually edited those while rebasing;-). Will do that. Is it better to do that now or wait and batch up a bunch of changes once I've gotten more feedback? (I'm fine with either.)

[t8m]

Please do that. I want to verify that the ABIDIFF check will detect the changes.

[sftcd]

Please do that. I want to verify that the ABIDIFF check will detect the changes.

Did that, looks like it passed the ABIDIFF one?

[t8m]

It shows that there is an ABI change and that is reflected by the label.
https://github.com/openssl/openssl/actions/runs/7115342092/job/19371275333?pr=22938

[sftcd]

It shows that there is an ABI change and that is reflected by the label. https://github.com/openssl/openssl/actions/runs/7115342092/job/19371275333?pr=22938

Just checking: that's the expected outcome given new APIs are being added isn't it? (If not, I'm confused:-)

[t8m]

Just checking: that's the expected outcome given new APIs are being added isn't it? (If not, I'm confused:-)

Yes. I am just saying that the label is just indication of an ABI change. If that ABI change is OK or not has to be carefully reviewed. Also that the ABIDIFF output in the CI job might give some hints.

[hlandau]

Thanks for your work on this. I'd like to see this.

However, realistically, this is too big to land as one PR.

I think the way forward here is for you to create a subset of this PR implementing only the minimum viable functionality for ECH on the client side only.

If my reading of your design document is correct, this means providing only the following APIs (at most, preferably less):

int SSL_ech_set1_echconfig(SSL *s, const unsigned char *val, size_t len);
int SSL_CTX_ech_set1_echconfig(SSL_CTX *ctx, const unsigned char *val,
                               size_t len);
int SSL_CTX_ech_set_outer_alpn_protos(SSL *s, const unsigned char *protos,
                                      unsigned int protos_len);
int SSL_ech_set_outer_server_name(SSL *s, const char *outer_name, int no_outer);
int SSL_ech_get_retry_config(SSL *s, unsigned char **ec, size_t *eclen);
int SSL_ech_get_status(SSL *s, char **inner_sni, char **outer_sni);

void SSL_ech_set_callback(SSL *s, SSL_ech_cb_func f);
void SSL_CTX_ech_set_callback(SSL_CTX *ctx, SSL_ech_cb_func f);

#define SSL_OP_ECH_IGNORE_CID                           SSL_OP_BIT(36)

Command line tool updates, and convenience functionality (e.g. to allow clients to calculate ECH configs) can also be omitted in this initial PR. The idea is a MVP PR which makes client-side usage feasible, not necessarily easy.

[sftcd]

Hiya,

On 18/12/2023 09:34, Hugo Landau wrote: Realistically, this is too big to land as one PR.

Yep, it's gigantic;-( If there's a way to split it into multiple PRs that makes sense and will help get things done, I'm happy to try take such a route. I'm not sure there is really though, but let's explore the one you've suggested...

I think the way forward here is for you to create a subset of this PR implementing only the minimum viable functionality for ECH on the client side only.

So how'd one test that? (I'm assuming that a PR that can't be shown to work is a non-starter, even if it's part of a series that overall ends up demonstrably working.) I think by the time you had a working client with test code for the server you'd be back at a nearly-as-big PR. Or were you thinking of something else? I'm assuming that merging client code that can only be tested via non-merged application layer code against the CF test server or one of my test servers wouldn't be ok to merge. But maybe that's not a good assumption? (BTW, if splitting into functionally different PRs is the way to go, I think I'd argue to start with the server, that's a bit simpler in terms of the number of existing files touched, could at least be tested from a released browser, and having those APIs more settled would help with trying to upstream changes to e.g. web servers, which I think is more pressing, time-wise, than stability for the equivalent client-side APIs.)

If my reading of your design document is correct, this means providing only the following APIs (at most, preferably less): ```c int SSL_ech_set1_echconfig(SSL *s, const unsigned char *val, size_t len); int SSL_CTX_ech_set1_echconfig(SSL_CTX *ctx, const unsigned char *val, size_t len); int SSL_CTX_ech_set_outer_alpn_protos(SSL *s, const unsigned char *protos, unsigned int protos_len); int SSL_ech_set_outer_server_name(SSL *s, const char *outer_name, int no_outer); int SSL_ech_get_retry_config(SSL *s, unsigned char **ec, size_t *eclen); int SSL_ech_get_status(SSL *s, char **inner_sni, char **outer_sni); void SSL_ech_set_callback(SSL *s, SSL_ech_cb_func f); void SSL_CTX_ech_set_callback(SSL_CTX *ctx, SSL_ech_cb_func f); #define SSL_OP_ECH_IGNORE_CID SSL_OP_BIT(36) ``` Command line tool updates, and convenience functionality (e.g. to allow clients to calculate ECH configs) can also be omitted in this initial PR. The idea is a MVP PR which makes client-side usage feasible, not necessarily easy.

There are some client-side things that could be removed (e.g. ``ossl_ech_find_echconfigs()``) but taking all that and the command line stuff out, doesn't really reduce the size to something that much more manageable. (Not saying we shouldn't, but just not sure how much it'll help by itself.) Cheers, S.

[hlandau]

I think by the time you had a working client with test code
for the server you'd be back at a nearly-as-big PR. Or were you
thinking of something else? I'm assuming that merging client
code that can only be tested via non-merged application layer
code against the CF test server or one of my test servers wouldn't
be ok to merge. But maybe that's not a good assumption?

I don't see the issue here. IMO an existing ECH server is an acceptable test target.

See 95-test_external_cf_quiche.t for an example of how we did this with QUIC.

[sftcd]

I don't see the issue here. IMO an existing ECH server is an acceptable test target.

Hmm. Interesting. Happy to take a look again at what it'd be like splitting into multiple PRs. That said, and while I don't doubt your advice, I'd be a bit happier putting in that chunk of effort if other maintainers also figured this was a good path forward...

[hlandau]

That said, and while I don't doubt your advice, I'd be a bit happier putting in that chunk of effort if other maintainers also figured this was a good path forward...

Absolutely — it would be good to have a second opinion here.

[t8m]

@sftcd given you've already a working implementation and that an interop test would be if not mandatory then very much welcome, I'd say doing what Hugo suggests would definitely make sense to me.

[sftcd]

OK, I'll take a look at splitting into separate PRs with external tooling for tests and get back here. Given the time of year that'll likely take a while (I'm also looking at fuzzing as discussed earlier). Meanwhile, I'd still appreciate any comments if someone wants to delve into the code changes - those won't be much affected by a split into >1 PR.

[sftcd]

So I've taken a look at splitting the PR into 3: server, client and extras (in that order, each building on the earlier) and while I fear it'll feel a bit like treading a treacle torus (in that I'll end up where I started after loadsa trudging;-) I can see that'll make review/landing more tractable, and refactoring generally does improve things, so I'm up for giving it a shot.

Two asks first though:

1. I'd like to get some review of the internal data structures now(ish) if possible, as those are used by both client and server so if maintainers prefer changes to those (I suspect some will be, just on the basis that that's always true:-) then it'd be way better to know that now. Those are basically the typedefs in include/internal/ech_local.h so if it were possible to get eyeballs on those before splitting the PR that'd really help. I figure it should be possible to get good review of those, as they are, from folk who know OpenSSL internals, and have a reasonably good idea of the ECH protocol. (Could be a fine over-the-holidays way to spend an hour:-) My main reason for asking this is that if we stick with using the same typedefs for both server and client, the 1st PR (server), will likely involve at least some housekeeping code that'll only be used by clients in the end.

2. The project policy of only merging after the RFC issues might be more of an issue with multiple, staged PRs - given everything takes a while, that staging could easily add a year, so is there any way the project would be ok with e.g. merging the 1st PR (server, once that's gotten normal approvals) even if the RFC hasn't quite issued (but is clearly on the way)? I guess that'd need an OTC discussion/decision so could we tee that up for an early new year OTC meeting? (Or whatever's the right process.) A hint at a positive answer there would make it easier to keep the wellies on and persist in treacle-trudging:-)

Sound reasonable?

[Kichura]

Makefile:3686: build_sw got an error code 2 in the m68k-linux-gnu workflow, you might wanna check upon this little detail.

EDIT: Makefile:30897: test/ssl_old_test has an error code of 1.

[sftcd]

Makefile:3686: build_sw got an error code 2 in the m68k-linux-gnu workflow, you might wanna check upon this little detail.

EDIT: Makefile:30897: test/ssl_old_test has an error code of 1.

Yeah, I've no idea about that one tbh, so hints welcome!

this links to a build log for that, the meaty part of which says:

libcrypto.a(libcrypto-lib-hpke_util.o): in function `ossl_hpke_labeled_extract':
hpke_util.c:(.text+0x702): relocation truncated to fit: R_68K_GOT16O against `__func__.3'
libcrypto.a(libcrypto-lib-params.o): in function `OSSL_PARAM_set_octet_string':
params.c:(.text+0x2cea): relocation truncated to fit: R_68K_GOT16O against `__func__.[5](https://github.com/sftcd/openssl/actions/runs/7276480816/job/19826437375#step:9:6)'
params.c:(.text+0x2d5c): relocation truncated to fit: R_[6](https://github.com/sftcd/openssl/actions/runs/7276480816/job/19826437375#step:9:7)8K_GOT16O against `__func__.5'
libcrypto.a(libcrypto-lib-passphrase.o): in function `ossl_pw_get_passphrase':
passphrase.c:(.text+0x4e4): relocation truncated to fit: R_68K_GOT16O against `.LC4'
libcrypto.a(libcrypto-lib-t_x509.o): in function `ossl_x509_print_ex_brief':
t_x509.c:(.text+0xe3a): relocation truncated to fit: R_68K_GOT16O against `.LC42'
libcrypto.a(libcrypto-lib-x_pubkey.o): in function `ossl_i2d_DH_PUBKEY':
x_pubkey.c:(.text+0x14fe): relocation truncated to fit: R_68K_GOT16O against `__func__.[7](https://github.com/sftcd/openssl/actions/runs/7276480816/job/19826437375#step:9:8)'
libcrypto.a(libdefault-lib-cipher_aes.o): in function `aes_cbc_cts_set_ctx_params':
cipher_aes.c:(.text+0xd42): relocation truncated to fit: R_6[8](https://github.com/sftcd/openssl/actions/runs/7276480816/job/19826437375#step:9:9)K_GOT16O against `.LC2'
libcrypto.a(libdefault-lib-cipher_aes.o): in function `aes_cbc_cts_get_ctx_params':
cipher_aes.c:(.text+0xe06): relocation truncated to fit: R_68K_GOT16O against `.LC2'
libcrypto.a(libdefault-lib-cipher_aes.o): in function `aes_cbc_cts_dinit':
cipher_aes.c:(.text+0xf6a): relocation truncated to fit: R_68K_GOT16O against `.LC2'
libcrypto.a(libdefault-lib-cipher_aes.o): in function `aes_cbc_cts_einit':
cipher_aes.c:(.text+0x102e): relocation truncated to fit: R_68K_GOT16O against `.LC2'
libcrypto.a(libdefault-lib-encode_key2any.o): in function `ec_to_EncryptedPrivateKeyInfo_pem_encode':
encode_key2any.c:(.text+0x[9](https://github.com/sftcd/openssl/actions/runs/7276480816/job/19826437375#step:9:10)0fc): additional relocation overflows omitted from the output
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:30989: test/ssl_old_test] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:3679: build_sw] Error 2
Error: Process completed with exit code 2.

[sftcd]

@sftcd given you've already a working implementation and that an interop test would be if not mandatory then very much welcome, I'd say doing what Hugo suggests would definitely make sense to me.

So (after holidays:-), I've started on this. So far I've got a basic external test using boringssl that runs it's client vs the openssl server and vice versa. That's here and seems to work - comments are welcome. Next step is to do some kind of split into ECH server, client and extras that could each be a separate PR. That'll take a bit of time maybe as it'll call for some possibly extensive refactoring of code I'm sure. (I've not updated this PR yet with that, will think about whether it'll be better to close this and open new ones or to keep this PR number for the first of those.)

[FdaSilvaYY]

Very short review

[FdaSilvaYY]

32 Octets...

[sftcd]

Actually I think the "32 octet" is correct there, as the "minima" is the plural. But maybe my grammar's wrong too;-)

[FdaSilvaYY]

I remember seeing written "octets" few lines below, no ?

[sftcd]

yep, but I think the grammar in both cases is correct tbh

[sftcd]

I made the above changes to a rebased dev branch that I've pushed to github - will push to this branch in a bit. (Late here now.)

[sftcd]

Huh, I seem to have accidentally closed the PR when pushing to it.... will fix and reopen when I figure out how:-)

[sftcd]

I think I undid that bad push so hopefully the PR is now up to date with those changes from yesterday and rebased..

[FdaSilvaYY]

needs more review, will continue later .

[FdaSilvaYY]

Typo : acccpt

[sftcd]

done

[FdaSilvaYY]

typo: fucntion

[sftcd]

done

[FdaSilvaYY]

const PACKET *newpkt ?

[sftcd]

sure, seems ok

[FdaSilvaYY]

or if ?

[sftcd]

done

[FdaSilvaYY]

form or from ?

[sftcd]

form is right, but string-form is better so did that (same in a few other places)

[FdaSilvaYY]

nit: indentation ?

[sftcd]

sure (though indentation in that file seems all over the place)

[FdaSilvaYY]

ossl_... is the prefix for internals methods, not for public ones.

[sftcd]

yep, I made that change in response to Viktor's review (here)

[FdaSilvaYY]

the ending ```\n ...

[sftcd]

sure

[FdaSilvaYY]

nit: space around !=

[sftcd]

That's all under a #if 0 so I just took it out. (Probably a remnant from the HPKE PR which originated in this code too.)

[FdaSilvaYY]

is early_data dependent of ECH ?
Else the #endif should move up, no ?

[sftcd]

Not dependent, no. I just added that as it made reading logs easier when I was testing and kept it within the ifdef , but sure, moving it out is better so did that.

[FdaSilvaYY]

another few remarks.

[FdaSilvaYY]

nit: space after comma.

[sftcd]

done

[FdaSilvaYY]

I remember some documentation writing guidelines stating that :

• do not write using short forms like `don't' .

[sftcd]

Sure - reworded that. (The curl build actually has a linter that objects to that and other usage they don't like;-)

[FdaSilvaYY]

nit : its modification time.

[sftcd]

done

[FdaSilvaYY]

General remark: you are almost using only POD data type as method arguments types.

If I was you, i will replace all the pairs of (buffer, length) arguments
with a dedicated simple structure like this :

typedef struct binbuf_t {
   size_t len;
   unsigned char* data;
} BINBUF;

This will factorize and reduce the amount of "basic shores" code, imho.
Unless the project already have this kind of datatype, i will not use it publicly.

[sftcd]

Hmm - defining a BINBUF struct like the above seems like either a big change that ought be used in loads of places, or else creating an oddity for ECH. Given many other OpenSSL APIs use pairs of unsigned char * and a size_t to represent buffers, I'd say leaving this as-is is better. (Unless of course I'm misinterpreting your comment:-)

[FdaSilvaYY]

typo : conists

[sftcd]

done

[FdaSilvaYY]

doc : better check each session mention as it seems that a rename/refactoring has occured with QUIC support

[sftcd]

yeah, hopefully I got all those now in the various files

[FdaSilvaYY]

nit : useless #ifndef ... as there is no code inside.

[sftcd]

I think I convinced myself at some stage there may be a crash there and added the comment to remind me to check with some unsupported extension. For the moment, I've added a TODO to make such a test - could be I was wrong in the first place, or something's been fixed since.

[FdaSilvaYY]

nit: one indent far !

[sftcd]

ah, some tab chars, fixed

[FdaSilvaYY]

nit: you may format this block on 80 cols instead of 54 ?
Or there is a reason to keep it narrow ?

[sftcd]

no reason, re-formatted

[FdaSilvaYY]

'uint8' ( or uint8_t ?) is already used in current codebase.

[sftcd]

I think I had that at one stage but changed back for some reason (maybe one of the ports run in the workflows) but I don't recall. I've added a TODO to look again at the types used in ECHConfig and ECHConfigList ('cause as you say other structs do use uint16_t etc now).

[sftcd]

So I checked this out and I think those types are best left as-is. As a test I changed the version field to be a uint16_t but then that generates compile warnings such as the one below due to the PACKET APis dealing with unsigned ints. I'd argue that making such changes would therefore just add lots of casts that could be more error-prone and no real benefit, other than slightly smaller storage for structs which are not expected to be big in real use-cases anyway.

ssl/ech.c: In function 'ECHConfigList_from_binary':
ssl/ech.c:801:40: warning: passing argument 2 of 'PACKET_get_net_2' from incompatible pointer type [-Wincompatible-pointer-types]
  801 |             || !PACKET_get_net_2(&pkt, &ec->version)
      |                                        ^~~~~~~~~~~~
      |                                        |
      |                                        uint16_t * {aka short unsigned int *}
In file included from ssl/ssl_local.h:32,
                 from ssl/ech.c:11:
include/internal/packet.h:150:75: note: expected 'unsigned int *' but argument is of type 'uint16_t *' {aka 'short unsigned int *'}
  150 | __owur static ossl_inline int PACKET_get_net_2(PACKET *pkt, unsigned int *data)

[sftcd]

I replaced the TODO I'd put in for this with a comment reflecting the above. Will push that next time.

[FdaSilvaYY]

Few more comments.
I suggest you extract as separated commits :

• autogenerated files
• fuzzer tests

[FdaSilvaYY]

typo: connecction

[sftcd]

done

[FdaSilvaYY]

nit: static const ?

[sftcd]

yep probably should be so did that

[FdaSilvaYY]

This return will create a leak of hpkt and hpkt_mem .

[sftcd]

good catch, fixed

[FdaSilvaYY]

Do you really need to clear this content ?
And why this free() function don't free the passed object ?

[sftcd]

The memset() isn't really needed no, but did help debugging earlier.
As to why not free the passed object, it's because there can be an array of 'em, so the higher level code does that.

[FdaSilvaYY]

Your free() functions should really free his argument.
Else you are on way to a lot of confusion.

[sftcd]

Same reason as above - there can be an array, so higher level code frees that.

[FdaSilvaYY]

In the current codebase, arrays are managed using the STACK_OF() api.
The STACK_OF(...)_pop_free() method will do the array memory release.

[FdaSilvaYY]

You may add a second parameter to return the readbytes value.

[sftcd]

Could do, but as it returns a string, using strlen() on that seems ok, esp. for test code.

[FdaSilvaYY]

I prefer to avoid calling strlen() when you already know/compute the result.

[sftcd]

Few more comments.

Many thanks for all those - given this code's been under development for quite a while, it's great to get more eyeballs on it to spot things like you've done above.

I suggest you extract as separated commits :

• autogenerated files
• fuzzer tests

I'll look at that later if that's ok and push up the above changes first (shortly), then go over the various TODOs added in response to comments above.

[sftcd]

Commits above include all the obvious fixes from above and the TODOs mentioned. That does seem to have some kind of build problem with curl though so looking at that before the TODOs.

[FdaSilvaYY]

Can you push fixup commits ?

[FdaSilvaYY]

nits: const int ...

[sftcd]

done

[FdaSilvaYY]

If this condition is true, you already have an OOB read on previous line.

[sftcd]

well spotted! actually though that check (on 3259) is redundant as it was checked already on 3255 (just before the snippet quoted) so there's not OOB issue and I've removed the redundant check now.

[FdaSilvaYY]

it is a JavaDoc (or Doxygen ?) syntax to highlight any parameter or variable name.

[FdaSilvaYY]

I prefer to avoid calling strlen() when you already know/compute the result.

[FdaSilvaYY]

a static variable who is unused should be removed, no ?

[sftcd]

That's a pattern in many of the fuzz/*.c files I just copied, e.g. here

[FdaSilvaYY]

In the current codebase, arrays are managed using the STACK_OF() api.
The STACK_OF(...)_pop_free() method will do the array memory release.

[FdaSilvaYY]

Comment is off-topic.

[sftcd]

did s/ev/tbf/ in the function prototype to fix that

[sftcd]

Can you push fixup commits ?

Sorta, but maybe not;-) What I'm current doing is making changes in my "main" local branch (ECH-draft-13c) and then I have a script to update this PR from that. We also have a CI thing (here) that does a nightly merge with upstream and build for openssl and each of the web servers for which we've done PoC ECH integrations that is also fed from the ECH-draft-13c branch (manually, when interesting changes have happened or we need to fix something to handle merge issues with upstream). So it's easier for me, for now, to follow that workflow. When/if we get this PR closer to something that may be merged, then I guess it'll be better to switch to treating this branch as the "main" one, but I guess we're not there yet.

[sftcd]

@FdaSilvaYY said (in connection with how >1 ECHConfig is handled in structs...)

In the current codebase, arrays are managed using the STACK_OF() api.
The STACK_OF(...)_pop_free() method will do the array memory release.

That's a fair point - I've not looked at using STACK_OF() but will do. That'd probably be a medium sized change (in terms of lines of code) so I've added a TODO to ssl/ech_local.h for that for now.

[FdaSilvaYY]

Question about GREASE : Is there any common parts with PR #19646 : Add RFC8701 GREASE Support

[sftcd]

Question about GREASE : Is there any common parts with PR #19646 : Add RFC8701 GREASE Support

Ah - didn't know about that one. GREASEing ECH is a little different (*) but there likely should be some commonality in APIs, especially as GREASEing, being a good idea to counter ossification, is being adopted as a mechanism by other protocols, (e.g. QUIC, MLS) so one could envisage general controls that'd work for more than just TLS or ECH. I'd be happy to collaborate on figuring that out if/when either PR is being handled. One possibility might be to move the ECH GREASEing API code to #19646 perhaps. (Search for GREASE in https://github.com/sftcd/openssl/blob/ECH-PR/doc/designs/ech-api.md for details.)

(*) GREASEing ECH is a little different, as GREASE'd ECH, as well as countering ossification, could be considered to be a partial/potential mitigation against the risk that e.g. nation-state censors would block all ECH - once browsers commonly emit GREASE'd ECH extension values (which they do now), then that should somewhat dis-incent some censors from just blocking all ECH. That difference does justify a more complex API so that non-browser applications have the ability to mimic then-current ECH GREASEing behaviour of e.g. a browser in order to be less likely to have their use of ECH blocked. Note though that in all this we're dealing with risks that are hard-to-impossible to quantify at coding time.

[openssl-machine]

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago

[openssl-machine]

This PR is in a state where it requires action by @openssl/otc but the last update was 92 days ago