Support ECH/ESNI #546
This draft should be read before implementing it: https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/ Also, both of them are drafts, so they should probably be avoided in production.

@lanodan no, it should not be avoided. This enables GFW circumvention and needs to be rolled out immediately.

Since #228 was implemented, is there still anything blocking this?
On Mon, Oct 19, 2020 at 10:40:52AM -0700, Henning Häcker wrote:

> Since #228 was implemented, is there still anything blocking this?

@hacker-h: Thanks for the pointer. We're of course aware of it.

The ECH/ESNI and HPKE drafts are still fast moving targets as can be seen on GH and on the ietf-tls mailing lists, e.g.:

https://github.com/tlswg/draft-ietf-tls-esni/issues
https://github.com/tlswg/draft-ietf-tls-esni/graphs/commit-activity

This will have to settle down quite a bit before it makes sense to even think about tackling it. Even if it were top priority, it would be hard to keep up with the constant stream of changes. In any case, it will require a non-trivial amount of work.
BoringSSL supports ECH now, as it is able to be used with Nginx in a work-in-progress fork/patchset. There is already a PR for supporting it in OpenSSL. I am currently stuck with using AWS-LC/BoringSSL for my reverse proxy because LibreSSL does not support ECH.

curl landed ECH support in curl/curl@a362962 via curl/curl#11922. It supports both BoringSSL (
Encrypted SNI is on the standards track and is already being deployed by big players.
Draft RFC: https://tools.ietf.org/html/draft-ietf-tls-esni-04