
Request for new feature branch: Encrypted Client Hello (ECH) #730

Closed
sftcd opened this issue Jun 24, 2024 · 4 comments
@sftcd

sftcd commented Jun 24, 2024

Encrypted Client Hello (ECH) is a privacy-enhancing extension to the TLS handshake that has been developed in the IETF TLS WG. The specification has undergone WG last call and should subsequently become an RFC in the not too distant future. ECH is currently implemented in browsers and is enabled by default. The boringssl and NSS implementations of TLS now include ECH and some other TLS libraries also have implementations. ECH for OpenSSL was previously discussed in openssl/openssl#7482 and #892.

Over the last few years, we have developed an ECH implementation that interoperates with browsers and other servers implementing ECH. The "development" branch for that is here. That implementation is fully-featured and includes test code but has not been reviewed by project members.

We also prepared a PR openssl/openssl#22938 but that has not so far been reviewed, perhaps primarily due to its size. Unfortunately, ECH is a complex protocol change and affects many parts of the TLS implementation, leading to a PR that is likely too large to review within the 6-monthly release cadence. Hence the request for a feature branch.

We have some funding (from OTF) that covers my work to further develop this ECH implementation and to work with the project team, e.g. in response to reviews. (See https://defo.ie for details.) ECH code from that project has been added to curl as an experimental feature. We have proof-of-concept integrations of our ECH implementation with haproxy, apache, nginx and lighttpd. We also maintain a CI setup for our ECH code at https://github.com/defo-project/ that does a daily merge of our ECH-enabled code with relevant upstreams and alerts us whenever merge issues arise. (So rebasing the proposed feature branch will be almost no cost.)

Reviewing this feature branch will require a commitment of time and effort from project team members.

If it makes sense to not name the feature branch "ECH" then fwiw we've used "ECH-experimental" as the name of the branches in other cases.

@arapov
Member

arapov commented Jun 26, 2024

+1

@levitte
Member

levitte commented Jun 26, 2024

+1

@mattcaswell
Member

This has been approved.

@t8m - please could you create the branch?

@t8m
Member

t8m commented Jun 26, 2024

https://github.com/openssl/openssl/tree/feature/ech branch created

@t8m t8m closed this as completed Jun 26, 2024
@github-project-automation github-project-automation bot moved this from New to Done in Project Board Jun 26, 2024