encrypted client hello (ECH) question

Mathew Heard mat999 at gmail.com
Thu Jun 1 12:14:36 UTC 2023


Pretty cool.

I'm still reading up on each but can this also be done for https
termination? Is the SSL pre-read limitation the main issue there?


On Thu, 1 Jun 2023, 9:31 pm Stephen Farrell, <stephen.farrell at cs.tcd.ie>
wrote:

>
> Hi all,
>
> I've been working on implementing TLS encrypted client hello
> (ECH, [1]) in the OpenSSL library (current branch at [2]).
> Apologies that this mail requires a bit of knowledge of
> what ECH does - I'd guess some folks on here will know that
> already but I'm happy to explain as needed.
>
> I have various proof of concept integrations for my code
> including with nginx (branch at [3]). Adding support for
> ECH when nginx terminates TLS was pretty straightforward
> but I have a question about whether the direction I've
> taken for ECH in "split-mode" is sensible or not.
>
> ECH "split-mode" is where nginx will do the ECH decryption
> but the TLS session is negotiated between the client and
> the upstream. I added some code [4] to the ssl preread
> stream module that does the ECH decryption of the initial
> ClientHello, then forwards on the decrypted ClientHello to
> the upstream. Again that was pretty easy and seems to work
> fine.
>
> The question that I have relates to when the TLS handshake
> between client and upstream hits a HelloRetryRequest. In
> that case the client will ECH encrypt it's second ClientHello
> but the ssl preread module doesn't get to see that 2nd
> ClientHello to attempt ECH decryption.
>
> So I ended up adding code [5] to the stream proxy module that
> checks if we're in that ECH split-mode + "pending" HRR state
> and attempts the ECH decryption if so. After (a lot:-) of
> trying to figure out where to put that code, it now also
> seems to work ok.
>
> But, I'm wondering if that's the right way to handle doing
> things with the 2nd ClientHello when we hit HRR and are
> using the stream module(s) but nginx is not terminating
> the TLS session?
>
> Any comments or advice most welcome!
>
> Thanks,
> Stephen.
>
> PS: It'll be a while before ECH is part of the OpenSSL
> library but once that's happening I do plan to follow up
> submitting these changes as they are at that time.
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
> [2] https://github.com/sftcd/openssl/tree/ECH-draft-13c
> [3] https://github.com/sftcd/nginx/tree/ECH-experimental
> [4]
>
> https://github.com/sftcd/nginx/blob/ECH-experimental/src/stream/ngx_stream_ssl_preread_module.c#L129
> [5]
>
> https://github.com/sftcd/nginx/blob/ECH-experimental/src/stream/ngx_stream_proxy_module.c#L1719
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20230601/185799ea/attachment.htm>


More information about the nginx-devel mailing list