encrypted client hello (ECH) question

Stephen Farrell
June 01, 2023 07:32AM
Hi all,

I've been working on implementing TLS encrypted client hello
(ECH, [1]) in the OpenSSL library (current branch at [2]).
Apologies that this mail requires a bit of knowledge of
what ECH does - I'd guess some folks on here will know that
already but I'm happy to explain as needed.

I have various proof of concept integrations for my code
including with nginx (branch at [3]). Adding support for
ECH when nginx terminates TLS was pretty straightforward
but I have a question about whether the direction I've
taken for ECH in "split-mode" is sensible or not.

ECH "split-mode" is where nginx will do the ECH decryption
but the TLS session is negotiated between the client and
the upstream. I added some code [4] to the ssl preread
stream module that does the ECH decryption of the initial
ClientHello, then forwards on the decrypted ClientHello to
the upstream. Again that was pretty easy and seems to work
fine.

The question that I have relates to when the TLS handshake
between client and upstream hits a HelloRetryRequest. In
that case the client will ECH encrypt its second ClientHello
but the ssl preread module doesn't get to see that 2nd
ClientHello to attempt ECH decryption.

So I ended up adding code [5] to the stream proxy module that
checks if we're in that ECH split-mode + "pending" HRR state
and attempts the ECH decryption if so. After (a lot:-) of
trying to figure out where to put that code, it now also
seems to work ok.

But, I'm wondering if that's the right way to handle doing
things with the 2nd ClientHello when we hit HRR and are
using the stream module(s) but nginx is not terminating
the TLS session?

Any comments or advice most welcome!

Thanks,
Stephen.

PS: It'll be a while before ECH is part of the OpenSSL
library but once that's happening I do plan to follow up
submitting these changes as they are at that time.

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
[2] https://github.com/sftcd/openssl/tree/ECH-draft-13c
[3] https://github.com/sftcd/nginx/tree/ECH-experimental
[4] https://github.com/sftcd/nginx/blob/ECH-experimental/src/stream/ngx_stream_ssl_preread_module.c#L129
[5] https://github.com/sftcd/nginx/blob/ECH-experimental/src/stream/ngx_stream_proxy_module.c#L1719
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
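The HRR problem described in the post comes down to connection state: a split-mode proxy that only inspects the first ClientHello (as a preread step does) never sees the second one, so whatever forwards later bytes has to remember that the upstream answered with a HelloRetryRequest. The following is an added illustration, not code from Stephen's OpenSSL or nginx branches. It parses TLS 1.3 handshake records just far enough to (a) spot the ECH extension in a ClientHello and (b) recognise an HRR from the upstream by its fixed Random value (SHA-256 of "HelloRetryRequest", RFC 8446 section 4.1.3), and keeps a per-connection flag so the second ClientHello is routed to ECH handling too. Assumptions: the encrypted_client_hello extension code point 0xfe0d from draft-ietf-tls-esni-13; the actual HPKE decryption is out of scope and is represented only by the returned action string; the sample messages are constructed inline.

```python
"""Track TLS 1.3 handshake state for an ECH split-mode proxy so that a second
ClientHello sent after HelloRetryRequest is also routed to ECH decryption.
Added example; the ECH/HPKE decryption itself is not performed here."""
import hashlib
import struct

HANDSHAKE = 0x16            # TLS record content type
CLIENT_HELLO = 1            # handshake message types (RFC 8446)
SERVER_HELLO = 2
ECH_EXT_TYPE = 0xFE0D       # encrypted_client_hello, draft-ietf-tls-esni-13 (assumption)
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()  # RFC 8446 4.1.3


def parse_handshake_record(record):
    """Return (handshake_type, body) for one complete TLS handshake record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a single complete handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return hs_type, body


def hello_fields(body, is_client):
    """Parse a ClientHello or ServerHello body; return (random, {ext_type: data})."""
    random = body[2:34]                         # legacy_version(2) then random(32)
    pos = 34
    sid_len = body[pos]; pos += 1 + sid_len     # legacy_session_id(_echo)
    if is_client:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
    else:
        pos += 2 + 1                            # cipher_suite + legacy_compression_method
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, exts = pos + ext_len, {}
    while pos < end:
        et, el = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        exts[et] = body[pos:pos + el]; pos += el
    return random, exts


class SplitModeTracker:
    """Per-connection state: which client messages need ECH handling right now."""

    def __init__(self):
        self.hrr_pending = False

    def on_client_record(self, record):
        hs_type, body = parse_handshake_record(record)
        if hs_type != CLIENT_HELLO:
            return None
        _, exts = hello_fields(body, is_client=True)
        if ECH_EXT_TYPE not in exts:
            return "forward"                    # no ECH: nothing to decrypt, pass through
        action = "decrypt-second-ch" if self.hrr_pending else "decrypt-first-ch"
        self.hrr_pending = False                # the retried ClientHello has now been seen
        return action

    def on_upstream_record(self, record):
        hs_type, body = parse_handshake_record(record)
        if hs_type != SERVER_HELLO:
            return None
        random, _ = hello_fields(body, is_client=False)
        if random == HRR_RANDOM:                # HelloRetryRequest: expect another ClientHello
            self.hrr_pending = True
            return "hrr"
        return "server-hello"


# --- constructed sample messages (not captured traffic) ---------------------
def _ext_block(exts):
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts.items())
    return struct.pack("!H", len(blob)) + blob

def _wrap(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

def build_client_hello(exts, random=bytes(32)):
    body = (b"\x03\x03" + random + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00" + _ext_block(exts))        # null compression, extensions
    return _wrap(CLIENT_HELLO, body)

def build_server_hello(random, exts):
    body = b"\x03\x03" + random + b"\x00" + b"\x13\x01" + b"\x00" + _ext_block(exts)
    return _wrap(SERVER_HELLO, body)


def simulate_hrr_exchange():
    """CH(ECH) -> HRR from upstream -> second CH(ECH) -> real ServerHello."""
    t = SplitModeTracker()
    ech = {0x002B: b"\x02\x03\x04", ECH_EXT_TYPE: b"\x00constructed-ech-payload"}
    return [
        t.on_client_record(build_client_hello(ech)),
        t.on_upstream_record(build_server_hello(HRR_RANDOM, {0x002B: b"\x03\x04"})),
        t.on_client_record(build_client_hello(ech)),
        t.on_upstream_record(build_server_hello(bytes(range(32)), {0x002B: b"\x03\x04"})),
    ]


if __name__ == "__main__":
    print(simulate_hrr_exchange())
```

The point of the tracker is the `hrr_pending` flag: the first ClientHello can be handled by whatever code sees the connection's initial bytes, but the decision "this next ClientHello also needs ECH decryption" can only be made by the component that also watches the upstream's ServerHello, which is why the check ends up in the proxying path rather than the preread step.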
Thread:
encrypted client hello (ECH) question - Stephen Farrell, June 01, 2023 07:32AM (315 views)
Re: encrypted client hello (ECH) question - splitice, June 01, 2023 08:16AM (178 views)
Re: encrypted client hello (ECH) question - Stephen Farrell, June 01, 2023 08:50AM (238 views)