Developing ECH for OpenSSL (DEfO)

The encrypted ClientHello (ECH) mechanism (draft-spec) is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that's used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL as a demonstration and for interoperability testing. DEfO was initially funded by the Open Technology Fund (OTF), and subsequently by the National Democratic Initiative. In mid-2023 OTF extended our funding to help with upstreaming the relevant ECH code to the various projects involved. Tolerant Networks Ltd. and people from the Guardian Project are doing the work in DEfO.

This site is for ECH interoperability testing. The table below indicates the various combinations of server technology supported here.

This is not a highly-scalable hugely-tested thing - let us know if you find any issues, but do expect to find issues - that's what this site is for after all!

As of 20220824 we've done some good interop testing with our draft-13 code. That's the latest interop target. We seem to work fine with the boringssl, and NSS libraries, with the Cloudflare server, and with the Firefox, Chromium and Brave browsers.

Servers

2023-08-14: we've refreshed all the builds here so things may still be unstable for a bit. Do let us know if that's the case. (We have had some reports of oddities that may be related to in-browser caching, and with firefox when not using port 443 - we plan to investigate all those soon.)

So what's deployed here is:

Server Technology	URL/host:port details
nginx	https://defo.ie/ech-check.php a web page that tells you if ECH was used
OpenSSL s_server	https://draft-13.esni.defo.ie:8413/stats for "normal ECH" or https://draft-13.esni.defo.ie:8414/stats for one that forces HRR to P-384
lighttpd 1.4	https://draft-13.esni.defo.ie:9413/
nginx	https://draft-13.esni.defo.ie:10413/
apache2	https://draft-13.esni.defo.ie:11413/
haproxy	https://draft-13.esni.defo.ie:12413/ - haproxy shared mode (haproxy terminates TLS) https://draft-13.esni.defo.ie:12414/ - haproxy split mode (haproxy only decrypts ECH)

ECH public keys for those servers are published in the DNS and are rotated hourly (at :42 currently, with a 1800 second TTL). We currently publish one HTTPS RR for each service containing an ECH configuration list with up to 3 public keys. (The three public keys thing is arguably not useful for clients, but it's useful for us for now, to test our provisioning scripts.)

To view the HTTPS RR for defo.ie use: "$ dig https defo.ie" but for services on other ports you have to use "$ dig https _10413._https.draft-13.esni.defo.ie" or similar.

It's not one of ours, but Cloudflare also have a test server at https://crypto.cloudflare.com/cdn-cgi/trace.

Clients

Firefox supports ECH draft-13. To enable ECH for Firefox, you first need to turn on DNS-over-HTTPS (DoH, set TRR mode=2) and then also manually enable the "network.dns.echconfig.enabled" setting via "about:config".

Chromium (version 105+), and derived browsers, now also support ECH, but again behind a flag and you may also need DoH turned on. To turn on DoH, you need to go to "chrome://settings/security" scroll down some and then enable "Use Secure DNS." To then enable ECH, goto "chrome://flags/", search for "encrypted clienthello" and enable that.

With our "openssl s_client" build, for each of the servers running on draft-13.esni.defo.ie you can test using e.g: "$HOME/code/openssl/esnistuff/echcli.sh -p 8413 -H draft-13.esni.defo.ie" That script will also work against Cloudflare as it's default. Add a "-d" to the command line for (lots of) tracing, use "-h" for usage instructions.

For curl, we now (2023-09-18) have some support for HTTPS resource records and ECH, for both OpenSSL and WolfSSL, so you can follow our build and test instructions to get a working (though not really tested) ECH-enabled curl.

2023-08-14: Note that the text below on other clients is outdated. We'll do a refresh of those and then update the instructions shortly.

To do other tests you need to build from source for either our openssl s_client or curl, or use one of the Java clients we've developed that run on top of Conscrypt/boringssl.

We have demo fork of F-Droid to serve as an example app built on the development fork of Conscrypt. We hope to make that really usable as the server side of F-droid runs on Cloudflare.
ECHInteropTest is a simple example app built on our Conscrypt fork to test TLS Encrypted ClientHello (ECH) interoperability between various implementations, platforms, and networks. This runs as standard Android unit tests on the emulator.
We also have test scripts allowing tests with NSS' tstclnt and boringssl's s_client. Apoloigies that those aren't documented, if you need to use them, just send us email.

Contact

Anyone who is interested in implementing #TLS Encrypted ClientHello, please reach out and we will help where we can. We can certainly answer questions, and will try to help with code when possible.

IRC: #ech-dev on OFTC
matrix: #ech-dev:matrix.org
email (list): https://lists.mayfirst.org/mailman/listinfo/ech-dev/
email (direct): info@tolerantnetworks.com

More implementations

The TLS WG maintain a page with information about our and other implementations.

This fine domain brought to you by Tolerant Networks Limited.
Last modified: 2023-1-21, but who cares?

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.