Experiences with implementing and deploying ECH

DEfO project (defo.ie), 2021-12-03 contact: info@defo.ie

Abstract

The DEfO project implemented Encrypted ClientHello (ECH) support for OpenSSL and Conscrypt, caried out interoperability testing of those implementations, and also used those libraries to ECH-enable various web servers and clients. We deployed services using these web servers and the DNS infrastructure required to supoort automated key upated for the HTTPS RRs asociated with those services. Here we provide a short overview of that work in order to help with larger scale experiments and with further development of the ECH specification.

Libraries

As part of the DEfO project, we ECH-enabled two important TLS libraries:

• OpenSSL is a long-lived library providing cryptographic and TLS services that is used by many applications, including many web servers and hence is an attractive target for ECH-enabling, especially for server-side functionality. Our ECH-enabled fork of OpenSSL is here.
• Conscrypt is a Java Security Provide (a library) that provides a Java "wrapper" for the C++ language boringssl library. Conscrypt is commonly used as the TLS provider for applications running on android devices and is thus an attractive target to allow many clients to be ECH-enabled. (We do not target browser clients in DEfO as work on ECH-enabling those is being done by browser-makers.) The authors of boringssl (Google) have added ECH support to a version of their code, and we used that to enhance Conscrypt to call the new borinssl APIs required to use ECH and to provide mechanisms for applications to default to, or signal use of, ECH.
• HappyKey is a standalone OpenSSL-based implementation of HPKE which is used within ECH for encryption. This implementation could be used by applications as a shim-layer for HPKE until HPKE is part of an official OpenSSL release. (There are other specifications planning to use HPKE to it may be useful for them to have an shim-layer implementation like this.)

Clients

We ECH-enabled implemented the following TLS client applications:

• OpenSSL s_client - this client application comes as part of the OpenSSL build but is commonly used for testing and as an extremely simple scriptable TLS client.
• curl is a widely-used command line web client that can use OpenSSL for TLS support, so we ECH-enabled that - our build is here
• f-droid is an android client application that provides an installable catalogue of FOSS applcations and that uses conscrypt. Our ECH-enabled build of that is here.

Servers

We ECH-enabled implemented the following web servers:

• The apache web server is one of the two most commonly used web servers today. Our ECH-enabled build is described here.
• nginx is the other web server in the "top two." Our ECH-enabled build is described here
• lighttpd is a web server that is commonly used on smaller devices such as home routers. Our ECH-enabled build is described here.
• haproxy is widely used as an HTTP ingress proxy and so is a good target for exploring ECH split-mode. Our ECH-enabled haproxy build is described here.
• OpenSSL s_server - this example server application is part of the OpenSSL build and is commonly used for testing and experimentation.

Test tools

Amongst the test tooling we developed are:

• OpenSSL make test targets for HPKE round-tripping, ECH key pair reading and use of ECH between clients and servers.
• ECHInteropTest is a Java client for interoperability testing on android.
• tvtest.sh allows one to validate our HPKE implementation against the 96 test vectors that are part of the HPKE specification.
• alltest.sh allows one to run round-trip and error-handling tests for all existing cipher-suite combinations for HPKE (there are 45 such combinations and 480 tests overall).
• agiletest.sh allows one to test all 45 HPKE cipher-suite combinations with ECH and also includes error handling tests.
• echdnsfuzz is a catalogue of "interesting" ECHConfigList values that could cause issues for clients combined with a service to randomly select one of those for publication in the public DNS every 30 minutes. This is a useful part of fuzz-testing an ECH-enabled client application.

DNS infrastructure

We deployed the non-trivial DNS infrastructure required to support ECH and hourly key rotation for the defo.ie domain. Other than for ECH key rotation that only required our standard DNS services (incl. DNSSEC).

For ECH key rotation we documented our implementation in an Internet-draft that we have proposed be standardised. (We also documented a PEM file format in another Internet-draft.)

Issues Arising

We saw the following issues that could benefit from further work to ease deployment of ECH:

• For haproxy, it makes sense to handle split-mode ECH using "tcp" mode (as opposed to "http" mode which is suitable when haproxy is acting as the TLS server endpoint); it appears that haproxy in tcp mode can only examine or change the first message in a connection (presumably for performance reasons, but that's still TBC) - the result may be that HRR can't easily work in one setup where it might be most relevant.

• There can sometimes be a lack of clarity as to which software component should be responsible for choosing to attempt real (i.e. non-GREASEd) ECH, and hence to be responsible for the additional DNS queries required to acquire an ECHConfig. For libraries like OpenSSl and boringssl it clearly only makes sense for that decision (and hence any new DNS handling code) to be outside the library. For a browser, it as clearly makes sense for that code to be in the browser application layer. With "middleware" though, such as OkHTTP or Conscrypt it can be hard to know which is the correct decision.

• The new DNS code required for handling HTTPS RRs is not too complex but the full generality of SVCB is exteremely complex. Adding such complexity (and associated caching) is a major change for clients like curl that have to date only had to have a very simple model for DNS - essentially only querying A/AAAA and having almost trivial caching in the application itself.

• The client implementation of ECH is relatively complex in that it "touches" the TLS state machine in many ways, and hence requires changes in a lot of places. As well as increasing the cost of implementing this also increases the costs associated with testing and upstreaming.

Conclusions

ECH is demonstrably implementable and can be deployed. We don't yet know if new issues will become apparent as large-scale experiments are carried out, but we should know that in the next few months.