TLS extension: Encrypted Client Hello full implementation
Encrypted Client Hello (ECH) works by doing a DNS RR query for HTTPS. Those records contain SvcParams; if one of those params is ech, then we should use the config it contains (ECHConfigList) to configure the boringssl connector.
Chrome only does this normally when using DNS over HTTPS or when using the built-in DNS resolver.
At first sight it seems everything is already there to start using it in boring code (I did see some comments in the C++ that it only implements basic ECH; not sure how far that goes or what that means exactly right now).
Currently we already have this extension enabled in our client hello, but it contains GREASE data. Chrome also does the same.
cfg.set_enable_ech_grease(true);
We also do the exact same for Firefox, but the "grease" there might be generated differently, so that is also something to check.
Also, once we have this working and we also get fingerprint data for it (e.g. make sure rama echo enables this), we should probably start seeing the need to implement ECH_OUTER_EXTENSIONS.
Can you open a PR to already enable this, at least in case the extension is found in the client config for boring? Similar to how we do it for other opt-in extensions.
Have a draft PR for this already, just finishing some stuff first.
Example website that shows whether you have this enabled:
https://defo.ie/ech-check.php
DNS record with Google that shows this (ech= part in the data response):
https://dns.google/query?name=defo.ie&rr_type=HTTPS&ecs=