File Manager

003 File Manager

Current Path: /usr/local/share/doc/curl

📁 ..
📄 ALTSVC.md(1.08 KB)
📄 BINDINGS.md(5.44 KB)
📄 BUFREF.md(2.21 KB)
📄 BUG-BOUNTY.md(3.26 KB)
📄 BUGS.md(11.65 KB)
📄 CHECKSRC.md(6.41 KB)
📄 CIPHERS.md(10.93 KB)
📄 CODE_OF_CONDUCT.md(1.57 KB)
📄 CODE_REVIEW.md(5.76 KB)
📄 CODE_STYLE.md(7.53 KB)
📄 CONTRIBUTE.md(13.25 KB)
📄 CURL-DISABLE.md(2.15 KB)
📄 DEPRECATE.md(399 B)
📄 DYNBUF.md(2.5 KB)
📄 ECH.md(4.63 KB)
📄 EXPERIMENTAL.md(912 B)
📄 FAQ(65.37 KB)
📄 FEATURES.md(5.69 KB)
📄 GOVERNANCE.md(6.77 KB)
📄 HELP-US.md(3.88 KB)
📄 HISTORY.md(11.51 KB)
📄 HSTS.md(1.4 KB)
📄 HTTP-COOKIES.md(5.09 KB)
📄 HTTP2.md(4.47 KB)
📄 HTTP3.md(3.65 KB)
📄 HYPER.md(1.84 KB)
📄 INSTALL(315 B)
📄 INSTALL.md(21.26 KB)
📄 INTERNALS.md(42.85 KB)
📄 KNOWN_BUGS(43.34 KB)
📄 MAIL-ETIQUETTE(11.7 KB)
📄 MQTT.md(630 B)
📄 NEW-PROTOCOL.md(4.46 KB)
📄 PARALLEL-TRANSFERS.md(2.04 KB)
📄 README.md(495 B)
📄 RELEASE-PROCEDURE.md(3.24 KB)
📄 ROADMAP.md(854 B)
📄 RUSTLS.md(806 B)
📄 SECURITY-PROCESS.md(5.63 KB)
📄 SSL-PROBLEMS.md(3.96 KB)
📄 SSLCERTS.md(8.15 KB)
📄 THANKS(36.43 KB)
📄 TODO(46.71 KB)
📄 TheArtOfHttpScripting.md(27.56 KB)
📄 URL-SYNTAX.md(13.23 KB)
📄 VERSIONS.md(2.22 KB)
📁 libcurl
📄 options-in-versions(10.69 KB)

Editing: ECH.md

# TLS: ECH support in curl and libcurl

## Summary

**ECH** means **Encrypted Client Hello**, a TLS 1.3 extension which is
currently the subject of an [IETF Draft][tlsesni]. (ECH was formerly known as
ESNI).

This file is intended to show the latest current state of ECH support
in **curl** and **libcurl**.

At end of August 2019, an [experimental fork of curl][niallorcurl], built
using an [experimental fork of OpenSSL][sftcdopenssl], which in turn provided
an implementation of ECH, was demonstrated interoperating with a server
belonging to the [DEfO Project][defoproj].

Further sections here describe

-   resources needed for building and demonstrating **curl** support
    for ECH,

-   progress to date,

-   TODO items, and

-   additional details of specific stages of the progress.

## Resources needed

To build and demonstrate ECH support in **curl** and/or **libcurl**,
you will need

-   a TLS library, supported by **libcurl**, which implements ECH;

-   an edition of **curl** and/or **libcurl** which supports the ECH
    implementation of the chosen TLS library;

-   an environment for building and running **curl**, and at least
    building **OpenSSL**;

-   a server, supporting ECH, against which to run a demonstration
    and perhaps a specific target URL;

-   some instructions.

The following set of resources is currently known to be available.

| Set  | Component    | Location                      | Remarks                                    |
|:-----|:-------------|:------------------------------|:-------------------------------------------|
| DEfO | TLS library  | [sftcd/openssl][sftcdopenssl] | Tag *esni-2019-08-30* avoids bleeding edge |
|      | curl fork    | [niallor/curl][niallorcurl]   | Tag *esni-2019-08-30* likewise             |
|      | instructions | [ESNI-README][niallorreadme]  |                                            |

## Progress

### PR 4011 (Jun 2019) expected in curl release 7.67.0 (Oct 2019)

-   Details [below](#pr-4011);

-   New configuration option: `--enable-ech`;

-   Build-time check for availability of resources needed for ECH
    support;

-   Pre-processor symbol `USE_ECH` for conditional compilation of
    ECH support code, subject to configuration option and
    availability of needed resources.

## TODO

-   (next PR) Add libcurl options to set ECH parameters.

-   (next PR) Add curl tool command line options to set ECH parameters.

-   (WIP) Extend DoH functions so that published ECH parameters can be
    retrieved from DNS instead of being required as options.

-   (WIP) Work with OpenSSL community to finalize ECH API.

-   Track OpenSSL ECH API in libcurl

-   Identify and implement any changes needed for CMake.

-   Optimize build-time checking of available resources.

-   Encourage ECH support work on other TLS/SSL backends.

## Additional detail

### PR 4011

**TLS: Provide ECH support framework for curl and libcurl**

The proposed change provides a framework to facilitate work to implement ECH
support in curl and libcurl. It is not intended either to provide ECH
functionality or to favour any particular TLS-providing backend. Specifically,
the change reserves a feature bit for ECH support (symbol
`CURL_VERSION_ECH`), implements setting and reporting of this bit, includes
dummy book-keeping for the symbol, adds a build-time configuration option
(`--enable-ech`), provides an extensible check for resources available to
provide ECH support, and defines a compiler pre-processor symbol (`USE_ECH`)
accordingly.

Proposed-by: @niallor (Niall O'Reilly)\
Encouraged-by: @sftcd (Stephen Farrell)\
See-also: [this message](https://curl.se/mail/lib-2019-05/0108.html)

Limitations:
-   Book-keeping (symbols-in-versions) needs real release number, not 'DUMMY'.

-   Framework is incomplete, as it covers autoconf, but not CMake.

-   Check for available resources, although extensible, refers only to
    specific work in progress ([described
    here](https://github.com/sftcd/openssl/tree/master/esnistuff)) to
    implement ECH for OpenSSL, as this is the immediate motivation
    for the proposed change.

## References

Cloudflare blog: [Encrypting SNI: Fixing One of the Core Internet Bugs][corebug]

Cloudflare blog: [Encrypt it or lose it: how encrypted SNI works][esniworks]

IETF Draft: [Encrypted Server Name Indication for TLS 1.3][tlsesni]

---

[tlsesni]:		https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
[esniworks]:	https://blog.cloudflare.com/encrypted-sni/
[corebug]:		https://blog.cloudflare.com/esni/
[defoproj]:		https://defo.ie/
[sftcdopenssl]: https://github.com/sftcd/openssl/
[niallorcurl]:	https://github.com/niallor/curl/
[niallorreadme]: https://github.com/niallor/curl/blob/master/ESNI-README.md

003 File Manager

Editing: ECH.md

Upload File

Create Folder