New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: support Encrypted Client Hello in clients #63369
Comments
I should add that Cloudflare's fork of crypto/tls has ECH support in case that's of interest to the official Golang maintainers. |
CC @golang/security |
We were just talking about this today. It seems like a reasonable thing to implement given the direction the ecosystem is going. I think we're likely to prioritize client support first, but given the existence of stuff like Caddy, server support also seems reasonable. I think we'll want to design the API such that we can internally wire up the net/http client to automatically populate the necessary information via e.g. the DNS discovery mechanism (or manually configure it by passing a tls.Config). |
Thank you Roland 😁 Thousands of users appreciate that! |
This comment was marked as spam.
This comment was marked as spam.
Is there work being done somewhere on this proposal or will start working on this proposal after ECH has been fully standardized to RFC? |
I think ideally we'd like to get at least the client half of this in for 1.23, but we still need to decide on what the API will look like. To just throw something out there, perhaps a very simple first option, which would support clients and leave the door open for sever support, would be to just add a field to tls.Config containing an already serialized ECHConfigList. e.g.
A client that populates this would then populate Config.ServerName as usual, and the internals would take care of the rest. One open question is how it would handle ECH failures, i.e. do we want to offer a knob to control whether we allow fallback or not (I would default to just failing closed, but others might have strong opinions on this). This would hide away most of the internals of the ECH configuration, allowing direct passthrough for supported discovery mechanisms, and allow us to be as opinionated as we want in terms of picking HPKE cipher suites and such (which is generally a goal of crypto/tls). For server support we'd then either reuse the EncryptedClientHelloConfigList field with an additional field for private keys, or a map between ECHConfig and private keys. |
I have some questions that I don't know about:
|
|
Let's make this proposal about the client side, which the discussion has focused on, and we can revisit the server part in a separate proposal when we have ideas about what the API looks like. |
Actually, I saw on Wikipedia's article about Server Name Indication that cloudflare/go implemented ECH support in this commit from July, last year. This was merged on Feb 9th '24. You asked specifically about HPKE; I'm no expert, but there's a hpke.go file and a separate folder called hpke as well. In the commit note, it does mention an external dependency requirement, to cloudflare/circl. That hpke folder looks like it is duplicated in the circl repository in fact.
Maybe cloudflare's licenses are compatible with golang's and their library could be merged into the standard library? It looks like a lot of work was put into that initial commit (38 changed files with 7,335 additions and 35 deletions)! |
FWIW, license compatibility is not enough; we require a CLA so that all code can be distributed under the simple Go license, not an amalgamation of many licenses. |
This proposal has been added to the active column of the proposals project |
Based on the discussion above, this proposal seems like a likely accept. The proposal details are in #63369 (comment). |
No change in consensus, so accepted. 🎉 The proposal details are in #63369 (comment). |
Change https://go.dev/cl/578575 mentions this issue: |
Encrypted Client Hello is a new privacy feature that is finishing standardization at the IETF. ECH is a big step forward for the internet, because it removes one of the last places where the websites users visit is leaked to the network in plaintext.
ECH has already been implemented in NSS and BoringSSL, and an experimental fork is available for OpenSSL.
Firefox has launched support for ECH, Chrome is expected to launch support imminently and Cloudflare have rolled out server-side support globally.
Support in crypto/tls would need to be both for servers and clients. Lack of support is currently blocking Caddy from shipping ECH.
cc @FiloSottile
The text was updated successfully, but these errors were encountered: