Encrypted Client Hello (ECH) now supported in wolfSSL

ECH (Encrypted Client Hello) is a draft extension for TLS 1.3 that enables a client to encrypt its client_hello in the TLS handshake to prevent leaking sensitive metadata that is sent in the clear during the normal TLS handshake. ECH was originally proposed as ESNI (Encrypted Server Name Indication), since the server name indication is one of the sensitive fields that is visible to a passive observer during the handshake, but was later renamed since it covers the entire Client Hello. ECH uses HPKE (Hybrid Public Key Encryption) to derive a shared secret and encrypt the client_hello.

ECH works by making an inner Client Hello and an outer Client Hello. The outer hello has all sensitive metadata removed and includes a new TLS extension called ECH. The inner hello contains all the sensitive information and is encrypted using HPKE and then placed into the outer hello as the ECH extension. The client sends the outer hello and the server picks up on the use of ECH and decrypts the inner hello using its HPKE key.

Here is an example of how ECH is used:


In this example we connect to the Cloudflare server that has been setup to test different TLS and security settings and then call `wolfSSL_GetEchConfigs` to get the `retry_configs`. We then make a new SSL object, call `wolfSSL_SetEchConfigs` to apply the retry configs and then connect using ECH. We do this connect and reconnect process to get the `retry_configs` by sending what's called a GREASE ECH or a dummy ECH which is sent out in the absence of a set ECH. We can skip this step if we retrieve the ECH configs from a website's DNS records, but DNS is out of the scope of this example. Once we have the ECH configs set we can connect to and use the ssl connection like normal, here we send an http request to `/cdn-cgi/trace/ HTTP/1.1\r\n`, which will send us back information about our TLS connection. In the response that prints we will see `sni=encrypted`, which means that ECH is working.

Support for ECH was added in PR https://github.com/wolfSSL/wolfssl/pull/5623

For questions please email facts@wolfssl.com