Hello,
I want to add Encrypted Client Hello support to sslh (https://github.com/yrutschle/sslh/), which is a client-facing proxy that would decrypt the ClientHelloOuter, extract the SNI, and forward to a backend server according to the SNI. This is already supported for unencrypted SNI.
I found the ECH functions in `src/ssl.c` from the examples, in particular `server-ech-local.c`, but the API does not seem to be currently documented (or I didn't find the documentation). My understanding is that I can have sslh generate ECH configs with `wolfSSL_CTX_GenerateEchConfig()`, then export them to the DNS server using `wolfSSL_CTX_GetEchConfigs()` (and base64 encoding), or alternatively set up with a configuration coming from outside using `wolfSSL_CTX_SetEchConfigsBase64()`. I think I have this part working.
Now the part I am missing is how to retrieve an unencrypted ClientHelloInner, or extract the encrypted SNI from the ClientHelloOuter. Really I would expect something equivalent to `wolfSSL_SNI_GetFromBuffer()`, fed with the ECH private key, or a WOLFSSL_CTX that only has EchConfigs attached, but no server certificates. Does this function exist somewhere, or how would I go about creating it? (from functions in hpke.c?)
Thanks in advance,
Y.
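The ClientHelloOuter fields the question turns on, as an added example that is not part of the original post, of sslh or of wolfSSL: a constructed ClientHelloOuter in the draft-13+ ECH wire format (extension type 0xfe0d) and a parser that pulls out what a client-facing proxy can read without the ECH private key, namely the outer SNI (the ECHConfig public_name) and the `encrypted_client_hello` extension's config_id, HPKE cipher suite, `enc` and `payload`. The builder, the parser and the sample hostname `public.example` are assumptions made for this illustration; the `enc` and `payload` bytes are placeholders standing in for real HPKE output, and no HPKE open is performed, since that needs the private key matching config_id, which is the step the post is asking how to reach through wolfSSL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plaintext a proxy can extract from a ClientHelloOuter: the outer SNI plus the
 * ECH extension fields that are the inputs to HPKE open with the config's key. */
typedef struct {
    char outer_sni[256];                         /* public_name, not the real target */
    int has_ech;
    uint16_t kdf_id, aead_id;                    /* HpkeSymmetricCipherSuite */
    uint8_t config_id;                           /* selects the ECHConfig / private key */
    const uint8_t *enc; size_t enc_len;          /* HPKE encapsulated key */
    const uint8_t *payload; size_t payload_len;  /* sealed ClientHelloInner */
} ech_outer_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one TLS handshake record holding a ClientHello (assumes the record
 * carries exactly that one message). Returns 0 on success, -1 if malformed. */
int parse_client_hello_outer(const uint8_t *buf, size_t len, ech_outer_t *out)
{
    const uint8_t *p, *end;
    size_t n;
#define REM ((size_t)(end - p))
    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] != 0x16 || (n = rd16(buf + 3)) + 5 > len) return -1;
    p = buf + 5; end = p + n;
    if (p[0] != 0x01) return -1;                  /* handshake type ClientHello */
    n = ((size_t)p[1] << 16) | rd16(p + 2); p += 4;
    if (REM != n || REM < 2 + 32 + 1) return -1;
    p += 2 + 32;                                  /* legacy_version, random */
    if (REM < 1u + p[0]) return -1;
    p += 1 + p[0];                                /* session_id */
    if (REM < 2 || REM < 2u + rd16(p)) return -1;
    p += 2 + rd16(p);                             /* cipher_suites */
    if (REM < 1 || REM < 1u + p[0]) return -1;
    p += 1 + p[0];                                /* compression_methods */
    if (REM < 2) return -1;
    n = rd16(p); p += 2;
    if (REM != n) return -1;                      /* extensions fill the rest */
    while (REM >= 4) {
        uint16_t type = rd16(p), elen = rd16(p + 2);
        const uint8_t *e = p + 4;
        if ((size_t)(end - e) < elen) return -1;
        if (type == 0x0000) {                     /* server_name */
            if (elen < 5 || e[2] != 0) return -1; /* name_type host_name only */
            n = rd16(e + 3);
            if (n + 5 != elen || n >= sizeof out->outer_sni) return -1;
            memcpy(out->outer_sni, e + 5, n); out->outer_sni[n] = '\0';
        } else if (type == 0xfe0d) {              /* encrypted_client_hello */
            if (elen < 10 || e[0] != 0) return -1;/* ECHClientHelloType outer = 0 */
            out->kdf_id = rd16(e + 1); out->aead_id = rd16(e + 3);
            out->config_id = e[5];
            n = rd16(e + 6);
            if (8 + n + 2 > elen) return -1;
            out->enc = e + 8; out->enc_len = n;
            out->payload_len = rd16(e + 8 + n);
            if (10 + n + out->payload_len != elen) return -1;
            out->payload = e + 10 + n;
            out->has_ech = 1;
        }
        p = e + elen;
    }
    return p == end ? 0 : -1;
#undef REM
}

/* Minimal TLS byte builder with length backpatching (example helper). */
typedef struct { uint8_t b[512]; size_t n; } buf_t;
static void put(buf_t *o, const void *d, size_t n) { memcpy(o->b + o->n, d, n); o->n += n; }
static void put8(buf_t *o, unsigned v) { o->b[o->n++] = (uint8_t)v; }
static void put16(buf_t *o, unsigned v) { put8(o, v >> 8); put8(o, v); }
static void patch16(buf_t *o, size_t at) { unsigned v = (unsigned)(o->n - at - 2); o->b[at] = (uint8_t)(v >> 8); o->b[at + 1] = (uint8_t)v; }

/* Constructed sample ClientHelloOuter: outer SNI = public_name, one ECH
 * extension whose enc/payload are placeholder bytes (no real HPKE). */
size_t build_client_hello_outer(uint8_t *dst, size_t cap, const char *public_name, uint8_t config_id)
{
    buf_t o = { {0}, 0 };
    uint8_t zero[32] = {0}, enc[32], payload[48];
    size_t nl = strlen(public_name), rec_at, hs_at, ext_at;
    memset(enc, 0xAA, sizeof enc); memset(payload, 0xBB, sizeof payload);
    put8(&o, 0x16); put16(&o, 0x0301); rec_at = o.n; put16(&o, 0);   /* record header */
    put8(&o, 0x01); put8(&o, 0); hs_at = o.n; put16(&o, 0);           /* handshake header */
    put16(&o, 0x0303); put(&o, zero, 32); put8(&o, 0);                /* version, random, empty session_id */
    put16(&o, 2); put16(&o, 0x1301);                                  /* TLS_AES_128_GCM_SHA256 */
    put8(&o, 1); put8(&o, 0);                                         /* null compression */
    ext_at = o.n; put16(&o, 0);
    put16(&o, 0x0000); put16(&o, (unsigned)nl + 5); put16(&o, (unsigned)nl + 3);
    put8(&o, 0); put16(&o, (unsigned)nl); put(&o, public_name, nl);   /* server_name = public_name */
    put16(&o, 0x002b); put16(&o, 3); put8(&o, 2); put16(&o, 0x0304);  /* supported_versions: 1.3 */
    put16(&o, 0xfe0d); put16(&o, (unsigned)(10 + sizeof enc + sizeof payload));
    put8(&o, 0); put16(&o, 0x0001); put16(&o, 0x0001); put8(&o, config_id); /* outer, HKDF-SHA256, AES-128-GCM */
    put16(&o, sizeof enc); put(&o, enc, sizeof enc);
    put16(&o, sizeof payload); put(&o, payload, sizeof payload);
    patch16(&o, ext_at); patch16(&o, hs_at); patch16(&o, rec_at);
    if (o.n > cap) return 0;
    memcpy(dst, o.b, o.n);
    return o.n;
}

int main(void)
{
    uint8_t buf[512]; ech_outer_t r;
    size_t n = build_client_hello_outer(buf, sizeof buf, "public.example", 7);
    if (parse_client_hello_outer(buf, n, &r) != 0) return 1;
    printf("outer SNI=%s config_id=%u kdf=%u aead=%u enc=%zu payload=%zu bytes\n",
           r.outer_sni, r.config_id, r.kdf_id, r.aead_id, r.enc_len, r.payload_len);
    return 0;
}
```

The point for a proxy: without the private key, the only name visible is `outer_sni`, which is the ECHConfig's public_name and is deliberately not the backend the client wants, so it cannot be used for routing. `config_id` is what lets the server side pick the matching ECHConfig private key, and `enc` plus `payload` are what an HPKE open needs; only after that succeeds does a ClientHelloInner exist whose own server_name extension holds the real SNI (and in draft-13+ the inner hello may refer back to outer extensions via ech_outer_extensions, so decoding it is more than a plain ClientHello parse).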