1- # TLS: ESNI support in curl and libcurl
1+ # TLS: ECH support in curl and libcurl
22
33## Summary
44
5- ** ESNI ** means ** Encrypted Server Name Indication ** , a TLS 1.3
6- extension which is currently the subject of an
7- [ IETF Draft ] [ tlsesni ] .
5+ ** ECH ** means ** Encrypted Client Hello ** , a TLS 1.3 extension which is
6+ currently the subject of an [ IETF Draft ] [ tlsesni ] . (ECH was formerly known as
7+ ESNI) .
88
9- This file is intended to show the latest current state of ESNI support
9+ This file is intended to show the latest current state of ECH support
1010in ** curl** and ** libcurl** .
1111
12- At end of August 2019, an [ experimental fork of curl] [ niallorcurl ] ,
13- built using an [ experimental fork of OpenSSL] [ sftcdopenssl ] , which in
14- turn provided an implementation of ESNI, was demonstrated
15- interoperating with a server belonging to the [ DEfO
16- Project] [ defoproj ] .
12+ At end of August 2019, an [ experimental fork of curl] [ niallorcurl ] , built
13+ using an [ experimental fork of OpenSSL] [ sftcdopenssl ] , which in turn provided
14+ an implementation of ECH, was demonstrated interoperating with a server
15+ belonging to the [ DEfO Project] [ defoproj ] .
1716
1817Further sections here describe
1918
2019- resources needed for building and demonstrating ** curl** support
21- for ESNI ,
20+ for ECH ,
2221
2322- progress to date,
2423
@@ -28,18 +27,18 @@ Further sections here describe
2827
2928## Resources needed
3029
31- To build and demonstrate ESNI support in ** curl** and/or ** libcurl** ,
30+ To build and demonstrate ECH support in ** curl** and/or ** libcurl** ,
3231you will need
3332
34- - a TLS library, supported by ** libcurl** , which implements ESNI ;
33+ - a TLS library, supported by ** libcurl** , which implements ECH ;
3534
36- - an edition of ** curl** and/or ** libcurl** which supports the ESNI
35+ - an edition of ** curl** and/or ** libcurl** which supports the ECH
3736 implementation of the chosen TLS library;
3837
3938- an environment for building and running ** curl** , and at least
4039 building ** OpenSSL** ;
4140
42- - a server, supporting ESNI , against which to run a demonstration
41+ - a server, supporting ECH , against which to run a demonstration
4342 and perhaps a specific target URL;
4443
4544- some instructions.
@@ -58,52 +57,49 @@ The following set of resources is currently known to be available.
5857
5958- Details [ below] ( #pr4011 ) ;
6059
61- - New ** curl ** feature : ` CURL_VERSION_ESNI ` ;
60+ - New configuration option : ` --enable-ech ` ;
6261
63- - New configuration option: ` --enable-esni ` ;
64-
65- - Build-time check for availability of resources needed for ESNI
62+ - Build-time check for availability of resources needed for ECH
6663 support;
6764
68- - Pre-processor symbol ` USE_ESNI ` for conditional compilation of
69- ESNI support code, subject to configuration option and
65+ - Pre-processor symbol ` USE_ECH ` for conditional compilation of
66+ ECH support code, subject to configuration option and
7067 availability of needed resources.
7168
7269## TODO
7370
74- - (next PR) Add libcurl options to set ESNI parameters.
71+ - (next PR) Add libcurl options to set ECH parameters.
7572
76- - (next PR) Add curl tool command line options to set ESNI parameters.
73+ - (next PR) Add curl tool command line options to set ECH parameters.
7774
78- - (WIP) Extend DoH functions so that published ESNI parameters can be
75+ - (WIP) Extend DoH functions so that published ECH parameters can be
7976 retrieved from DNS instead of being required as options.
8077
81- - (WIP) Work with OpenSSL community to finalize ESNI API.
78+ - (WIP) Work with OpenSSL community to finalize ECH API.
8279
83- - Track OpenSSL ESNI API in libcurl
80+ - Track OpenSSL ECH API in libcurl
8481
8582- Identify and implement any changes needed for CMake.
8683
8784- Optimize build-time checking of available resources.
8885
89- - Encourage ESNI support work on other TLS/SSL backends.
86+ - Encourage ECH support work on other TLS/SSL backends.
9087
9188## Additional detail
9289
9390### PR 4011
9491
95- ** TLS: Provide ESNI support framework for curl and libcurl**
92+ ** TLS: Provide ECH support framework for curl and libcurl**
9693
97- The proposed change provides a framework to facilitate work to
98- implement ESNI support in curl and libcurl. It is not intended
99- either to provide ESNI functionality or to favour any particular
100- TLS-providing backend. Specifically, the change reserves a
101- feature bit for ESNI support (symbol ` CURL_VERSION_ESNI ` ),
102- implements setting and reporting of this bit, includes dummy
103- book-keeping for the symbol, adds a build-time configuration
104- option (` --enable-esni ` ), provides an extensible check for
105- resources available to provide ESNI support, and defines a
106- compiler pre-processor symbol (` USE_ESNI ` ) accordingly.
94+ The proposed change provides a framework to facilitate work to implement ECH
95+ support in curl and libcurl. It is not intended either to provide ECH
96+ functionality or to favour any particular TLS-providing backend. Specifically,
97+ the change reserves a feature bit for ECH support (symbol
98+ ` CURL_VERSION_ECH ` ), implements setting and reporting of this bit, includes
99+ dummy book-keeping for the symbol, adds a build-time configuration option
100+ (` --enable-ech ` ), provides an extensible check for resources available to
101+ provide ECH support, and defines a compiler pre-processor symbol (` USE_ECH ` )
102+ accordingly.
107103
108104Proposed-by: @niallor (Niall O'Reilly)\
109105Encouraged-by: @sftcd (Stephen Farrell)\
@@ -117,7 +113,7 @@ Limitations:
117113- Check for available resources, although extensible, refers only to
118114 specific work in progress ([ described
119115 here] ( https://github.com/sftcd/openssl/tree/master/esnistuff ) ) to
120- implement ESNI for OpenSSL, as this is the immediate motivation
116+ implement ECH for OpenSSL, as this is the immediate motivation
121117 for the proposed change.
122118
123119## References
0 commit comments