The OpenSSL Library now supports Encrypted Client Hello (ECH)

Previous posts about the upcoming OpenSSL 4.0 release:

  1. removing ENGINE code
  2. removing deprecated functions for creating or modifying custom METHODS
  3. no longer registering a function via atexit function

Summary

The OpenSSL Library now supports Encrypted Client Hello (ECH) specified in RFC 9849, which was published this month. Applications that implement this standard will be able to encrypt sensitive information that is currently transmitted in plaintext in the TLS 1.3 handshake. In particular, ECH can protect the client’s target server name from being revealed to third parties.

For details about how to use the ECH API, please see design notes:

This ECH implementation was prototyped via integrations with curl, apache2, lighttpd, nginx, freenginx and HAProxy. The implementation interoperates with all other known ECH implementations, including browsers, the libraries they use (NSS/BoringSSL), a closed-source server implementation (Cloudflare’s test server) and with wolfSSL and Rustls.

Note: ECH split-mode has not been implemented. Only ECH shared-mode is supported.

Details

The Transport Layer Security (TLS) 1.3 protocol, which secures internet connections, encrypts almost all of the messages passed between a client and a server. It does not, however, encrypt the very first message sent by a client to a server which is called the ClientHello. In order to get the correct certificate, the client may include a Server Name Indication (SNI) which indicates the domain the person using the client software wants to connect to.

Initially the solution was called Encrypted SNI (ESNI) and it simply encrypted the hostname. But further analysis revealed that other data fields in the ClientHello message could be used to identify the target domain. Rather than encrypt each field individually, the ECH standard provides a general mechanism for encrypting most of the data in that initial message. Implementing ECH represents significant progress for the OpenSSL Mission to provide security and privacy tools to everyone.

For details about how to configure an NGINX server to use ECH, see this post on their blog.

Stephen Farrell, a research fellow in the School of Computer Science and Statistics at Trinity College Dublin, was the driving force behind implementing ECH as a part of the Developing ECH for OpenSSL (DEfO) project. Previously he’d implemented Hybrid Public Key Encryption, which was a prerequisite for ECH. Last October, he spoke about the process at the OpenSSL Conference.