ECH.md - OpenGrok cross reference for /external/curl/docs/ECH.md

Lines Matching +full:- +full:- +full:enable +full:- +full:ares
1 <!--
4 SPDX-License-Identifier: curl
5 -->
7 # Building curl with HTTPS-RR and ECH support
11 from the command line. This works with OpenSSL, wolfSSL, BoringSSL or AWS-LC as
16 This should however provide enough of a proof-of-concept to prompt an informed
21 To build our ECH-enabled OpenSSL fork:
25     git clone https://github.com/defo-project/openssl
27     ./config --libdir=lib --prefix=$HOME/code/openssl-local-inst
29     make -j8
35 To build curl ECH-enabled, making use of the above:
41     autoreconf -fi
42 …LDFLAGS="-Wl,-rpath,$HOME/code/openssl-local-inst/lib/" ./configure --with-ssl=$HOME/code/openssl-…
50 ECH is not enabled, so go back some steps and re-do whatever needs re-doing:-)
51 If you want to debug curl then you should add ``--enable-debug`` to the
54 In a recent (2024-05-20) build on one machine, configure failed to find the
55 ECH-enabled SSL library, apparently due to the existence of
56 ``$HOME/code/openssl-local-inst/lib/pkgconfig`` as a directory containing
67 …ARY_PATH=$HOME/code/openssl ./src/curl --ech true --doh-url https://one.one.one.one/dns-query http…
69     SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
78     https://defo.ie/ech-check.php
79     https://draft-13.esni.defo.ie:8413/stats
80     https://draft-13.esni.defo.ie:8414/stats
81     https://crypto.cloudflare.com/cdn-cgi/trace
82     https://tls-ech.dev
91 - ``--ech <config>`` - the ``config`` value can be one of:
92     - ``false`` says to not attempt ECH
93     - ``true`` says to attempt ECH, if possible
94     - ``grease`` if attempting ECH is not possible, then send a GREASE ECH extension
95     - ``hard`` hard-fail the connection if ECH cannot be attempted
96     - ``ecl:<b64value>`` a base64 encoded ECHConfigList, rather than one accessed from the DNS
97     - ``pn:<name>`` override the ``public_name`` from an ECHConfigList
107 cut-and-paste, e.g.:
117 …enssl ./src/curl --ech ecl:AED+DQA8PAAgACD8WhlS7VwEt5bf3lekhHvXrQBGDrZh03n/LsNtAodbUAAEAAEAAQANY29…
119     SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
129 …sl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY…
135 There is a reason to want this command line option - for use before publishing
136 an ECHConfigList in the DNS as per the Internet-draft [A well-known URI for
137 publishing ECHConfigList values](https://datatracker.ietf.org/doc/draft-ietf-tls-wkech/).
144 …sl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY…
152 For now, this only works for the OpenSSL and BoringSSL/AWS-LC builds.
157 so one can set the DoH URL and enable ECH that way:
161     doh-url=https://one.one.one.one/dns-query
166 Note that when you use the system's curl command (rather than our ECH-enabled
168 issue (e.g. if some script re-directs stdout and stderr somewhere) then adding
170 course, yet another script could depend on non-silent behavior, so you may have
195     ./src/curl https://defo.ie/ech-check.php
197     SSL_ECH_STATUS: success <img src="greentick-small.png" alt="good" /> <br/>
201 The ``--ech true`` option is opportunistic, so tries to do ECH but does not fail if
202 the client for example cannot find any ECHConfig values. The ``--ech hard``
203 option hard-fails if there is no ECHConfig found in DNS, so for now, that is not
211 - ``USE_HTTPSRR`` is used for HTTPS RR retrieval code that could be generically
212   used should non-ECH uses for HTTPS RRs be identified, e.g. use of ALPN values
215 - ``USE_ECH`` protects ECH specific code.
224 determined :-)
229 purpose. This code also implements the opportunistic (``--ech true``) or hard-fail
230 (``--ech hard``) logic.
250 - We could easily add code to make use of an ``alpn=`` value found in an HTTPS
256 - Only the first HTTPS RR value retrieved is actually processed as described
258 could be non-trivial if multiple RRs are published - matching IP address hints
261 needs re-checking as it has been a while.
263 - It is unclear how one should handle any IP address hints found in an HTTPS RR.
264   It may be that a bit of consideration of how "multi-CDN" deployments might
268 - The SVCB/HTTPS RR specification supports a new "CNAME at apex" indirection
269   ("aliasMode") - the current code takes no account of that at all. One could
275 - We have not investigated what related changes or additions might be needed
279 - We have not yet implemented tests as part of the usual curl test harness as
280 doing so would seem to require re-implementing an ECH-enabled server as part
291 To build with cmake, assuming our ECH-enabled OpenSSL is as before:
299     cmake -DOPENSSL_ROOT_DIR=$HOME/code/openssl -DUSE_ECH=1 ..
306 The binary produced by the cmake build does not need any ECH-specific
312 with that, instead of our ECH-enabled OpenSSL:
318     cmake -DCMAKE_INSTALL_PREFIX:PATH=$HOME/code/boringssl/inst -DBUILD_SHARED_LIBS=1
330     autoreconf -fi
331 …LDFLAGS="-Wl,-rpath,$HOME/code/boringssl/inst/lib" ./configure --with-ssl=$HOME/code/boringssl/ins…
337 The BoringSSL/AWS-LC APIs are fairly similar to those in our ECH-enabled
341 The BoringSSL/AWS-LC APIs however do not support the ``--ech pn:`` command
353     ./configure --prefix=$HOME/code/wolfssl/inst --enable-ech --enable-debug --enable-opensslextra
360 ``--enable-opensslextra`` turns out (after much faffing about;-) to be
367     autoreconf -fi
368     ./configure --with-wolfssl=$HOME/code/wolfssl/inst --enable-ech
374 - The main issue is that the client currently handles HelloRetryRequest
377   [this ECH test web site](https://tls-ech.dev) and any other similarly configured
379 - There is also an issue related to so-called middlebox compatibility mode.
386 - The DoH URL in``$HOME/.curlrc`` can use `1.1.1.1` for OpenSSL but has to be
388 - There seems to be some difference in CA databases too - the wolfSSL version
390   ignore that for our purposes via ``--insecure``/``-k`` but would need to fix
395 - tweak to ``configure.ac`` to check if wolfSSL has ECH or not
396 - added code to ``lib/vtls/wolfssl.c`` mirroring what's done in the
398 - wolfSSL does not support ``--ech false`` or the ``--ech pn:`` command line
401 The lack of support for ``--ech false`` is because wolfSSL has decided to
404 BoringSSL/AWS-LC. (Both are reasonable.)
410 All of the above only applies if DoH is being used. There should be a use-case
411 for ECH when DoH is not used by curl - if a system stub resolver supports DoT
415 on localhost:53, so would fit this use-case. That said, it is unclear if
417 let curl use DoH to talk to the same public recursive that stubby might use:-)
419 Assuming for the moment this is a use-case we would like to support, then if
421 support for ECH. One option would seem to be to extend the ``c-ares`` library
423 changes would be attractive to the ``c-ares`` maintainers, nor whether the
425 match for the ``c-ares`` approach of defining structures specific to decoded
427 curl deployments actually make use of the ``c-ares`` library, which would
449 [localhost tests](https://github.com/defo-project/ech-dev-utils/blob/main/howtos/localhost-tests.md)
454     cd $HOME/code/ech-dev-utils
455     ./scripts/echsvr.sh -d
459 The ``echsvr.sh`` script supports many ECH-related options. Use ``echsvr.sh -h``
466 …./src/curl -vvv --insecure  --connect-to foo.example.com:8443:localhost:8443  --ech ecl:AD7+DQA6uw…
472 application - for a command line tool, one can just use ``dig`` (or ``kdig``)
477 Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE