
Commit 9afdb06

Merge pull request #556 from sebastian-carpenter/client-ech-fix
fixing up ech examples
2 parents 52e4449 + 0e45f2f commit 9afdb06

6 files changed

+548
-188
lines changed

certs/ech-client-cert.pem

Lines changed: 59 additions & 75 deletions
@@ -1,75 +1,59 @@
1-
-----BEGIN CERTIFICATE-----
2-
MIIFTDCCBPKgAwIBAgIQA5JQzuqRJy3ljWStInKQTjAKBggqhkjOPQQDAjBKMQsw
3-
CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
4-
Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjMwMzA0MDAwMDAwWhcNMjQwMzAz
5-
MjM1OTU5WjB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
6-
A1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEe
7-
MBwGA1UEAxMVc25pLmNsb3VkZmxhcmVzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZI
8-
zj0DAQcDQgAE1RXa9mRvotUaWVPtrpuTGJGAawyYYNRRkK2czd3xEadvstkDYygE
9-
vE+xcpZFPPZQDkBlAAfvv8j2PNJ6f1nRN6OCA40wggOJMB8GA1UdIwQYMBaAFKXO
10-
N+rrsHUOlGeItEX62SQQh5YfMB0GA1UdDgQWBBRekDZj95YFBGStBKQhAaqPvUhb
11-
AzBQBgNVHREESTBHghVzbmkuY2xvdWRmbGFyZXNzbC5jb22CFWNyeXB0by5jbG91
12-
ZGZsYXJlLmNvbYIXKi5jcnlwdG8uY2xvdWRmbGFyZS5jb20wDgYDVR0PAQH/BAQD
13-
AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMDeg
14-
NaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vQ2xvdWRmbGFyZUluY0VDQ0NB
15-
LTMuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vQ2xvdWRmbGFy
16-
ZUluY0VDQ0NBLTMuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUH
17-
AgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB2BggrBgEFBQcBAQRqMGgw
18-
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcw
19-
AoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0ND
20-
QS0zLmNydDAMBgNVHRMBAf8EAjAAMIIBgQYKKwYBBAHWeQIEAgSCAXEEggFtAWsA
21-
dwDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYaqF9guAAAEAwBI
22-
MEYCIQCiv+PHjCl3yCBIN1geIV6nM8JVsdMDz+bi3fC0c5iSAAIhAN1bPyq66wKn
23-
kXI9P85jRI++sCieQ8zS4KBN/yL19DsfAHcAc9meiRtMlnigIH1HneayxhzQUV5x
24-
GSqMa4AQesF3crUAAAGGqhfYmwAABAMASDBGAiEA/rhcMmQfwxP2VpbyYpFPu5Sx
25-
n/0Jc+/PMDSRqpst6QYCIQCuaV7aGhmR/PbE0SyQ5Y81IUPew23t5cWgQZIDLddU
26-
GgB3AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABhqoX2GoAAAQD
27-
AEgwRgIhAI58QAtsPkKun97n+4/gpHNqUQrC9GIyxzTTeu1quBvSAiEA1t0uZKdn
28-
6KO27mCPHjtR8DUkhE27U2vhUICyuJGgVokwCgYIKoZIzj0EAwIDSAAwRQIhAPdp
29-
FGP8NBnFfOe0w0vRmNwRxujz2eXnMk2LrPKqUavGAiANK5eY+3XClhMvDTTJkhzh
30-
PEAwQeEKtlCRDESaSxItJw==
31-
-----END CERTIFICATE-----
32-
-----BEGIN CERTIFICATE-----
33-
MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
34-
MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
35-
clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
36-
MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
37-
BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
38-
QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
39-
nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
40-
16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
41-
GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
42-
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
43-
KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
44-
b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
45-
bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
46-
BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
47-
CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
48-
AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
49-
+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
50-
lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
51-
goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
52-
CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
53-
6DEdfgkfCv4+3ao8XnTSrLE=
54-
-----END CERTIFICATE-----
55-
-----BEGIN CERTIFICATE-----
56-
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
57-
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
58-
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
59-
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
60-
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
61-
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
62-
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
63-
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
64-
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
65-
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
66-
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
67-
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
68-
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
69-
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
70-
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
71-
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
72-
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
73-
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
74-
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
75-
-----END CERTIFICATE-----
1+
-----BEGIN CERTIFICATE-----
2+
MIICnzCCAiWgAwIBAgIQf/MZd5csIkp2FV0TttaF4zAKBggqhkjOPQQDAzBHMQsw
3+
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
4+
MBIGA1UEAxMLR1RTIFJvb3QgUjQwHhcNMjMxMjEzMDkwMDAwWhcNMjkwMjIwMTQw
5+
MDAwWjA7MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZp
6+
Y2VzMQwwCgYDVQQDEwNXRTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARvzTr+
7+
Z1dHTCEDhUDCR127WEcPQMFcF4XGGTfn1XzthkubgdnXGhOlCgP4mMTG6J7/EFmP
8+
LCaY9eYmJbsPAvpWo4H+MIH7MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggr
9+
BgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU
10+
kHeSNWfE/6jMqeZ72YB5e8yT+TgwHwYDVR0jBBgwFoAUgEzW63T/STaj1dj8tT7F
11+
avCUHYwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAChhhodHRwOi8vaS5wa2ku
12+
Z29vZy9yNC5jcnQwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2MucGtpLmdvb2cv
13+
ci9yNC5jcmwwEwYDVR0gBAwwCjAIBgZngQwBAgEwCgYIKoZIzj0EAwMDaAAwZQIx
14+
AOcCq1HW90OVznX+0RGU1cxAQXomvtgM8zItPZCuFQ8jSBJSjz5keROv9aYsAm5V
15+
sQIwJonMaAFi54mrfhfoFNZEfuNMSQ6/bIBiNLiyoX46FohQvKeIoJ99cx7sUkFN
16+
7uJW
17+
-----END CERTIFICATE-----
18+
-----BEGIN CERTIFICATE-----
19+
MIIDejCCAmKgAwIBAgIQf+UwvzMTQ77dghYQST2KGzANBgkqhkiG9w0BAQsFADBX
20+
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
21+
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIzMTEx
22+
NTAzNDMyMVoXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
23+
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0
24+
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8Fhzube
25+
Rr1r1WEYNa5A3XP3iZEwWus87oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019e
26+
WIZlD6GEZQbR3IvJx3PIjGov5cSr0R2Ko4H/MIH8MA4GA1UdDwEB/wQEAwIBhjAd
27+
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAd
28+
BgNVHQ4EFgQUgEzW63T/STaj1dj8tT7FavCUHYwwHwYDVR0jBBgwFoAUYHtmGkUN
29+
l8qJUC99BM00qP/8/UswNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRw
30+
Oi8vaS5wa2kuZ29vZy9nc3IxLmNydDAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8v
31+
Yy5wa2kuZ29vZy9yL2dzcjEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqG
32+
SIb3DQEBCwUAA4IBAQAYQrsPBtYDh5bjP2OBDwmkoWhIDDkic574y04tfzHpn+cJ
33+
odI2D4SseesQ6bDrarZ7C30ddLibZatoKiws3UL9xnELz4ct92vID24FfVbiI1hY
34+
+SW6FoVHkNeWIP0GCbaM4C6uVdF5dTUsMVs/ZbzNnIdCp5Gxmx5ejvEau8otR/Cs
35+
kGN+hr/W5GvT1tMBjgWKZ1i4//emhA1JG1BbPzoLJQvyEotc03lXjTaCzv8mEbep
36+
8RqZ7a2CPsgRbuvTPBwcOMBBmuFeU88+FSBX6+7iP0il8b4Z0QFqIwwMHfs/L6K1
37+
vepuoxtGzi4CZ68zJpiq1UvSqTbFJjtbD4seiMHl
38+
-----END CERTIFICATE-----
39+
-----BEGIN CERTIFICATE-----
40+
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
41+
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
42+
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
43+
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
44+
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
45+
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
46+
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
47+
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
48+
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
49+
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
50+
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
51+
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
52+
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
53+
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
54+
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
55+
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
56+
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
57+
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
58+
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
59+
-----END CERTIFICATE-----
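Review bot: the replaced bundle now holds CA certificates only, and the file should say so, because its name `ech-client-cert.pem` still suggests a client identity. Decoding the subjects in the hunk: the removed contents were a Cloudflare leaf for `sni.cloudflaressl.com` (validity ending 2024-03-03, so already expired) under `Cloudflare Inc ECC CA-3` and the Baltimore CyberTrust Root (ending 2025-05-12); the added contents are the Google Trust Services `WE1` issuing CA (valid to 2029-02-20), the `GTS Root R4` cross-certificate issued by `GlobalSign Root CA` (valid to 2028-01-28), and `GlobalSign Root CA` itself (also to 2028-01-28). Dropping the expired leaf is the right call, since a leaf never belongs in a file loaded as a trust store, but two follow-ups are worth doing in this PR: rename the file (for example `ech-ca-bundle.pem`) or add a leading comment line stating it is the CA bundle used to verify `crypto.cloudflare.com`, and either ship the self-signed `GTS Root R4` instead of the cross-signed one or note in the README that the chain as shipped stops validating when `GlobalSign Root CA` expires in January 2028.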

tls/README.md

Lines changed: 126 additions & 16 deletions
@@ -1339,45 +1339,155 @@ To generate your own cert text, see the [DER to C script](https://github.com/wol
13391339

13401340
## <a name="ech">Encrypted Client Hello</a>
13411341

1342-
Encrypted Client Hello (ECH) encrypts sensitive fields in the client hello step of the TLS handshake. The client-ech example connects to a cloudflare server that is setup to test different TLS options including ECH. To build wolfSSL for this ech example run `./configure --enable-ech && make && sudo make install`.
1342+
Encrypted Client Hello (ECH) encrypts sensitive fields in the TLS ClientHello
1343+
message. Doing so provides a means for hiding the Server Name Indication (SNI),
1344+
among other things, from passive observers.
13431345

1344-
This test is successful if the cloudflare http response shows that `sni=encrypted`.
1346+
To run these examples build wolfSSL with ECH support:
13451347

13461348
```sh
1347-
make
1348-
./client-ech
1349+
./configure --enable-ech && make && sudo make install
1350+
```
1351+
1352+
There are four ECH example programs in this directory:
1353+
1354+
| Program | Description |
1355+
|---|---|
1356+
| `client-ech` | Connects to Cloudflare to demonstrate real-world ECH |
1357+
| `server-ech-local` | Local ECH server; generates its own ECH config at startup |
1358+
| `client-ech-local` | Local ECH client; accepts a base64 ECH config as an argument |
1359+
| `client-ech-grease` | GREASE ECH probe; retrieves retry configs from a local server |
1360+
1361+
### client-ech — Real-World ECH with Cloudflare
1362+
1363+
`client-ech` demonstrates ECH against `crypto.cloudflare.com` in two phases:
1364+
1365+
1. **GREASE phase**: Connects to Cloudflare's ECH endpoint
1366+
(`cloudflare-ech.com`) without ECH configs set, which causes the library to
1367+
send GREASE ECH. The server responds with its actual ECH configs as retry
1368+
configs, which are collected via `wolfSSL_GetEchConfigs()`.
1369+
2. **ECH phase**: Reconnects using the retrieved configs. The retrieved configs
1370+
are set with `wolfSSL_SetEchConfigs()` which will set the public SNI to
1371+
(`cloudflare-ech.com`) in addition to enabling encryption of the client
1372+
hello. The private SNI is set via `wolfSSL_UseSNI()` to
1373+
(`crypto.cloudflare.com`).
1374+
1375+
The test succeeds when Cloudflare's `/cdn-cgi/trace` response shows
1376+
`sni=encrypted`.
1377+
1378+
```sh
1379+
make client-ech
1380+
./client-ech
13491381
HTTP/1.1 200 OK
1350-
Access-Control-Allow-Origin: *
1351-
Cache-Control: no-cache
1352-
Cf-Ray: 77c3e3e937c6b08e-ATL
1382+
Date: Tue, 24 Feb 2026 17:42:20 GMT
13531383
Content-Type: text/plain
1354-
Expires: Thu, 01 Jan 1970 00:00:01 GMT
1384+
Transfer-Encoding: chunked
1385+
Connection: keep-alive
1386+
Access-Control-Allow-Origin: *
13551387
Server: cloudflare
1356-
X-Content-Type-Options: nosniff
1388+
CF-RAY: 9d30c24adad5e17a-SEA
13571389
X-Frame-Options: DENY
1358-
Date: Mon, 19 Dec 2022 23:24:11 GMT
1359-
Transfer-Encoding: chunked
1390+
X-Content-Type-Options: nosniff
1391+
Expires: Thu, 01 Jan 1970 00:00:01 GMT
1392+
Cache-Control: no-cache
13601393

1361-
106
1362-
fl=507f46
1394+
10f
1395+
fl=542f337
13631396
h=crypto.cloudflare.com
13641397
ip=173.93.184.37
1365-
ts=1671492251.082
1398+
ts=1771954940.618
13661399
visit_scheme=https
13671400
uag=Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
1368-
colo=ATL
1401+
colo=SEA
13691402
sliver=none
13701403
http=http/1.1
13711404
loc=US
13721405
tls=TLSv1.3
13731406
sni=encrypted
13741407
warp=off
13751408
gateway=off
1376-
kex=P-256
1409+
rbi=off
1410+
kex=X25519
13771411

13781412
0
13791413
```
13801414

1415+
### Local ECH pair — server-ech-local and client-ech-local
1416+
1417+
`server-ech-local` and `client-ech-local` demonstrate ECH between two local
1418+
processes without requiring internet access or DNS.
1419+
1420+
`server-ech-local` generates its own ECH config at startup using
1421+
`wolfSSL_CTX_GenerateEchConfig()`, then encodes and prints it in base64. It
1422+
listens on port 11111 and sets its private SNI to `ech-private-name.com`. The
1423+
server loops accepting clients until it receives the message `shutdown`.
1424+
1425+
`client-ech-local` takes the server's base64 ECH config as a command-line
1426+
argument, loads it with `wolfSSL_SetEchConfigsBase64()`, and sets its private
1427+
SNI to `ech-private-name.com` before connecting on port 11111. It then reads a
1428+
message from stdin and sends it to the server.
1429+
1430+
Build:
1431+
1432+
```sh
1433+
make server-ech-local client-ech-local
1434+
```
1435+
1436+
Run the server in one terminal; it will print its ECH config:
1437+
1438+
```sh
1439+
./server-ech-local
1440+
ECH config: <base64-encoded-config>
1441+
Waiting for a connection...
1442+
```
1443+
1444+
Run the client in a second terminal, passing the base64 config the server printed:
1445+
1446+
```sh
1447+
./client-ech-local <base64-encoded-config>
1448+
Message for server: hello
1449+
Server: I hear ya fa shizzle!
1450+
Shutdown complete
1451+
```
1452+
1453+
Send `shutdown` as the message to stop the server.
1454+
1455+
### client-ech-grease — GREASE Probe to Retrieve Server ECH Configs
1456+
1457+
GREASE (Generate Random Extensions And Sustain Extensibility) provides several
1458+
benefits to a user:
1459+
1. Determines if a server supports ECH based on the response it gives.
1460+
2. Retrieves ECH configs from the server if the client does not know any. It is
1461+
an alternative to fetching them from DNS HTTPS records.
1462+
3. Reduces the extent to which GREASE vs ECH connections stick out.
1463+
1464+
`client-ech-grease` connects to a local server (such as `server-ech-local`) on
1465+
port 11111 without valid ECH configs, which causes the library to send GREASE
1466+
ECH. The server responds with its actual ECH configs as retry configs.
1467+
`client-ech-grease` retrieves these via `wolfSSL_GetEchConfigs()` and prints
1468+
them in base64. It takes the public SNI as a command-line argument.
1469+
1470+
Build:
1471+
1472+
```sh
1473+
make client-ech-grease
1474+
```
1475+
1476+
With `server-ech-local` already running in another terminal, probe for configs:
1477+
1478+
```sh
1479+
./client-ech-grease ech-public-name.com
1480+
ECH config: <base64-encoded-config>
1481+
1482+
Shutdown complete
1483+
```
1484+
1485+
The printed base64 config can then be passed directly to `client-ech-local`:
1486+
1487+
```sh
1488+
./client-ech-local <base64-encoded-config>
1489+
```
1490+
13811491
## TLS Example with Post-Handshake Authentication
13821492

13831493
See `client-tls-posthsauth.c` and `server-tls-posthsauth.c`. These server and client applications show how to do a handshake without the server authenticating the client. Then after the handshake is complete, the server requests authentication and the client authenticates itself to the server. This is mutual authentication with a faster handshake because the client authentication is done later. This can lead to a better user experience if there are conditions where the client need not be authenticated.
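Review bot: the GREASE-phase text in both the `client-ech` section and the `client-ech-grease` section should state that retry configs are only trusted because the outer handshake was authenticated: the client must verify the server certificate (against `certs/ech-client-cert.pem` for the Cloudflare case) before it treats the configs returned via `wolfSSL_GetEchConfigs()` as genuine, otherwise anyone on the path who can answer the GREASE connection could hand back an ECH config carrying their own public key and the "ECH phase" would encrypt the inner ClientHello to the attacker. One sentence such as "retry configs are accepted only from a server whose certificate verified; on a failed handshake the client discards them" closes that gap. Smaller points in the same hunk: the ECH-phase bullet wraps the hostnames in stray parentheses, `to (`cloudflare-ech.com`)` and `to (`crypto.cloudflare.com`)`, which should be plain backticked names; GREASE benefit 3, "Reduces the extent to which GREASE vs ECH connections stick out", reads better as "makes clients that really use ECH harder to distinguish from clients that only send GREASE"; and the `client-ech-grease` example passes `ech-public-name.com` as the public SNI while the `server-ech-local` paragraph only names the private SNI `ech-private-name.com`, so say which public name the server generates its config with so the reader knows what value to pass.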
