TLS ECH confirmation fix and OuterExtension addition #9737

Draft
sebastian-carpenter wants to merge 5 commits into wolfSSL:master from sebastian-carpenter:tls-ech-confirmation-fix

@sebastian-carpenter sebastian-carpenter commented Feb 4, 2026

Description

Original issue stems from wolfssl-examples/tls/client-ech not working. This issue was a confirmation value mismatch between Cloudflare and our ECH client implementation. The confirmation value is present in the HelloRetryRequest's encrypted_client_hello extension.

  • Confirmation mismatch was resolved by refactoring most of the transcript code for ECH.
    • Managed to remove a transcript hash that seemed unnecessary. (hsHashesEchInner)
    • Merged most of the client and server calculation for ECH transcript into similar functions.
    • Random value only copied into client hello inner once now
  • Fixed segfault when server does not respond with a confirmation value
  • Added OuterExtensions extension support to the server to allow testing against openssl s_client (second confirmation that transcript hash is now correct)
    • OuterExtensions will copy extensions from the outer hello into the inner hello

Issues fixed when writing tests:

  • ssl->options.useEch got out of sync with whether echConfigs is actually a NULL pointer. Removed it.
    • This option was not always combined with echDisabled too, so updated relevant areas.
  • When generating a config the item is appended to the end of the LL of ech Configs. Seems inefficient so changed it to insert at the beginning.
  • Private SNI was never verified and, in fact, the server's private SNI was replaced by the public SNI. Added field in WOLFSSL_ECH struct to store the private SNI and a counter to keep track of when to verify the public vs the private SNI.
  • A wolfssl server with ECH enabled and echConfigs generated would expect ECH connections. Therefore, a client connecting without ECH would fail.
  • Some tests were not checking all return values or did not test for distinct problems.

Based fixes off of esni draft 25 (https://www.ietf.org/archive/id/draft-ietf-tls-esni-25.html)

Addresses github issue #6925

Testing

With ECH enabled OpenSSL:

openssl s_client -connect 127.0.0.1:11111 -servername ech-private-name.com -CAfile ../wolfssl-examples/certs/ca-cert.pem -tls1_3 -ech_config_list AEb+DQBCKwAgACARYidanwtcQUp0EfBd0qll0hpqgXpDlNj+iVAIUO5tDAAEAAEAAQATZWNoLXB1YmxpYy1uYW1lLmNvbQAA

This is run against the wolfssl-examples repo ./tls/server-ech-local example.

Also ran ./tls/client-ech-local against the example server and the updated ./tls/client-ech part of a wolfssl-example PR (wolfSSL/wolfssl-examples#556)

Added extra tests to more strenuously test ECH:

  • test_wolfSSL_SubTls13_ECH
    • Verify that ECH does not work below TLS 1.3
  • test_wolfSSL_Tls13_ECH_bad_configs
    • Make sure neither server nor client will connect when ech configs are incorrect. Mainly a check that SNIs match.
  • test_wolfSSL_Tls13_ECH_new_config
    • Check that the server tries more than just the first config.
  • test_wolfSSL_Tls13_ECH_GREASE
    • End to end test of GREASE ECH: checks that a server supports ECH / retrieves ECH configs from a server
  • test_wolfSSL_Tls13_ECH_disable_conn
    • Test if a mismatch in ECH support between server / client does not cause failures. Additionally, that ECH can even be turned off. It also tests public/private SNI verification through a callback.
  • test_wolfSSL_Tls13_ECH_enable_disable
    • Stress the enable/disable API for ECH

Checklist

  • [x] added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@sebastian-carpenter sebastian-carpenter self-assigned this Feb 4, 2026
@sebastian-carpenter sebastian-carpenter force-pushed the tls-ech-confirmation-fix branch 3 times, most recently from dee5c47 to 740c55f Compare February 5, 2026 00:00
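
The `-ech_config_list` value in the s_client command above can be decoded to check which public name and HPKE parameters the client is being handed. This is an added example, not code from the PR or from wolfSSL; the field layout follows the ECHConfig structure in draft-ietf-tls-esni-25, and the names `Reader` and `parse_ech_config_list` are assumptions made for illustration.

```python
import base64

# ech_config_list value copied from the s_client command in the PR description.
ECH_CONFIG_LIST_B64 = ("AEb+DQBCKwAgACARYidanwtcQUp0EfBd0qll0hpqgXpDlNj+iVAIUO5t"
                       "DAAEAAEAAQATZWNoLXB1YmxpYy1uYW1lLmNvbQAA")

class Reader:
    """Bounds-checked cursor over a TLS-encoded byte string (hypothetical helper)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ECHConfigList")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return int.from_bytes(self.take(2), "big")

    def done(self):
        return self.pos == len(self.data)

def parse_ech_config_list(b64):
    """Return one dict per ECHConfig; unknown versions are skipped by length."""
    outer = Reader(base64.b64decode(b64, validate=True))
    body = Reader(outer.take(outer.u16()))
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while not body.done():
        version = body.u16()
        contents = Reader(body.take(body.u16()))
        if version != 0xFE0D:  # ECHConfig version used by draft-ietf-tls-esni-25
            continue
        cfg = {"version": version, "config_id": contents.u8(), "kem_id": contents.u16()}
        cfg["public_key"] = contents.take(contents.u16())
        suites = Reader(contents.take(contents.u16()))
        cfg["cipher_suites"] = []  # (kdf_id, aead_id) pairs
        while not suites.done():
            cfg["cipher_suites"].append((suites.u16(), suites.u16()))
        cfg["maximum_name_length"] = contents.u8()
        cfg["public_name"] = contents.take(contents.u8()).decode("ascii")
        cfg["extensions"] = contents.take(contents.u16())
        if not contents.done():
            raise ValueError("trailing bytes inside ECHConfig")
        configs.append(cfg)
    return configs
```

The decoded `public_name` is the name expected in the outer ClientHello SNI, while the `-servername` argument in the command is the private name carried in the inner ClientHello.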

@dgarske dgarske left a comment

Code looks good. I'd like this PR to include testing as well. I don't see any. Thanks

@sebastian-carpenter sebastian-carpenter linked an issue Feb 10, 2026 that may be closed by this pull request
@sebastian-carpenter

> Code looks good. I'd like this PR to include testing as well. I don't see any. Thanks

I've added testing in api.c. Let me know if there's any tests you disagree with or which I should add.

I'll be making the github workflow to test against ECH enabled openssl s_client in the meantime.

Development

Successfully merging this pull request may close these issues.

Can't build ECH example on M1 Mac