Version
HEAD
Description
I am having issues with the API to manipulate ECH configurations -- possibly because I can't seem to find appropriate documentation, so I am working from the source in src/ssl_ech.c.
I want to build a client-facing proxy (in so-called hybrid mode; this will end up integrated into sslh), so I need to create key pairs, export the public key to the DNS, create new key pairs and expire older ones.
My current understanding is:
-
wolfSSL_CTX_GenerateEchConfig() creates a new keypair, and adds it to a list of existing keypairs.
-
wolfSSL_CXT_GetEchConfigs[Base64]() extract a list (public_name + public_key), which a server can then export to a DNS
-
wolfSSL_CXT_SetEchConfigs[Base64]() sets a (public_name + public_key), which clients can use to encrypt their SNI.
Which means, for a server, that:
-
I can generate new keypairs, but only from the server itself, as I cannot export the private keys (I think this is an architecture problem: it means my client-facing server is responsible for generating the keys, and that there must exist a path from that exposed server to the DNS; I would prefer to have an independant process that is exposed to nothing and generates keypairs, and sends the public configuration to the DNS on one side, and the private key to the client-facing server)
-
I can extract the public configuration with the wolfSSL_CTS_GetEchConfigBase64() to export to the DNS
-
.... there is no way to remove older keys? IIRC ECH specification suggests changing keys every hour, surely we can't keep keys on the server forever?
Additionally, my current understanding of the RFC is that an intermediate proxy should transmit the ClientHelloInner towards the end server, rather than the ClientHelloOuter. This implies two more APIs: the proxy needs to retrieve the ClientHelloInner (to forward it), and know the size of the ClientHelloOuter, to know how much to skip before sending the rest of the TLS connection.
Am I missing something, or are these APIs missing? I am happy to collaborate on the definition of the API, and even create PRs. I am also happy with splitting this as several issues if you prefer to track them independantly.
Version
HEAD
Description
I am having issues with the API to manipulate ECH configurations -- possibly because I can't seem to find appropriate documentation, so I am working from the source in
src/ssl_ech.c.I want to build a client-facing proxy (in so-called hybrid mode; this will end up integrated into sslh), so I need to create key pairs, export the public key to the DNS, create new key pairs and expire older ones.
My current understanding is:
wolfSSL_CTX_GenerateEchConfig()creates a new keypair, and adds it to a list of existing keypairs.wolfSSL_CXT_GetEchConfigs[Base64]()extract a list (public_name + public_key), which a server can then export to a DNSwolfSSL_CXT_SetEchConfigs[Base64]()sets a (public_name + public_key), which clients can use to encrypt their SNI.Which means, for a server, that:
I can generate new keypairs, but only from the server itself, as I cannot export the private keys (I think this is an architecture problem: it means my client-facing server is responsible for generating the keys, and that there must exist a path from that exposed server to the DNS; I would prefer to have an independant process that is exposed to nothing and generates keypairs, and sends the public configuration to the DNS on one side, and the private key to the client-facing server)
I can extract the public configuration with the
wolfSSL_CTS_GetEchConfigBase64()to export to the DNS.... there is no way to remove older keys? IIRC ECH specification suggests changing keys every hour, surely we can't keep keys on the server forever?
Additionally, my current understanding of the RFC is that an intermediate proxy should transmit the ClientHelloInner towards the end server, rather than the ClientHelloOuter. This implies two more APIs: the proxy needs to retrieve the ClientHelloInner (to forward it), and know the size of the ClientHelloOuter, to know how much to skip before sending the rest of the TLS connection.
Am I missing something, or are these APIs missing? I am happy to collaborate on the definition of the API, and even create PRs. I am also happy with splitting this as several issues if you prefer to track them independantly.