ECH with multiple tenants#10913
Open
sebastian-carpenter wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds and refines support for TLS 1.3 Encrypted ClientHello (ECH) in multi-tenant server scenarios (multiple private SNI values), including CTX swapping during SNI callback handling, updated examples/interop tooling, and expanded ECH test coverage with new demo certificates.
Changes:
- Enable multi-tenant ECH by ensuring ECH config material remains available when swapping server
WOLFSSL_CTXduring SNI callbacks (and by ensuring SNI is properly acknowledged). - Refactor/guard ECH handling in core TLS 1.3 codepaths and extension parsing/writing logic.
- Update tests, examples, and OpenSSL interop scripts to use “public” vs “private” certificates and add new multi-SNI/multi-CTX test cases.
Reviewed changes
Copilot reviewed 20 out of 24 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/test.h | Adds ECH cert/key file macros and a helper to print ECH status in examples. |
| wolfssl/internal.h | Updates internal ECH struct flags and exposes internal helper prototypes used by new logic. |
| wolfssl/certs_test.h | Adds embedded DER buffers for the ECH public cert/key (no-filesystem builds). |
| tests/api.c | Expands/refactors ECH tests, adding multi-tenant scenarios and more SNI/ECH parsing vectors. |
| src/tls13.c | Adjusts TLS 1.3 ClientHello and ServerHello ECH handling (state/guards and inner CH header handling). |
| src/tls.c | Exposes TLSX_SNI_GetRequest for tests, tightens ECH parsing, and updates ECH response behavior. |
| src/ssl.c | Ensures ECH config public material is preserved across server CTX swaps (wolfSSL_set_SSL_CTX). |
| src/ssl_ech.c | Implements copying of public ECH config fields into ssl-owned memory for CTX swapping scenarios. |
| src/internal.c | Ensures SNI is properly acknowledged after SNI callback acceptance by setting the extension response. |
| gencertbuf.pl | Adds ECH public cert/key to generated cert buffers list. |
| examples/server/server.c | Adds --ech-cert/--ech-key, SNI callback logic to swap to private cert after ECH acceptance, and improved logging. |
| examples/client/client.c | Prints ECH status after connect attempt to aid debugging/interop. |
| .github/scripts/openssl-ech.sh | Reworks OpenSSL interop to use new public/private certs and runtime reject config corruption. |
| certs/ech-public-cert.pem | Adds public-name demo certificate used for outer/rejected handshakes. |
| certs/ech-public-key.pem | Adds corresponding private key for the public-name demo certificate. |
| certs/tenant-a-cert.pem | Adds tenant A demo certificate for multi-tenant ECH tests/examples. |
| certs/tenant-b-cert.pem | Adds tenant B demo certificate for multi-tenant ECH tests/examples. |
| certs/renewcerts/wolfssl.cnf | Adds OpenSSL config sections for generating the new ECH/tenant certs. |
| certs/renewcerts.sh | Extends cert renewal script to generate new ECH/tenant certs/keys. |
| certs/include.am | Adds new ECH/tenant cert/key files to distribution lists. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
e94ffa1 to
19dcdb3
Compare
Contributor
Author
|
Jenkins retest this please. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add support for ECH with multiple tenants (i.e., multiple private SNI's).
Ran into some issues with the SNI_Callback function when running the new callback tests:
*_multi_sniand*_multi_ctx. The server never ack's an SNI that was accepted. This was fixed by addingTLSX_SetResponse(ssl, TLSX_SERVER_NAME)to the default case. Not sure if a new case would be preferred (ack_return?) or if this should be placed in the default since it could affect many users.ECH testing:
ECH code:
client/server examples:
openssl interop:
Added certs/keys:
Updated certs scripts:
Checklist