RFC 9849. TLS Encrypted Client Hello
5 hours ago
- #Encrypted Client Hello
- #Server Configuration
- #TLS
- The server determines if it will accept ECH (Encrypted Client Hello) before negotiating other TLS parameters.
- Candidate ECHConfig values are collected either by matching config_id or through trial decryption.
- Local discovery mode may randomize ECHClientHello.config_id to prevent tracking, requiring trial decryption.
- The server verifies cipher suite and version compatibility before attempting decryption.
- Decryption involves using the server's private key and specific parameters to reconstruct ClientHelloInner.
- Optional checks include matching the 'server_name' extension with ECHConfig's public_name.
- If decryption fails, the server proceeds with ClientHelloOuter, possibly including retry_configs in EncryptedExtensions.
- After a HelloRetryRequest, the server checks for consistency in the second ClientHelloOuter's ECH extension.
- Decryption failure does not necessarily indicate misconfiguration, as it could be a GREASE ECH extension.
- The server must handle state or coordinate with backend servers when forwarding ClientHello messages.