curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: ECH support when curl is using DoH

From: Daniel Stenberg via curl-library <>
Date: Wed, 13 Sep 2023 13:56:40 +0200 (CEST)

On Wed, 13 Sep 2023, Stephen Farrell via curl-library wrote:

Lovely to see the progress!

> - Only the first HTTPS RR value retrieved is actually processed as described
> at [2]. That could be extended in future, though picking the "right" HTTPS
> RR could be non- trivial if multiple RRs are published - matching IP address
> hints versus A/AAAA values might be a good basis for that. Last I checked
> though, browsers supporting ECH didn't handle multiple HTTPS RRs well,
> though that needs re-checking as it's been a while.

This is a very specific problem that I suspect we can only get the answer to
by looking how others do it and see how things work in real life when we try
to use the feature. I think picking and documenting the solution is enough,
and then we adapt and adjust as we go forward. Like with everything.

I also want to mention that we have also discussed adding support for HTTPS
records for other purposes than ECH. More specificaly for selecting HTTP/3.
There has also been voices "out there" talking about an updated take to
alt-svc that would use (rely on) it so maybe this record will become a
slightly more important piece in our infra going forward.

I'm just saying this so that you keep that in mind when working on this, so
that you don't think "too" ECH-specific here. We have not otherwise come
around yet to actually try any code for this for anything else, so your work
here is the first in this area as far as I know.

In addition to several of your other thoughts: one of the benfits with us
adding new features such as this as EXPERIMENTAL is that we do not carve the
API or options in stone until we remove that tag. That means that for such
feeatures it is fine to start with the basic approach that we can think of,
and then polish and improve that as we go forward and get feedback and
experience from real user and their use cases. We don't have to figure out the
best possible solution ahead of time, we can allow ourselves to evolve from
"something that works" to "awesome controls" in the actual code repo.

TLS wise: I know wolfSSL already has ECH support in their API and possibly a
few of the others libs have too. We need to think a bit there so that we do a
proper internal API to allow other TLS backends to get the same functionality
with causing too much pain.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-09-13