
ECH PR - time to make it an experimental feature?

From: Stephen Farrell <>
Date: Tue, 2 Apr 2024 21:47:23 +0100


A few months back I posted a PR [1] for ECH.

The ECH spec has now finished working group last
call in the IETF TLS WG [2] so will likely become
an RFC with no substantive change in a few months.

My PR [1] has support for use of OpenSSL (via my
ECH-enabled fork), and for boringssl and wolfssl.

If there's an appetite for moving this along to be
an experimental feature, I'd be able to devote some
time to that in the next while. (Not that I've figured
out curl release cycles, so "next while" is fairly

The main missing things before this could be said
to be fully done would be:

- tests - there's currently a separate bash script
for doing tests as I'm not sure how to create real
ECH tests without implementing an ECH-enabled server
just for the test harness

- the handling of HTTPS RRs is relatively basic for
now, but improving on that would likely be better as
a separate PR anyway, so that's probably not a biggie

- to the extent that boringssl even has "releases,"
ECH support for curl builds that use boringssl seems
to work just fine

- I have a similar PR for ECH-enabling OpenSSL [3]
but as that's a whopper of a PR, it'll likely be some
time before OpenSSL releases include ECH

- last time I tested there was a bug in wolfssl's
ECH handling (only in the exceptional case when one
hits HRR) - I'm not sure if that's been fixed since or

I'm not sure if any of the above would be considered
a blocker for merging as an experimental feature.

Anyway, I'm available to respond to reviews and do
bits of work if it's now timely to move this along.
OTOH, if now's not the time, that's ok too.



Received on 2024-04-02