Excellent work. ECH would be very useful in nginx.

My biggest concern with proposed approach is that this integration makes it virtually impossible to use nginx ECH with other TLS libraries such as BoringSSL or AWS-LC. They have no notion of ECHCONFIG PEM format. I would strongly recommend to have a simple configuration similar to ssl_ech *public_name* *config_id* *[key=file]* [noretry] proposed in yaroslavros@99fbe14 and manage these parameters inside nginx configuration instead of a dedicated directory with base-64 packaged file. I believe this would be more inline with the rest of nginx configuration approach.

Thanks for taking a look!

Excellent work. ECH would be very useful in nginx.

My biggest concern with proposed approach is that this integration makes it virtually impossible to use nginx ECH with other TLS libraries such as BoringSSL or AWS-LC.

That's not correct. Lighttpd supports both OpenSSL and boring with this format. That's s simple enough shim to handle the file format at the application layer. See here for the code. I'd be happy to do similarly for nginx should boring support be considered a requirement for this PR. (Which'd not be unreasonable.)

They have no notion of ECHCONFIG PEM format. I would strongly recommend to have a simple configuration similar to ssl_ech *public_name* *config_id* *[key=file]* [noretry] proposed in yaroslavros@99fbe14 and manage these parameters inside nginx configuration instead of a dedicated directory with base-64 packaged file. I believe this would be more inline with the rest of nginx configuration approach.

I really don't think we want an ECH config_id inside an nginx config file - cloudflare rotate their ECH keys hourly (as do I for my servers) so it's quite likely other deployments will do similarly.

Lastly, the apache2 maintainers seemed fine with this aspect in the comments they've made on the almost equivalent PR to this one.

Thanks for taking a look!

Excellent work. ECH would be very useful in nginx.
My biggest concern with proposed approach is that this integration makes it virtually impossible to use nginx ECH with other TLS libraries such as BoringSSL or AWS-LC.

That's not correct. Lighttpd supports both OpenSSL and boring with this format. That's s simple enough shim to handle the file format at the application layer. See here for the code. I'd be happy to do similarly for nginx should boring support be considered a requirement for this PR. (Which'd not be unreasonable.)

They have no notion of ECHCONFIG PEM format. I would strongly recommend to have a simple configuration similar to ssl_ech *public_name* *config_id* *[key=file]* [noretry] proposed in yaroslavros@99fbe14 and manage these parameters inside nginx configuration instead of a dedicated directory with base-64 packaged file. I believe this would be more inline with the rest of nginx configuration approach.

I really don't think we want an ECH config_id inside an nginx config file - cloudflare rotate their ECH keys hourly (as do I for my servers) so it's quite likely other deployments will do similarly.

Lastly, the apache2 maintainers seemed fine with this aspect in the comments they've made on the almost equivalent PR to this one.

Thanks for the correction! Indeed, not hardcoding config_id into configuration is very beneficial and having a history of making a compatibility shim for other libraries completely mitigates my key concern :-)

push above includes the obvious things from @yaroslavros comments today

As an FYI, the corresponding apache httpd functionality has been committed there: apache/httpd@0c9cd09

I'd be happy to do similarly for nginx should boring support be considered a requirement for this PR. (Which'd not be unreasonable.)

Indeed we do need BoringSSL support.

Also, reading a PEM file in nginx is only a half of the problem. The other half is how to create those files with BoringSSL?

Regarding the code, @sftcd could you please follow the nginx code style, see https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md for details.

@arut: happy to make changes along the above lines (maybe tomorrow before I get time to start that), but I've a question first: over the last week or so, the freenginx project has added ECH support taking a slightly different approach to what I did with this PR, the main difference is that they chose to configure file names for the ECH PEM files rather than a directory name (from which those ECH PEM files are read) as is done here. I don't know how or if nginx and freenginx try to maintain config file or other compatibility, but probably good if you tell me that you prefer following the file name or directory name approach before we go much further.

Some details can be seen here

I'd be happy to do similarly for nginx should boring support be considered a requirement for this PR. (Which'd not be unreasonable.)

Indeed we do need BoringSSL support.

Totally reasonable. If it's ok I'd suggest trying to agree how to use the OpenSSL ECH APIs first, then add a shim to make the same thing work with boring (or AWS-LC). That'd be simpler for me at least:-) Anyway, I'd be happy to follow such a plan.

Also, reading a PEM file in nginx is only a half of the problem. The other half is how to create those files with BoringSSL?

That's easy enough. I knocked up a small bash script that shows how.

Regarding the code, @sftcd could you please follow the nginx code style, see https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md for details.

Had tried to, and now have tried again (seeing that I'd missed some). Might take a few goes to be quite right, but happy to get there. Next push will include that.

push above tries to address @arut comments above, modulo when to do what about boring etc. (and of course my mistakes in trying to do the right thing:-)

Those all look sensible, thanks. Will get at 'em shortly but travelling today.

Those all look sensible, thanks. Will get at 'em shortly but travelling today.

Also please rebase the code to the recent master. We had some SNI-related changes there recently.

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
_{Posted by the CLA Assistant Lite bot.}

I have hereby read the F5 CLA and agree to its terms

recheck

The push above fixes the things requested this week except:

1. yet to look at the stream module
2. didn't make the change away from configuring a directory name
3. kept the variable as ssl_ech_outer_sni
4. configured ECH PEM files are still server wide, rather than per virtual server

I'll take a look at 1 above and we can discuss 2/3/4. First though, I'm gonna do a bit of playing with boringssl to see if the work the lighttpd maintainer did translates over as easily as I think it should.

The push above is a version that seems to work (with limited localhost tests) with BoringSSL. Likely would need more work, but passes those localhost tests ok (with real or GREASEd ECH and an HRR case).

The push above tries to add ECH to the stream module. Not that sure I've done that correctly, but it works in local testing.

@arut just checking where we're at (I have to do some project-internal reporting for month end:-) - do you need me to do anything to progress things?

@arut just checking where we're at (I have to do some project-internal reporting for month end:-) - do you need me to do anything to progress things?

I'm getting back to this now. I've been busy with the release.

@sftcd, any news about split mode? Feels like split mode is a bigger feature than shared mode.

@sftcd, any news about split mode? Feels like split mode is a bigger feature than shared mode.

Interesting! A lot of people have said to me that they don't find split-mode so interesting due to how they terminate TLS, but OTOH, we did a small trial with the Wikimedia foundation and they'd have loved to use split-mode if they had someone to be the client-facing server for them. (Finding such a someone turns out not that easy.)

Anyway, yes, I have a split-mode implementation for nginx, (and also for haproxy) using the stream module, but that needs an API that hasn't yet been agreed with the OpenSSL maintainers and that isn't in the OpenSSL feature branch. You'd have to build against a personal (or DEfO-project-specific) fork of OpenSSL rather than the OpenSSL project's ECH feature branch.

The split-mode API required is an oddball thing from the POV of the OpenSSL library - you need to use an SSL_CTX (as you don't have an SSL * connection), and the outerClientHello to get back the innerClientHello (with a bit more stuff for handling HRR to make it harder) and none of those are the sort of thing current APIs do.

You can see the DEfO-project fork's split-mode API here and the core of how we use that in nginx here. I'd not be surprised if the latter needed changes btw:-)

IIUC split-mode is also not yet supported by other TLS libraries.

So I think the way forward would be to handle ECH shared-mode first, then later to add split-mode in a separate PR once we've agreed a split-mode API with OpenSSL maintainers. (Once I've gotten that API agreed with OpenSSL maintainers I do plan to raise corresponding PRs with TLS server projects.)

@sftcd apparently there's a conflict with the latest changes in nginx, probably because of $ssl_sigalg. I'm pretty sure it's something trivial. Please rebase onto the latest master branch again.

@sftcd, any news about split mode? Feels like split mode is a bigger feature than shared mode.

Interesting! A lot of people have said to me that they don't find split-mode so interesting due to how they terminate TLS, but OTOH, we did a small trial with the Wikimedia foundation and they'd have loved to use split-mode if they had someone to be the client-facing server for them. (Finding such a someone turns out not that easy.)

Anyway, yes, I have a split-mode implementation for nginx, (and also for haproxy) using the stream module, but that needs an API that hasn't yet been agreed with the OpenSSL maintainers and that isn't in the OpenSSL feature branch. You'd have to build against a personal (or DEfO-project-specific) fork of OpenSSL rather than the OpenSSL project's ECH feature branch.

The split-mode API required is an oddball thing from the POV of the OpenSSL library - you need to use an SSL_CTX (as you don't have an SSL * connection), and the outerClientHello to get back the innerClientHello (with a bit more stuff for handling HRR to make it harder) and none of those are the sort of thing current APIs do.

You can see the DEfO-project fork's split-mode API here and the core of how we use that in nginx here. I'd not be surprised if the latter needed changes btw:-)

IIUC split-mode is also not yet supported by other TLS libraries.

So I think the way forward would be to handle ECH shared-mode first, then later to add split-mode in a separate PR once we've agreed a split-mode API with OpenSSL maintainers. (Once I've gotten that API agreed with OpenSSL maintainers I do plan to raise corresponding PRs with TLS server projects.)

Thanks for details. Please keep us updated regarding the progress in OpenSSL.

@sftcd apparently there's a conflict with the latest changes in nginx, probably because of $ssl_sigalg. I'm pretty sure it's something trivial. Please rebase onto the latest master branch again.

Just rebased, no other changes yet.

Ok pushed a version that tries to address all yesterday's comments unless I missed some;-( I'd say there's likely still more to be done too. Given there's a lot of changes (moving chunks of code about) if you'd like me to squash the commits, just say. (I'll be travelling tomorrow to the IETF meeting so might be slower responding for the next week.)

@sftcd, any news about split mode? Feels like split mode is a bigger feature than shared mode.

Interesting! A lot of people have said to me that they don't find split-mode so interesting due to how they terminate TLS, but OTOH, we did a small trial with the Wikimedia foundation and they'd have loved to use split-mode if they had someone to be the client-facing server for them. (Finding such a someone turns out not that easy.)

Anyway, yes, I have a split-mode implementation for nginx, (and also for haproxy) using the stream module, but that needs an API that hasn't yet been agreed with the OpenSSL maintainers and that isn't in the OpenSSL feature branch. You'd have to build against a personal (or DEfO-project-specific) fork of OpenSSL rather than the OpenSSL project's ECH feature branch.

The split-mode API required is an oddball thing from the POV of the OpenSSL library - you need to use an SSL_CTX (as you don't have an SSL * connection), and the outerClientHello to get back the innerClientHello (with a bit more stuff for handling HRR to make it harder) and none of those are the sort of thing current APIs do.

You can see the DEfO-project fork's split-mode API here and the core of how we use that in nginx here. I'd not be surprised if the latter needed changes btw:-)

IIUC split-mode is also not yet supported by other TLS libraries.

So I think the way forward would be to handle ECH shared-mode first, then later to add split-mode in a separate PR once we've agreed a split-mode API with OpenSSL maintainers. (Once I've gotten that API agreed with OpenSSL maintainers I do plan to raise corresponding PRs with TLS server projects.)

I looked at the split ech nginx implementation and I have one question. Obviously it's too early, but maybe discussing this now will help to come up with the right API.

The question is, how is config retry supposed to work? I only see one function SSL_CTX_ech_raw_decrypt() which extracts inner CH from outer CH. But what if this is not possible and nginx needs to send the current ech config? Obviously we need an SSL connection for this. But at the same time we need to feed the (already read) outer SNI to that connection and that's not something that can be easily done. So probably it's easier to start with an SSL connection anyway.

The question is, how is config retry supposed to work? I only see one function SSL_CTX_ech_raw_decrypt() which extracts inner CH from outer CH. But what if this is not possible and nginx needs to send the current ech config? Obviously we need an SSL connection for this. But at the same time we need to feed the (already read) outer SNI to that connection and that's not something that can be easily done. So probably it's easier to start with an SSL connection anyway.

What I've done for split-mode is setup a virtual host for the public_name (or backend in haproxy terms) where connections will land if SSL_CTX_ech_raw_decrypt() fails and if the client's error was to use the wrong ECHConfig then that virtual host will handle sending back the retry_configs.

I looked at the split ech nginx implementation and I have one question. Obviously it's too early, but maybe discussing this now will help to come up with the right API.

Forgot to say: thanks for taking a look, and if it turns out that the current API looks good to you, or we fix it to make that true, then that may well help when discussing split-mode with the OpenSSL maintainers... so thanks again:-)

The question is, how is config retry supposed to work? I only see one function SSL_CTX_ech_raw_decrypt() which extracts inner CH from outer CH. But what if this is not possible and nginx needs to send the current ech config? Obviously we need an SSL connection for this. But at the same time we need to feed the (already read) outer SNI to that connection and that's not something that can be easily done. So probably it's easier to start with an SSL connection anyway.

What I've done for split-mode is setup a virtual host for the public_name (or backend in haproxy terms) where connections will land if SSL_CTX_ech_raw_decrypt() fails and if the client's error was to use the wrong ECHConfig then that virtual host will handle sending back the retry_configs.

But to do this, you need to shove the outer CH back into the socket, don't you? Or you do it on a remote server after proxying?

But to do this, you need to shove the outer CH back into the socket, don't you? Or you do it on a remote server after proxying?

Ah, no - if the split-mode decrypt fails, the original (outer) CH is just processed as normal, so the connection will go to the server for the public_name however that's usually handled.

Not sure if it'll help or be more confusing but this config is our test case - after ECH decryption is attempted, if it worked, we'll route based on the inner SNI to foo.example.com, if ECH decryption failed, we route to example.com's server. (Note that that config doesn't take into account changes resulting from this PR as we've not updated that build for those changes yet.)

But to do this, you need to shove the outer CH back into the socket, don't you? Or you do it on a remote server after proxying?

Ah, no - if the split-mode decrypt fails, the original (outer) CH is just processed as normal, so the connection will go to the server for the public_name however that's usually handled.

OK, so the outer CH is proxied in this case and then the backend will do the retry config. My point is, it would be more efficient to handle it at the proxy though. Otherwise the backend needs the public certificate/key to do the retry config, which looks completely unnecessary.

Ok pushed a version that tries to address all yesterday's comments unless I missed some;-( I'd say there's likely still more to be done too. Given there's a lot of changes (moving chunks of code about) if you'd like me to squash the commits, just say. (I'll be travelling tomorrow to the IETF meeting so might be slower responding for the next week.)

In no particular order:

• As we discussed before, let's move the BoringSSL part to a separate PR. I'm still a little confused here, since BoringSSL cannot generate such PEM files, how much value is in reading them with BoringSSL. The main thing is it's possible to do in a consistent way with the current BoringSSL API.
• ssl_echfile - I'm not sure about the "file" part, but anyway I think we need a _ there: ssl_ech_file, a good example is ssl_ecdh_curve. Regaring the "file", sounds too general to me, but there seems to be no good term for this (echconfig+private_key) and the draft does not provide one. On the other hand, we do have ssl_password_file and ssl_stapling_file. What term do other projects use?
• There should be multiple directives allowed, each of them receiving a file name. See ssl_session_ticket_key: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key. The implementation should also be similar.
• While I did suggest file patterns as an option for future, I don't think we need it now. Other similar directives do not currently take patterns. This may or may not came as a separate change. And the "glob" expansion will be in in http/stream code, not in ssl code. The pattern will just expand to multiple files, like a shortcut for multiple directives. And if we do it for ech, but don't do it for other directives (like ssl_session_ticket_key, or maybe even ssl_certificate/ssl_certificate_key) this will be inconsistent. This needs to be done consistently across nginx, if we decide to do it (which we have not yet decided).

We should end up with a very simple patch at this point.

Regarding the squash, yes please do it.

Have a good trip!

@Maryna-f5 - if that milestone has a date that it'd be useful for me to understand be good to know that so I don't miss it. (I'm travelling home today so will be back at this once I get there.)

Hi, @sftcd,

Thank you for your contribution!
We are planning to release 1.29.4 milestone on December 9, 2025.

Gonna start doing that squash-commits and splitting out the boring stuff shortly. Will post on here when things are ready for another review, as I might temporarily break something in the PR branch along the way:-)

OK, I think the push above is the more minimal PR asked-for. It squashed commits, allows multiple ssl_echfile directives, and doesn't include BoringSSL nor globbing support. (I'll make a PR with both of those too in a bit.) I also rebased and added a small new thing - only the first named file from an ssl_echfile will be used in an ECH retry-config during the ECH fallback.

The more complete PR (with boriing support and globbing) is #973. A couple of notes on that:

• Yes, BoringSSL doesn't produce the ECH PEM files, but you can use boring's bssl command with a small script wrapper to make them .(Here's one)
• Given BoringSSL "releases" have ECH by default but OpenSSL doesn't yet include it in releases, that may argue to include boring support as soon as possible.
• You'll notice that there's a small bit of code in this PR now that's done to make ECH shared-mode with both BoringSSL and globbing #973 easier (e.g. an abstract ECH store void *). If you'd prefer not have that, that's fine.
• If you wanted, I'm fine with separating out the BoringSSL support from the globbing stuff, but I get the impression we'll be parking ECH shared-mode with both BoringSSL and globbing #973 for a while (which is fine if that's what's preferred) so I've left 'em together for now as the easier thing to do:-)

oops, I notice I forgot to do s/ssl_echfile/ssl_ech_file/ in that push, will do next go around if one's needed (probably:-)