Opened 2 years ago

Last modified 5 months ago

#2275 new enhancement

Support Encrypted Client Hello

Reported by: Seirdy Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: TLS, security Cc: Seirdy
uname -a: Linux host01 5.14.16-301.fc35.x86_64 #1 SMP Wed Nov 3 13:55:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.4 (static-pie gcc musl mimalloc-secure zlib-ng brotli march=haswell boringssl hpack nginx build)
built by gcc 10.2.1 20201203 (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --build='static-pie gcc musl mimalloc-secure zlib-ng brotli march=haswell boringssl hpack nginx build' --with-file-aio --with-threads --with-pcre --with-debug --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_quic_module --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_grpc_module --without-http_uwsgi_module --without-http_empty_gif_module --without-http_ssi_module --without-http_fastcgi_module --without-http_scgi_module --without-http_referer_module --without-http_split_clients_module --without-http_userid_module --without-http_access_module --without-http_mirror_module --without-http_autoindex_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_hash_module --with-cc-opt='-O3 -DNDEBUG -fno-semantic-interposition -fipa-pta -fdevirtualize-at-ltrans -march=haswell -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-all -m64 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fpic -fpie -static-pie -s -L. -fno-plt -Bsymbolic -malign-data=cacheline -Wno-parentheses -Wno-unused-value -Wno-unused-but-set-variable -flto -fvisibility=hidden -fgraphite-identity -ffunction-sections -fdata-sections -mtls-dialect=gnu2 -L/ghq/git.musl-libc.org/musl/lib -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -fno-builtin-memalign -fno-builtin-posix_memalign -fno-builtin-valloc -fno-builtin-pvalloc -I/ghq/github.com/zlib-ng/zlib-ng -I/ghq/github.com/zlib-ng/zlib-ng/build-server-gcc -I/ghq/boringssl.googlesource.com/boringssl/include -Wno-error -DTCP_FASTOPEN=23 -I/ghq/src.fedoraproject.org/rpms/pcre/pcre-8.44' --with-ld-opt='-O3 -DNDEBUG -fno-semantic-interposition -fipa-pta -fdevirtualize-at-ltrans -march=haswell -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-all -m64 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fpic -fpie -static-pie -s -L. -fno-plt -Bsymbolic -malign-data=cacheline -Wno-parentheses -Wno-unused-value -Wno-unused-but-set-variable -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -Wl,-E -Wl,-z,noexecstack -Wl,-Bstatic -L/ghq/git.musl-libc.org/musl/lib -Wl,--gc-sections -L/ghq/github.com/zlib-ng/zlib-ng/build-server-gcc -l:libz.a -lz -L/ghq/boringssl.googlesource.com/boringssl/build-server-gcc/ssl -l:libssl.a -L/ghq/boringssl.googlesource.com/boringssl/build-server-gcc/crypto -l:libcrypto.a -L/ghq/src.fedoraproject.org/rpms/pcre/pcre-8.44/.libs' --add-module=/ghq/github.com/google/ngx_brotli/static --add-module=/ghq/github.com/openresty/headers-more-nginx-module

Description

Current specification: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

Encrypted Client Hello removes a major source of information leakage when using TLS: the hostname. When combined with OCSP Must-Staple, the only information leaked over a TLS connection will be the source/dest IPs and traffic sizing (the latter of which can be mitigated with TLS 1.3's random padding). This offers a significant privacy improvement.

ECH has been implemented by Firefox, Cloudflare, H2O (in quictls), NSS, and BoringSSL.

ECH was previously known as ESNI (Encrypted SNI). The EFF promoted it in its Deeplinks blog: https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https

Change History (6)

comment:1 by arekm.maven.pl@…, 7 months ago

google chrome 117 ships with ECH support (hiding under flag for now)

https://chromestatus.com/feature/6196703843581952

comment:2 by arekm.maven.pl@…, 6 months ago

comment:3 by Neil Craig, 6 months ago

+1 on this. We're very keen to roll out ECH for privacy and also as an anti-blocking mechanism.

comment:4 by hardfalcon@…, 6 months ago

Here seems to be an experimental EHC implementation for nginx, though I have not tested if it actually works:

https://github.com/sftcd/nginx/tree/ECH-experimental

Note that this likely requires an equally experimental ECH-enabled fork open OpenSSL:

https://github.com/sftcd/openssl/tree/ECH-draft-13c/

Last edited 6 months ago by hardfalcon@… (previous) (diff)

in reply to:  4 comment:5 by Seirdy, 5 months ago

Replying to hardfalcon@…:

Note that this likely requires an equally experimental ECH-enabled fork open OpenSSL:

https://github.com/sftcd/openssl/tree/ECH-draft-13c/

Yeah. Rather than an experimental fork of OpenSSL, it's probably safer to use BoringSSL for now.

comment:6 by yaroslavros@…, 5 months ago

I've submitted an experimental patch to nginx-devel list that implements ECH with BoringSSL.

Source code fork with this patch is also available at https://github.com/yaroslavros/nginx/

Tested against current Chrome and Firefox.

Note: See TracTickets for help on using tickets.