id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2275	Support Encrypted Client Hello	Seirdy		"Current specification: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

Encrypted Client Hello removes a major source of information leakage when using TLS: the hostname. When combined with OCSP Must-Staple, the only information leaked over a TLS connection will be the source/dest IPs and traffic sizing (the latter of which can be mitigated with TLS 1.3's random padding). This offers a significant privacy improvement.

ECH has been implemented by Firefox, Cloudflare, H2O (in quictls), NSS, and BoringSSL.

ECH was previously known as ESNI (Encrypted SNI). The EFF promoted it in its Deeplinks blog: https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https"	enhancement	new	minor		nginx-module	1.19.x		TLS, security	Seirdy	Linux host01 5.14.16-301.fc35.x86_64 #1 SMP Wed Nov 3 13:55:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.21.4 (static-pie gcc musl mimalloc-secure zlib-ng brotli march=haswell boringssl hpack nginx build)
built by gcc 10.2.1 20201203 (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --build='static-pie gcc musl mimalloc-secure zlib-ng brotli march=haswell boringssl hpack nginx build' --with-file-aio --with-threads --with-pcre --with-debug --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_quic_module --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_grpc_module --without-http_uwsgi_module --without-http_empty_gif_module --without-http_ssi_module --without-http_fastcgi_module --without-http_scgi_module --without-http_referer_module --without-http_split_clients_module --without-http_userid_module --without-http_access_module --without-http_mirror_module --without-http_autoindex_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_hash_module --with-cc-opt='-O3 -DNDEBUG -fno-semantic-interposition -fipa-pta -fdevirtualize-at-ltrans -march=haswell -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-all -m64 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fpic -fpie -static-pie -s -L. -fno-plt -Bsymbolic -malign-data=cacheline -Wno-parentheses -Wno-unused-value -Wno-unused-but-set-variable -flto -fvisibility=hidden -fgraphite-identity -ffunction-sections -fdata-sections -mtls-dialect=gnu2 -L/ghq/git.musl-libc.org/musl/lib -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -fno-builtin-memalign -fno-builtin-posix_memalign -fno-builtin-valloc -fno-builtin-pvalloc -I/ghq/github.com/zlib-ng/zlib-ng -I/ghq/github.com/zlib-ng/zlib-ng/build-server-gcc -I/ghq/boringssl.googlesource.com/boringssl/include -Wno-error -DTCP_FASTOPEN=23 -I/ghq/src.fedoraproject.org/rpms/pcre/pcre-8.44' --with-ld-opt='-O3 -DNDEBUG -fno-semantic-interposition -fipa-pta -fdevirtualize-at-ltrans -march=haswell -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-all -m64 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full -fpic -fpie -static-pie -s -L. -fno-plt -Bsymbolic -malign-data=cacheline -Wno-parentheses -Wno-unused-value -Wno-unused-but-set-variable -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -Wl,-E -Wl,-z,noexecstack -Wl,-Bstatic -L/ghq/git.musl-libc.org/musl/lib -Wl,--gc-sections -L/ghq/github.com/zlib-ng/zlib-ng/build-server-gcc -l:libz.a -lz -L/ghq/boringssl.googlesource.com/boringssl/build-server-gcc/ssl -l:libssl.a -L/ghq/boringssl.googlesource.com/boringssl/build-server-gcc/crypto -l:libcrypto.a -L/ghq/src.fedoraproject.org/rpms/pcre/pcre-8.44/.libs' --add-module=/ghq/github.com/google/ngx_brotli/static --add-module=/ghq/github.com/openresty/headers-more-nginx-module"