-
Notifications
You must be signed in to change notification settings - Fork 57
Implementation sharp edges
sftcd edited this page Nov 3, 2021
·
4 revisions
- DNS dependency and plumbing will be very non-trivial for clients like curl or wget
- to date curl has only had to have very simple DNS handling, the need to support SVCB/HTTPS (in order to get ECH) makes that far more complex, with name chasing needed and possibly complex caching
- ECHConfig.public_name IP address parsing is non-trivial (WHATWG? Something else?)
- ECH split-mode + HRR requires modifying more than just the first message in a connection
- E.g. for haproxy it makes sense to handle split-mode ECH using "tcp" mode (as opposed to "http" mode which is suitable when haproxy is acting as the TLS server endpoint); it appears that haproxy in tcp mode can only examine or change the first message in a connection (presumably for performance reasons, but that's still TBC) - the result may be that HRR can't easily work in one setup where it might be most relevant?
- ECH implementation complexity generates possibly many many test cases
- there are so many more moving parts in ECH (vs. ESNI) that the number of test cases could be huge