---
c: Copyright (C) Daniel Stenberg, <[email protected]>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_ECH
Section: 3
Source: libcurl
See-also:
  - CURLOPT_DOH_URL (3)
Protocol:
  - TLS
TLS-backend:
  - OpenSSL
  - wolfSSL
Added-in: 8.8.0
---

# NAME

CURLOPT_ECH - configuration for Encrypted Client Hello

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);
~~~

# DESCRIPTION

ECH is only compatible with TLSv1.3.

This experimental feature requires a special build of OpenSSL, as ECH is not
yet supported in OpenSSL releases. In contrast, ECH is supported by the latest
BoringSSL and wolfSSL releases.

There is also a known issue with wolfSSL: it does not support ECH when the
HelloRetryRequest mechanism is used.

Pass a string that specifies configuration details for ECH. In all cases, if
ECH is attempted, it may fail for various reasons. The keywords supported are:

## false

Turns off ECH.

## grease

Instructs the client to emit a GREASE ECH extension. (The connection fails if
ECH is attempted but fails.)

## true

Instructs the client to attempt ECH, if possible, but to not fail if
attempting ECH is not possible.

## hard

Instructs the client to attempt ECH and fail if attempting ECH is not
possible.

## ecl:\<base64-value\>

If the string starts with `ecl:` then the remainder of the string should be a
base64-encoded ECHConfigList that is used for ECH rather than attempting to
download such a value from the DNS.

## pn:\<name\>

If the string starts with `pn:` then the remainder of the string should be a
DNS/hostname that is used to override the public_name field of the
ECHConfigList that is used for ECH.

##

The application does not have to keep the string around after setting this
option.

Using this option multiple times makes the last set string override the
previous ones. Set it to NULL or "false" to disable its use again.

# DEFAULT

NULL, meaning ECH is disabled.

# %PROTOCOLS%

# EXAMPLE

~~~c
#include <curl/curl.h>

int main(void)
{
  CURL *curl = curl_easy_init();

  /* base64-encoded ECHConfigList, used instead of one fetched from the DNS */
  const char *config =
    "ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+"
    "CAAEAAEAAQANY292ZXIuZGVmby5pZQAA";
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_ECH, config);
    /* a real transfer also needs CURLOPT_URL set before this call */
    curl_easy_perform(curl);
    curl_easy_cleanup(curl); /* release the handle */
  }
  return 0;
}
~~~

# %AVAILABILITY%

# RETURN VALUE

Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient
heap space.
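
An `ecl:` value is an opaque blob to the application, so it is worth checking what it contains before pinning it in a configuration. The following is an added example, not part of libcurl or of the original page: it decodes the first ECHConfig of an `ecl:` string and reports its config_id, KEM and public_name (the field `pn:` overrides). It assumes the version 0xfe0d ECHConfig layout from the TLS ECH specification; `ech_parse_ecl`, `b64_decode`, `U16` and `struct ech_info` are names made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define U16(b, i) (((size_t)(b)[i] << 8) | (b)[(i) + 1]) /* big-endian uint16 */
struct ech_info { unsigned config_id, kem_id; char public_name[256]; };

/* Standard base64 decode; returns byte count, or -1 on bad input or overflow. */
static int b64_decode(const char *s, uint8_t *out, size_t cap)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  unsigned acc = 0, bits = 0, n = 0;
  for(; *s && *s != '='; s++) {
    const char *p = strchr(tbl, *s);
    if(!p || n == cap) return -1;
    acc = (acc << 6) | (unsigned)(p - tbl);
    if((bits += 6) >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
  }
  return (int)n;
}

/* Parse the first ECHConfig of an "ecl:" value; 0 on success, -1 if malformed. */
int ech_parse_ecl(const char *opt, struct ech_info *info)
{
  uint8_t b[1024];
  size_t p = 6, end, nlen;
  int len = strncmp(opt, "ecl:", 4) ? -1 : b64_decode(opt + 4, b, sizeof(b));
  if(len < 6 || U16(b, 0) != (size_t)len - 2) return -1; /* outer list length */
  end = 6 + U16(b, 4);                     /* end of the first ECHConfig */
  if(U16(b, 2) != 0xfe0d || end > (size_t)len || p + 5 > end) return -1;
  info->config_id = b[p];
  info->kem_id = (unsigned)U16(b, p + 1);
  p += 5 + U16(b, p + 3);                  /* skip the HPKE public key */
  if(p + 2 > end) return -1;
  p += 2 + U16(b, p);                      /* skip the cipher suites */
  /* b[p] is maximum_name_length, b[p+1] the name length; extensions follow */
  if(p + 2 > end || !(nlen = b[p + 1]) || p + 4 + nlen > end) return -1;
  memcpy(info->public_name, b + p + 2, nlen);
  info->public_name[nlen] = '\0';
  return 0;
}

int main(void)
{
  struct ech_info e; /* input: the ecl: value from the EXAMPLE section */
  if(ech_parse_ecl("ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+"
                   "CAAEAAEAAQANY292ZXIuZGVmby5pZQAA", &e)) return 1;
  printf("config_id=%u kem_id=0x%04x public_name=%s\n", e.config_id, e.kem_id, e.public_name);
  return 0;
}
```

For the value in the EXAMPLE section this reports config_id 239, KEM 0x0020 and public_name `cover.defo.ie`, which is the name the ECH specification places in the outer, cleartext ClientHello.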