Skip to content
@defo-project

DEfO Project

Developing ECH for OpenSSL
README.md

Developing ECH for OpenSSL (DEfO)

The encrypted ClientHello (ECH) mechanism (draft-spec) is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that's used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL as a demonstration and for interoperability testing. DEfO is funded by the Open Technology Fund (OTF). Tolerant Networks Ltd. and people from the Guardian Project are doing the work in DEfO.

This organisation is where we keep our various ECH-enabled code repos and our ech-dev-utils repo that has HOWTOs, test scripts and other ancillary ECH developer content. That's the place to start if you want to play with these ECH-enabled packages.

Builder/CI status for repos

The ECH APIs used in these repos match those agreed with OpenSSL maintainers, as part of the work to upstream our ECH code into the OpenSSL ECH feature branch. That work is partly completed, so you can think of the OpenSSL repo here as being a few PRs ahead of the "official" OpenSSL feature branch for ECH.

For each of these ECH-enabled repos, we've added a 'builder' workflow (run daily and after a push) that attempts to merge our code with the latest upstream and that then does a build and a basic test. We expect these to fail from time to time as changes occur in the upstream packages. When that happens, there's a red badge below and we usually fix those within a couple of days by rebasing the repos here with the relevant upstream. Note that a red badge doesn't mean that our ECH-enabled code is broken, just that some manual intervention is needed to bring us back up to the bleeding edge with the upstream package.

Packages with our ECH code yet to be upstreamed:

Package 'Builder' status Details
openssl openssl packages.yaml workflow link
apache-httpd apache-httpd packages.yaml workflow link
haproxy haproxy packages.yaml workflow link
nginx nginx packages.yaml workflow link
python python packages.yaml workflow link

For packages where our ECH code has already been upstreamed, we also have a daily check that those build and pass a basic ECH test. So far, that's just for curl and lighttpd:

Package 'Builder' status Details
curl curl packages.yaml workflow link
lighttpd1.4 lighttpd packages.yaml workflow link

Popular repositories Loading

  1. defo-ech-apps defo-ech-apps Public

    a demo fork of F-Droid that uses TLS ECH by default

    Java 17 4

  2. ech-dev-utils ech-dev-utils Public

    Scripts, configurations and HOWTOs for playing with Encrypted ClientHello (ECH)

    Shell 5 3

  3. EchInteropTest EchInteropTest Public

    simple Android app to test Conscrypt-ECH

    Java 3

  4. nginx nginx Public

    Forked from nginx/nginx

    a fork to implement TLS Encrypted ClientHello (ECH) in nginx

    C 3

  5. openssl openssl Public

    Forked from openssl/openssl

    a fork to implement TLS Encrypted ClientHello (ECH) in OpenSSL

    C 3 1

  6. curl curl Public

    Forked from curl/curl

    a fork to implement TLS Encrypted ClientHello (ECH) in curl

    C

Repositories

Showing 10 of 13 repositories
  • cpython Public Forked from python/cpython

    The Python programming language

    defo-project/cpython’s past year of commit activity
    Python 0 31,534 0 0 Updated Jan 11, 2025
  • haproxy Public Forked from haproxy/haproxy

    HAProxy Load Balancer's development branch (mirror of git.haproxy.org)

    defo-project/haproxy’s past year of commit activity
    C 0 828 0 0 Updated Jan 11, 2025
  • curl Public Forked from curl/curl

    a fork to implement TLS Encrypted ClientHello (ECH) in curl

    defo-project/curl’s past year of commit activity
    C 0 6,818 0 0 Updated Jan 11, 2025
  • apache-httpd Public Forked from apache/httpd

    a fork to implement TLS Encrypted ClientHello (ECH) in Apache HTTP Server

    defo-project/apache-httpd’s past year of commit activity
    C 0 Apache-2.0 1,186 0 0 Updated Jan 11, 2025
  • lighttpd1.4 Public Forked from lighttpd/lighttpd1.4

    a fork to implement TLS Encrypted ClientHello (ECH) in lighttpd1.4

    defo-project/lighttpd1.4’s past year of commit activity
    C 0 BSD-3-Clause 289 0 0 Updated Jan 11, 2025
  • nginx Public Forked from nginx/nginx

    a fork to implement TLS Encrypted ClientHello (ECH) in nginx

    defo-project/nginx’s past year of commit activity
    C 3 BSD-2-Clause 7,256 0 0 Updated Jan 11, 2025
  • openssl Public Forked from openssl/openssl

    a fork to implement TLS Encrypted ClientHello (ECH) in OpenSSL

    defo-project/openssl’s past year of commit activity
    C 3 Apache-2.0 11,070 0 0 Updated Jan 11, 2025
  • .github Public
    defo-project/.github’s past year of commit activity
    0 0 0 0 Updated Jan 10, 2025
  • ech-dev-utils Public

    Scripts, configurations and HOWTOs for playing with Encrypted ClientHello (ECH)

    defo-project/ech-dev-utils’s past year of commit activity
    Shell 5 Apache-2.0 3 0 0 Updated Jan 9, 2025
  • ech-interop-report Public

    ECH Interoperability Report

    defo-project/ech-interop-report’s past year of commit activity
    TeX 0 MIT 0 1 1 Updated Jan 5, 2025
View all repositories

Top languages

Loading…

Most used topics

Loading…