On Wed, 13 Sep 2023, Stephen Farrell via curl-library wrote:
Lovely to see the progress!
> - Only the first HTTPS RR value retrieved is actually processed as described at [2]. That could be extended in future, though picking the "right" HTTPS RR could be non-trivial if multiple RRs are published - matching IP address hints versus A/AAAA values might be a good basis for that. Last I checked though, browsers supporting ECH didn't handle multiple HTTPS RRs well, though that needs re-checking as it's been a while.
This is a very specific problem that I suspect we can only get the answer to by looking at how others do it and seeing how things work in real life when we try to use the feature. I think picking and documenting the solution is enough, and then we adapt and adjust as we go forward. Like with everything.
I also want to mention that we have also discussed adding support for HTTPS records for other purposes than ECH. More specifically for selecting HTTP/3. There have also been voices "out there" talking about an updated take on alt-svc that would use (rely on) it, so maybe this record will become a slightly more important piece in our infra going forward.
I'm just saying this so that you keep that in mind when working on this, so that you don't think "too" ECH-specific here. We have not otherwise come around yet to actually try any code for this for anything else, so your work here is the first in this area as far as I know.
In addition to several of your other thoughts: one of the benefits with us adding new features such as this as EXPERIMENTAL is that we do not carve the API or options in stone until we remove that tag. That means that for such features it is fine to start with the basic approach that we can think of, and then polish and improve that as we go forward and get feedback and experience from real users and their use cases. We don't have to figure out the best possible solution ahead of time, we can allow ourselves to evolve from "something that works" to "awesome controls" in the actual code repo.
TLS wise: I know wolfSSL already has ECH support in their API and possibly a few of the other libs have too. We need to think a bit there so that we do a proper internal API to allow other TLS backends to get the same functionality without causing too much pain.
--
 / daniel.haxx.se | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
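The quoted point about choosing among several published HTTPS RRs, as an added example that is neither part of this thread nor curl's code: it parses the HTTPS RR RDATA wire format (SvcPriority, TargetName, SvcParams as defined in RFC 9460), skips AliasMode records (priority 0), and prefers a record whose ipv4hint/ipv6hint overlaps the addresses obtained from A/AAAA lookups, falling back to the lowest SvcPriority (first listed on a tie), which is what "only the first" degenerates to. The RRset, the resolved addresses and the ECHConfigList payloads are constructed for the example and are not real DNS data.

```python
"""Pick one HTTPS RR out of an RRset by matching address hints against A/AAAA results.

Example code added to illustrate the selection heuristic from the thread; not curl code.
Wire format per RFC 9460: SvcPriority(2) TargetName(uncompressed) then
SvcParams of key(2) length(2) value, keys in strictly increasing order.
"""
import ipaddress
import struct

SVCPARAM_ALPN = 1
SVCPARAM_IPV4HINT = 4
SVCPARAM_ECH = 5
SVCPARAM_IPV6HINT = 6


def _read_name(data, off):
    """Read an uncompressed DNS name; returns (dotted name without trailing dot, new offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("TargetName must not use name compression")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_https_rr(rdata):
    """Parse one HTTPS RR RDATA into {'priority', 'target', 'params': {key: raw value}}."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:
            raise ValueError("SvcParams must be in strictly increasing key order")
        last_key = key
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params[key] = value
        off += length
    return {"priority": priority, "target": target, "params": params}


def build_https_rr(priority, target, params):
    """Encode an HTTPS RR RDATA; used here only to construct the sample RRset."""
    out = struct.pack("!H", priority)
    for label in target.split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out


def address_hints(params):
    """Decode ipv4hint/ipv6hint values into a set of ip_address objects."""
    addrs = set()
    v4 = params.get(SVCPARAM_IPV4HINT, b"")
    addrs.update(ipaddress.IPv4Address(v4[i:i + 4]) for i in range(0, len(v4), 4))
    v6 = params.get(SVCPARAM_IPV6HINT, b"")
    addrs.update(ipaddress.IPv6Address(v6[i:i + 16]) for i in range(0, len(v6), 16))
    return addrs


def select_https_rr(rrset, resolved):
    """Return the parsed ServiceMode record to use, or None if the RRset has none.

    Records whose hints overlap the A/AAAA results win; otherwise the lowest
    SvcPriority wins, and min() keeps the first-listed record on a tie.
    """
    service = [r for r in (parse_https_rr(x) for x in rrset) if r["priority"] != 0]
    if not service:
        return None
    resolved = {ipaddress.ip_address(a) for a in resolved}
    matching = [r for r in service if address_hints(r["params"]) & resolved]
    return min(matching or service, key=lambda r: r["priority"])


# Constructed sample RRset: one AliasMode record plus two ServiceMode records
# that differ in their hints and carry placeholder (not real) ECHConfigList bytes.
SAMPLE_RRSET = [
    build_https_rr(0, "svc.example.net", {}),
    build_https_rr(1, ".", {SVCPARAM_ALPN: b"\x02h2",
                            SVCPARAM_IPV4HINT: ipaddress.IPv4Address("192.0.2.10").packed,
                            SVCPARAM_ECH: b"ECH-A"}),
    build_https_rr(1, ".", {SVCPARAM_ALPN: b"\x02h3",
                            SVCPARAM_IPV4HINT: ipaddress.IPv4Address("198.51.100.7").packed,
                            SVCPARAM_ECH: b"ECH-B",
                            SVCPARAM_IPV6HINT: ipaddress.IPv6Address("2001:db8::7").packed}),
]

if __name__ == "__main__":
    chosen = select_https_rr(SAMPLE_RRSET, ["198.51.100.7"])
    print("hint match ->", chosen["params"][SVCPARAM_ECH])
    chosen = select_https_rr(SAMPLE_RRSET, ["203.0.113.1"])
    print("no match, first by priority ->", chosen["params"][SVCPARAM_ECH])
```

The hint match is only a heuristic: hints are advisory per RFC 9460 and a zone may publish none at all, which is why the fallback to SvcPriority order is kept rather than failing when nothing overlaps.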