Hi all,

I've proposed a PR [1] for including ECH support in apache2.
Be very happy to discuss that, on this list, or via github.
I've included the text describing the PR below in case some
people prefer that via mail rather than github.

Cheers,
Stephen.

PS: This is my first PR for this project, apologies in
advance for the things I've inevitably gotten wrong;-)

[1] https://github.com/apache/httpd/pull/551

Text describing the PR:

This PR adds Encrypted Client Hello (ECH) functionality to apache2, when using OpenSSL for TLS.

Notes:

- ECH is not yet part of an OpenSSL release. We'd hope ECH will be part of OpenSSL 4.0 in April 2026. However, we have been working with OpenSSL maintainers on the so-called "ECH feature branch" and that branch (subject to the same OpenSSL maintainer approval process as the OpenSSL master branch) now includes sufficient ECH code for web servers like apache2. So there's plenty of time for this PR to be discussed, but starting now may be timely.
- This PR includes documentation in a markdown document in the repo's top directory, which is certainly the wrong place, but may be useful short-term. That describes how to do the build, configuration and logging changes, and the code changes for ECH. (So it should be a good place for reviewers to start.)
- While OpenSSL releases do not yet include ECH support, some other TLS libraries do, in particular boringssl. If useful, we could extend this PR to also support boringssl, or that could be a follow-up. (It'd be good if the server configuration were the same regardless of the TLS library.)
- ECH support using these OpenSSL ECH APIs was included in the lighttpd web server (in January 2025), so some code and patterns are common with that. We also plan to submit similar PRs to apache2 and haproxy, and ideally all would share some commonality.
- We have proposed a very similar PR for the NGINX project (OpenSSL ECH integration nginx/nginx#840).
- All that said, we're not fixated at all on things being done this way, and would be happy to make whatever changes are desired for apache2; there are some notes on potential changes in the documentation.

Lastly, for openness, our work on this has been funded by the Open Technology Fund (OTF) in the DEfO project.
