Great, I like it! Cheers, Stefan
> On 18.08.2025 at 19:13, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> Hi all,
>
> I've proposed a PR [1] for including ECH support in apache2. Be very happy to discuss that, on this list, or via github. I've included the text describing the PR below in case some people prefer that via mail rather than github.
>
> Cheers,
> Stephen.
>
> PS: This is my first PR for this project, apologies in advance for the things I've inevitably gotten wrong;-)
>
> [1] https://github.com/apache/httpd/pull/551
>
> Text describing the PR:
>
> This PR adds Encrypted Client Hello (ECH) functionality to apache2, when using OpenSSL for TLS.
>
> Notes:
>
> - ECH is not yet part of an OpenSSL release. We'd hope ECH will be part of OpenSSL 4.0 in April 2026. However, we have been working with OpenSSL maintainers on the so-called "ECH feature branch" and that branch (subject to the same OpenSSL maintainer approval process as the OpenSSL master branch) now includes sufficient ECH code for web servers like apache2. So there's plenty of time for this PR to be discussed, but starting now may be timely.
> - This PR includes documentation in a markdown document in the repo's top directory, which is certainly the wrong place, but may be useful short-term. That describes how to do the build, configuration and logging changes, and the code changes for ECH. (So should be a good place for reviewers to start.)
> - While OpenSSL releases do not yet include ECH support, some other TLS libraries do, in particular boringssl. If useful, we could extend this PR to also support boringssl, or that could be a follow-up. (It'd be good if the server configuration were the same regardless of the TLS library.)
> - ECH support using these OpenSSL ECH APIs was included in the lighttpd web server (in January 2025) so some code and patterns are common with that. We also plan to submit similar PRs to apache2 and haproxy, and ideally all would share some commonality.
> - We have proposed a very similar PR for the NGINX project (OpenSSL ECH integration nginx/nginx#840).
> - All that said, we're not fixated at all on things being done this way, and would be happy to make whatever changes are desired for apache2 and there are some notes on potential changes in the documentation.
>
> Lastly, for openness, our work on this has been funded by the Open Technology Fund (OTF) in the DEfO project.