Basic TLS Encrypted ClientHello (ECH) support (updated) #1340
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This introduces a new Exception so that clients can respond only to the ECH retry request without having to parse SSLHandshakeExceptions in general. This exception should probably be implemented in boringssl or native_crypto.cc.
OpenJDK's JNDI API and Android DnsResolver API both provide support for raw DNS queries. These must be parsed to be useful, so this includes Android's DnsPacket to parse the raw DNS answer. Original source: https://android.googlesource.com/platform/frameworks/libs/net/+/de5905fe0407a1f5e115423d56c948ee2400683d/common/framework/com/android/net/module/util/DnsPacket.java
https://docs.gradle.org/current/userguide/gradle_wrapper.html#sec:verification https://gradle.org/release-checksums/ ./gradlew wrapper --gradle-distribution all --gradle-version 6.5 \ --gradle-distribution-sha256-sum \ c9910513d0eed63cd8f5c7fec4cb4a05731144770104a0871234a4edc3ba3cef
…ter_google_fix
…master_google_fix_merge
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
fortuna
reviewed
Jun 6, 2025
| /** | ||
| * | ||
| * @param socket the socket | ||
| * @param enabled whether ECH GREASE is enabled or not |
There was a problem hiding this comment.
Good call, I fixed this and also added descriptions for the other new methods in Conscrypt.java.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an update to #1044 which includes both additional changes made by @eighthave and the updates made to conscrypt since the original pull request was created.
Original description:
This is the first stage of implementing Encrypted ClientHello (ECH) in Conscrypt #730. It provides the APIs required for clients to make TLS connections using ECH. This implements enough of the server-side to provide ECH in the test suite using ECH Key and Configs generated by boringssl. This should be enough to let libs like OkHTTP fully implement ECH square/okhttp#6539