RFC 9849. TLS Encrypted Client Hello

Upon receiving an "encrypted_client_hello" extension in an initial ClientHello, the client-facing server determines if it will accept ECH prior to negotiating any other TLS parameters. Note that successfully decrypting the extension will result in a new ClientHello to process, so even the client's TLS version preferences may have changed.

First, the server collects a set of candidate ECHConfig values. This list is determined by one of the two following methods:

1. Compare ECHClientHello.config_id against identifiers of each known ECHConfig and select the ones that match, if any, as candidates.

2. Collect all known ECHConfig values as candidates, with trial decryption below determining the final selection.

Some uses of ECH, such as local discovery mode, may randomize the ECHClientHello.config_id since it can be used as a tracking vector. In such cases, the second method SHOULD be used for matching the ECHClientHello to a known ECHConfig. See Section 10.4. Unless specified by the application profile or otherwise externally configured, implementations MUST use the first method.

The server then iterates over the candidate ECHConfig values, attempting to decrypt the "encrypted_client_hello" extension as follows.

The server verifies that the ECHConfig supports the cipher suite indicated by the ECHClientHello.cipher_suite and that the version of ECH indicated by the client matches the ECHConfig.version. If not, the server continues to the next candidate ECHConfig.

Next, the server decrypts ECHClientHello.payload, using the private key skR corresponding to ECHConfig, as follows:

    context = SetupBaseR(ECHClientHello.enc, skR, "tls ech" || 0x00 || ECHConfig)
    EncodedClientHelloInner = context.Open(ClientHelloOuterAAD, ECHClientHello.payload)

ClientHelloOuterAAD is computed from ClientHelloOuter as described in Section 5.2. The info parameter to SetupBaseR is the concatenation "tls ech", a zero byte, and the serialized ECHConfig. If decryption fails, the server continues to the next candidate ECHConfig. Otherwise, the server reconstructs ClientHelloInner from EncodedClientHelloInner, as described in Section 5.1. It then stops iterating over the candidate ECHConfig values.

Once the server has chosen the correct ECHConfig, it MAY verify that the value in the ClientHelloOuter "server_name" extension matches the value of ECHConfig.contents.public_name and abort with an "illegal_parameter" alert if these do not match. This optional check allows the server to limit ECH connections to only use the public SNI values advertised in its ECHConfigs. The server MUST be careful not to unnecessarily reject connections if the same ECHConfig id or keypair is used in multiple ECHConfigs with distinct public names.
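The candidate selection, trial decryption and optional public_name check described above, written out as an added Python illustration (not code from the RFC or any TLS library). The HPKE SetupBaseR/Open step is replaced by a clearly labelled HMAC stand-in so the control flow runs offline; the ECHConfig fields, the sample configs and the set-based public_name check (accepting any public_name of a config sharing the decrypting config's id or keypair) are this example's own assumptions.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class ECHConfig:          # constructed stand-in: only the fields the selection logic reads
    version: int
    config_id: int
    cipher_suite: tuple   # (kdf_id, aead_id)
    public_name: bytes
    serialized: bytes     # wire form, fed into the HPKE info string
    skR: bytes            # private key; one keypair may back several configs

def ech_info(cfg):        # info = "tls ech" || 0x00 || ECHConfig
    return b"tls ech" + b"\x00" + cfg.serialized

def _tag(cfg, enc, aad, pt):  # binds skR, info, enc and ClientHelloOuterAAD to the plaintext
    return hmac.new(cfg.skR, ech_info(cfg) + enc + aad + pt, hashlib.sha256).digest()[:16]

def open_stub(cfg, enc, aad, payload):  # stand-in for SetupBaseR(enc, skR, info).Open(aad, ct)
    pt, tag = payload[:-16], payload[-16:]  # NOT real HPKE; None models decryption failure
    return pt if hmac.compare_digest(tag, _tag(cfg, enc, aad, pt)) else None

def candidates(ech, known, trial_all=False):
    # Method 1: configs whose id matches. Method 2 (randomized config_id): every known config.
    return list(known) if trial_all else [c for c in known if c.config_id == ech["config_id"]]

def decrypt_ech(ech, aad, outer_sni, known, trial_all=False, check_public_name=True):
    """EncodedClientHelloInner, None if no candidate decrypts, ValueError if the SNI check fails."""
    for cfg in candidates(ech, known, trial_all):
        if cfg.version != ech["version"] or cfg.cipher_suite != ech["cipher_suite"]:
            continue                                   # unsupported: next candidate
        inner = open_stub(cfg, ech["enc"], aad, ech["payload"])
        if inner is None:
            continue                                   # decryption failed: next candidate
        if check_public_name:
            # accept every public_name advertised with this id or keypair (assumed policy)
            allowed = {c.public_name for c in known if c.skR == cfg.skR or c.config_id == cfg.config_id}
            if outer_sni not in allowed:
                raise ValueError("illegal_parameter")  # abort with illegal_parameter alert
        return inner                                   # stop at the first success
    return None                                        # server proceeds with ClientHelloOuter

# Constructed sample: A and B share config_id 7 and one keypair but differ in public_name.
SUITE, KEY, VER = (0x0001, 0x0001), b"constructed-skR", 0xFE0D   # HKDF-SHA256, AES-128-GCM
CFG_A = ECHConfig(VER, 7, SUITE, b"public.example", b"cfgA", KEY)
CFG_B = ECHConfig(VER, 7, SUITE, b"alt.example", b"cfgB", KEY)
CFG_C = ECHConfig(VER, 9, SUITE, b"other.example", b"cfgC", b"other-key")
KNOWN = [CFG_C, CFG_A, CFG_B]
AAD, INNER = b"ClientHelloOuter with payload zeroed", b"EncodedClientHelloInner"
SAMPLE = {"version": VER, "config_id": 7, "cipher_suite": SUITE, "enc": b"enc",
          "payload": INNER + _tag(CFG_B, b"enc", AAD, INNER)}   # client "sealed" to config B
```

Because the info string carries the serialized ECHConfig, config A fails to decrypt and the loop moves on to B; with only A's public_name consulted, a client that used B's name would be rejected needlessly.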
