7.1. Client-Facing Server
Upon receiving an “encrypted_client_hello” extension in an initial ClientHello, the client-facing server determines whether it will accept ECH before negotiating any other TLS parameters. Note that successfully decrypting the extension yields a new ClientHello to process, so even the client’s TLS version preferences may have changed.
First, the server collects a set of candidate ECHConfig values. This list is determined by one of the following two methods:
- Compare ECHClientHello.config_id against the identifiers of each known ECHConfig and select those that match, if any, as candidates.
- Collect all known ECHConfig values as candidates, with trial decryption below determining the final selection.
Some uses of ECH, such as local discovery mode, may randomize the ECHClientHello.config_id since it can be used as a tracking vector. In such cases, the second method SHOULD be used to match the ECHClientHello to a known ECHConfig. See Section 10.4. Unless specified by the application profile or otherwise externally configured, implementations MUST use the first method.
The server then iterates over the candidate ECHConfig values, attempting to decrypt the “encrypted_client_hello” extension as follows.
The server verifies that the ECHConfig supports the cipher suite indicated by ECHClientHello.cipher_suite and that the version of ECH indicated by the client matches ECHConfig.version. If not, the server continues to the next candidate ECHConfig.
Next, the server decrypts ECHClientHello.payload, using the private key skR corresponding to ECHConfig, as follows:
   context = SetupBaseR(ECHClientHello.enc, skR,
                        "tls ech" || 0x00 || ECHConfig)
   EncodedClientHelloInner = context.Open(ClientHelloOuterAAD,
                                          ECHClientHello.payload)
ClientHelloOuterAAD is computed from ClientHelloOuter as described in Section 5.2. The info parameter to SetupBaseR is the concatenation of “tls ech”, a zero byte, and the serialized ECHConfig. If decryption fails, the server continues to the next candidate ECHConfig. Otherwise, the server reconstructs ClientHelloInner from EncodedClientHelloInner, as described in Section 5.1. It then stops iterating over the candidate ECHConfig values.
Once the server has chosen the correct ECHConfig, it MAY verify that the value in the ClientHelloOuter “server_name” extension matches the value of ECHConfig.contents.public_name, and abort with an “illegal_parameter” alert if these do not match. This optional check allows the server to limit ECH connections to only the public SNI values advertised in its ECHConfigs. The server MUST be careful not to reject connections unnecessarily if the same ECHConfig id or keypair is used in multiple ECHConfigs with different public names.
Upon determining the ClientHelloInner, the client-facing server checks that the message includes a well-formed “encrypted_client_hello” extension of type inner and that it does not offer TLS 1.2 or below. If either of these checks fails, the client-facing server MUST abort with an “illegal_parameter” alert.
If these checks succeed, the client-facing server forwards the ClientHelloInner to the appropriate backend server, which proceeds as in Section 7.2. If the backend server responds with a HelloRetryRequest, the client-facing server forwards it, decrypts the client’s second ClientHelloOuter using the procedure in Section 7.1.1, and forwards the resulting second ClientHelloInner. The client-facing server forwards all other TLS messages between the client and the backend server unmodified.
Otherwise, if all candidate ECHConfig values fail to decrypt the extension, the client-facing server MUST ignore the extension and proceed with the connection using ClientHelloOuter, with the following modifications:
- If sending a HelloRetryRequest, the server MAY include an “encrypted_client_hello” extension with a payload of 8 random bytes; see Section 10.10.4 for details.
- If the server is configured with any ECHConfigs, it MUST include the “encrypted_client_hello” extension in its EncryptedExtensions with the “retry_configs” field set to one or more ECHConfig structures with up-to-date keys. Servers MAY supply multiple ECHConfig values of different versions. This allows a server to support multiple versions at once.
Note that decryption failure could indicate a GREASE ECH extension (see Section 6.2), so it is necessary for servers to proceed with the connection and rely on the client to abort if ECH was required. In particular, an unrecognized value alone does not indicate a misconfigured ECH advertisement (Section 8.1.1). Instead, servers can measure occurrences of the “ech_required” alert to detect this case.
7.1.1. Processing ClientHello after HelloRetryRequest
After sending or forwarding a HelloRetryRequest, the client-facing server does not repeat the steps in Section 7.1 with the second ClientHelloOuter. Instead, it continues with the ECHConfig selection from the first ClientHelloOuter as follows:
If the client-facing server accepted ECH, it checks that the second ClientHelloOuter also contains the “encrypted_client_hello” extension. If not, it MUST abort the handshake with a “missing_extension” alert. Otherwise, it checks that ECHClientHello.cipher_suite and ECHClientHello.config_id are unchanged, and that ECHClientHello.enc is empty. If not, it MUST abort the handshake with an “illegal_parameter” alert.
Finally, it decrypts the new ECHClientHello.payload as a second message with the previous HPKE context:
   EncodedClientHelloInner = context.Open(ClientHelloOuterAAD,
                                          ECHClientHello.payload)
ClientHelloOuterAAD is computed as described in Section 5.2, but using the second ClientHelloOuter. If decryption fails, the client-facing server MUST abort the handshake with a “decrypt_error” alert. Otherwise, it reconstructs the second ClientHelloInner from the new EncodedClientHelloInner as described in Section 5.1, using the second ClientHelloOuter for any referenced extensions.
The client-facing server then forwards the resulting ClientHelloInner to the backend server. It forwards all TLS messages between the client and the backend server unmodified.
If the client-facing server rejected ECH, or if the first ClientHello did not include an “encrypted_client_hello” extension, the client-facing server proceeds with the connection as usual. The server does not decrypt the second ClientHello’s ECHClientHello.payload value, if there is one. Additionally, if the server is configured with any ECHConfigs, it MUST include the “encrypted_client_hello” extension in its EncryptedExtensions with the “retry_configs” field set to one or more ECHConfig structures with up-to-date keys, as described in Section 7.1.
Note that a client-facing server that forwards the first ClientHello cannot include its own “cookie” extension if the backend server sends a HelloRetryRequest. This means that the client-facing server either needs to maintain state for such connections or needs to coordinate with the backend server to include any information it requires to process the second ClientHello.
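The candidate selection of Section 7.1 and the second-ClientHello checks of Section 7.1.1 can be sketched together in Python. This is an added example, not code from the specification or from any TLS implementation. The names accept_ech, open_after_hrr and ToyContext and the field layout are assumptions, and ToyContext is a constructed stand-in that only mimics how an HPKE context binds key, info, AAD and message order.

```python
import hashlib, hmac
from typing import NamedTuple

class ECHConfig(NamedTuple):    # only the fields the selection logic reads
    raw: bytes                  # serialized ECHConfig, part of the HPKE info string
    version: int
    config_id: int
    cipher_suites: tuple        # ((kdf_id, aead_id), ...)
    skR: bytes                  # private key for this config

class ECHClientHello(NamedTuple):
    cipher_suite: tuple
    config_id: int
    enc: bytes
    payload: bytes

class ToyContext:
    """Constructed stand-in for an HPKE context (NOT real HPKE, integrity only)."""
    def __init__(self, enc, skR, info):
        self.key, self.seq = hashlib.sha256(skR + enc + info).digest(), 0
    def seal(self, aad, pt, seq):
        return pt + hmac.new(self.key, bytes([seq]) + aad + pt, "sha256").digest()
    def open(self, aad, ct):
        if not hmac.compare_digest(ct, self.seal(aad, ct[:-32], self.seq)):
            raise ValueError("open failed")
        self.seq += 1           # the next Open expects the next message
        return ct[:-32]

def accept_ech(ech, ech_version, outer_aad, known, trial=False, setup=ToyContext):
    """Section 7.1: return (config, context, EncodedClientHelloInner), or None to reject."""
    for cfg in (known if trial else [c for c in known if c.config_id == ech.config_id]):
        if ech.cipher_suite not in cfg.cipher_suites or ech_version != cfg.version:
            continue
        ctx = setup(ech.enc, cfg.skR, b"tls ech" + b"\x00" + cfg.raw)
        try:
            return cfg, ctx, ctx.open(outer_aad, ech.payload)
        except ValueError:
            continue            # decryption failed: next candidate
    return None                 # ignore ECH, use ClientHelloOuter, send retry_configs

def open_after_hrr(first, second, ctx, outer_aad2):
    """Section 7.1.1: return (EncodedClientHelloInner, None) or (None, alert name)."""
    if second is None:
        return None, "missing_extension"
    if (second.cipher_suite, second.config_id) != (first.cipher_suite, first.config_id) or second.enc:
        return None, "illegal_parameter"
    try:
        return ctx.open(outer_aad2, second.payload), None
    except ValueError:
        return None, "decrypt_error"
```

A None result from accept_ech covers GREASE and stale keys alike, which is why the server continues with ClientHelloOuter instead of aborting. A real deployment passes an actual HPKE SetupBaseR as the setup argument.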