8000 gh-89730: EncryptedClientHello support in ssl module by irl · Pull Request #135435 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

gh-89730: EncryptedClientHello support in ssl module #135435 8000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

gh-89730: EncryptedClientHello support in ssl module #135435

wants to merge 1 commit into from
+637 −10

Conversation

irl
Copy link
@irl irl commented Jun 12, 2025
edited by github-actions bot
Loading

Exposes options for clients to use Encrypted Client Hello (ECH) when establishing TLS connections. It is up to the user to source the ECH public keys before making use of these options.

To use these options requires a version of openssl that includes these options, which currently are on a feature branch:

https://github.com/openssl/openssl/tree/feature/ech

We do not expect that the API here will have any substaintial changes when it is merged.

For testing, clone the above repository, checkout the feature/ech branch, and build. Then use this openssl installation when building cPython:

git clone https://github.com/openssl/openssl.git
pushd openssl
git checkout feature/ech
./configure --prefix=$HOME/opt/openssl
make -j8
make install_sw
popd
git clone https://github.com/irl/cpython.git
git checkout issue-89730
./configure --with-pydebug --with-openssl=$HOME/opt/openssl
make -j8

Additionally I have added to the documentation an example of the use of these options, which is built at: https://irl.github.io/cpython/library/ssl.html#encrypted-client-hello

📚 Documentation preview 📚: https://cpython-previews--135435.org.readthedocs.build/

@python-cla-bot
Copy link
python-cla-bot bot commented Jun 12, 2025
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app bedevere-app bot mentioned this pull request Jun 12, 2025
Open
ZeroIntensity
ZeroIntensity reviewed Jun 12, 2025
View reviewed changes
picnixz
picnixz requested changes Jun 13, 2025
View reviewed changes
Copy link
Member
@picnixz picnixz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As you mentioned, the ECH feature is not yet available in OpenSSL (https://github.com/openssl/openssl/tree/feature/ech). I would like to defer this until it's released.

In addition:

  • please remove blank lines as much as possile. Too many blank lines hinder the reading flow.
  • check return codes from OpenSSL (SSL_ech_get1_retry_config may fail for instance, so you should check if it succeeded, and if not, correctly handle the return code)
  • we need tests

Misc/NEWS.d/next/Library/2025-06-12-15-39-48.gh-issue-89730.Lu35Fu.rst Outdated
Comment on lines 1 to 8
Adds support for Encrypted Client Hello (ECH) to the ssl module. Clients may
use the options exposed to establish TLS connections using ECH. Third-party
libraries like dnspython can be used to query for HTTPS and SVCB records
that contain the public keys required to use ECH with specific servers. If
no public key is available, an option is available to "GREASE" the
connection, and it is possible to retrieve the public key from the retry
configuration sent by servers that support ECH as they terminate the initial
connection.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This description should also be put in What's New rather here.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know what this means.

@bedevere-app
Copy link
bedevere-app bot commented Jun 13, 2025

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@irl irl force-pushed the issue-89730 branch 2 times, most recently from 27dcb2f to 7092144 Compare June 27, 2025 13:03
@irl irl marked this pull request as draft June 27, 2025 13:05
@irl
EncryptedClientHello support in ssl module
4fbb9cc 
Exposes options for clients to use Encrypted Client Hello (ECH) when
establishing TLS connections. It is up to the user to source the
ECH public keys before making use of these options.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZeroIntensity ZeroIntensity ZeroIntensity left review comments

@picnixz picnixz picnixz requested changes

@gpshead gpshead Awaiting requested review from gpshead gpshead is a code owner

@erlend-aasland erlend-aasland Awaiting requested review from erlend-aasland erlend-aasland is a code owner

@corona10 corona10 Awaiting requested review from corona10 corona10 is a code owner

Assignees
No one assigned
Labels
topic-SSL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@irl @picnixz @ZeroIntensity
0