[TLS] ECH draft-13 servers for interop testing

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 15 September 2021 00:11 UTC

To: "tls@ietf.org" <tls@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <eb896888-5041-091e-a967-efc06a3b6819@cs.tcd.ie>
Date: Wed, 15 Sep 2021 01:11:05 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DmMuf-CCzNNxSNY9LvxxQlu-fy4>

Hiya,

I've put up a bunch of server instances for ECH draft-13
interop as described below and at [1].

- OpenSSL s_server: draft-13.esni.defo.ie:8413 using all algs
- OpenSSL s_server: draft-13.esni.defo.ie:8414 likely forces
                     HRR as it only likes P-384 for TLS
- lighttpd: draft-13.esni.defo.ie:9413
- nginx: draft-13.esni.defo.ie:10413
- apache: draft-13.esni.defo.ie:11413
- haproxy: draft-13.esni.defo.ie:12413 shared mode
            (haproxy terminates TLS)
- haproxy: draft-13.esni.defo.ie:12414 split mode
            (haproxy only decrypts ECH)

Those all use the latest branch of my OpenSSL fork [2]. There
are links to the server source for each at [1]. Each of the
above has keys (well, the same key:-) published in DNS.

I also think my (of course still radically imperfect:-) code
interops with boringssl and the test server Cloudflare have
put up. I've still to try to get HRR working in split mode but
will be working on that shortly. Other than that though, the
spec seems implementable, if complex for my wee brain:-)

Those aren't set up to be resilient as I'd like to see some
detail if they crash, so in that case, or if stuff just
doesn't work, mail me and we can figure a way to test stuff.

Cheers,
S.

[1] https://defo.ie/
[2] https://github.com/sftcd/openssl/tree/ECH-draft-13a
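As an added example (not part of Stephen's mail, his OpenSSL fork, or any of the listed servers), here is a small Python builder and parser for the draft-13 ECHConfigList that such servers publish as the "ech=" SvcParam of their DNS HTTPS record. It shows the wire layout a client has to walk before it can encrypt a ClientHelloInner, and it handles the two failure modes an interop tester meets most: a truncated record, and a list that mixes draft versions, where configs of unknown version must be skipped rather than rejected. The key bytes, config ids, HPKE code points chosen for the sample, and the public name are constructed sample values, not any real server's key.

```python
"""Build and parse an ECHConfigList in the ECH draft-13 wire format
(version 0xfe0d), as published in an HTTPS record's "ech=" SvcParam.
Added example; the key bytes and names below are constructed sample data."""
import base64
import struct

ECH_VERSION_DRAFT13 = 0xFE0D
# HPKE code points (RFC 9180) used by the constructed sample config.
KEM_X25519_HKDF_SHA256 = 0x0020
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001
AEAD_CHACHA20_POLY1305 = 0x0003


def _u8(v): return struct.pack("!B", v)
def _u16(v): return struct.pack("!H", v)
def _vec8(b): return _u8(len(b)) + b      # opaque<1..255>
def _vec16(b): return _u16(len(b)) + b    # opaque<..2^16-1>


def build_ech_config(config_id, kem_id, public_key, cipher_suites,
                     max_name_len, public_name, version=ECH_VERSION_DRAFT13):
    """Serialize one ECHConfig: version, length, then ECHConfigContents."""
    suites = b"".join(_u16(kdf) + _u16(aead) for kdf, aead in cipher_suites)
    contents = (_u8(config_id) + _u16(kem_id) + _vec16(public_key)  # HpkeKeyConfig
                + _vec16(suites)
                + _u8(max_name_len) + _vec8(public_name.encode("ascii"))
                + _vec16(b""))                                      # no extensions
    return _u16(version) + _vec16(contents)


def build_ech_config_list(configs):
    """ECHConfigList: the concatenated configs under a 2-byte length."""
    return _vec16(b"".join(configs))


class _Reader:
    """Bounds-checked cursor over wire bytes; any short read is an error."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ECHConfig")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def vec8(self): return self.take(self.u8())
    def vec16(self): return self.take(self.u16())
    def done(self): return self.pos == len(self.data)


def _parse_contents(contents):
    r = _Reader(contents)
    cfg = {"config_id": r.u8(), "kem_id": r.u16(), "public_key": r.vec16()}
    suites = _Reader(r.vec16())
    cfg["cipher_suites"] = []
    while not suites.done():
        cfg["cipher_suites"].append((suites.u16(), suites.u16()))  # (kdf_id, aead_id)
    if not cfg["cipher_suites"]:
        raise ValueError("ECHConfig offers no cipher suites")
    cfg["maximum_name_length"] = r.u8()
    cfg["public_name"] = r.vec8().decode("ascii")
    cfg["extensions"] = r.vec16()
    if not r.done():
        raise ValueError("trailing bytes in ECHConfigContents")
    return cfg


def parse_ech_config_list(data):
    """Return the draft-13 configs in an ECHConfigList.  Entries with any
    other version are skipped, as the draft requires of clients, so one
    unknown entry does not make the whole list unusable."""
    outer = _Reader(data)
    body = _Reader(outer.vec16())
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while not body.done():
        version, contents = body.u16(), body.vec16()
        if version == ECH_VERSION_DRAFT13:
            configs.append(_parse_contents(contents))
    return configs


def parse_ech_svcparam(b64):
    """Decode the base64 'ech=' value of an HTTPS record and parse it."""
    return parse_ech_config_list(base64.b64decode(b64, validate=True))


# Constructed sample: a fake 32-byte X25519 public key, never a real one.
SAMPLE_KEY = bytes(range(32))
SAMPLE_LIST = build_ech_config_list([
    build_ech_config(7, KEM_X25519_HKDF_SHA256, SAMPLE_KEY,
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM),
                      (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)],
                     0, "public.example"),
    # Same key under a different (unknown) version: a client must skip it.
    build_ech_config(8, KEM_X25519_HKDF_SHA256, SAMPLE_KEY,
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)],
                     0, "public.example", version=0xFE0A),
])
SAMPLE_SVCPARAM = base64.b64encode(SAMPLE_LIST).decode("ascii")
```

Feeding `SAMPLE_SVCPARAM` to `parse_ech_svcparam` yields one usable config (id 7) and silently drops the 0xfe0a entry; chopping bytes off `SAMPLE_LIST` or appending junk raises `ValueError` instead of producing a half-parsed config, which is the behaviour you want before any key material reaches the HPKE layer. Against a live record you would base64-decode the "ech=" value exactly as `parse_ech_svcparam` does and compare the resulting `config_id` with the one the server echoes when ECH is accepted.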