[TLS] Re: Port number and ALPN of ECH client facing servers
Ben Schwartz <bemasc@meta.com> Mon, 09 June 2025 18:37 UTC
From: Ben Schwartz <bemasc@meta.com>
To: Christian Huitema <huitema@huitema.net>, Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aC3WspdvGgIW1dkdNRGiYox0ADk>
________________________________
From: Christian Huitema <huitema@huitema.net>
Sent: Monday, June 9, 2025 1:13 PM
...
> On 6/9/2025 12:35 AM, Martin Thomson wrote:
...
>> The purpose of the ALPN parameter in SVCB is not so much to change what the client offers in the ClientHello, but to allow the client to filter out service endpoints that only speak protocols it doesn't understand.

> I am not sure about your reasoning on ALPN.

Martin is correct regarding the significance of RFC 9460's "alpn" parameter.

...
> I believe there is at least some value into hiding
> what exactly the client wants to do.

draft-ietf-tls-esni Section 10.5 agrees: "A client that treats this context as sensitive SHOULD NOT send context-specific values in ClientHelloOuter.".

...
> But still, one of the most effective ways to reduce the outgoing flow of
> information is to do caching. The HTTPS + A/AAAA exchange produces three
> pieces of information: the list of facing servers that might serve the
> backend service; the ECH configuration and port number for the selected
> facing server; and the current IP address of that server. These three
> pieces of information have their own time to live: when the relation
> between backend and facing server changes due to contracts or other
> arrangements; when the ECH configuration changes due to configuration
> changes or software updates on the facing server; when the IP address
> changes with the connectivity of the facing server. For effective
> caching, I would like to split those.

FWIW, these can normally be split into a CNAME or AliasMode record (www.origin.example CNAME cdn.example), a ServiceMode record (cdn.example HTTPS 1 . ech=...), and IP addresses (cdn.example. AAAA ...). This works under certain limitations:

1. The origin chooses a single split-mode service.
2. The split-mode service's backend targets are all willing to use the same SVCB parameters.
3. The domain is not an "apex" (so it can use CNAME) or the client supports AliasMode (sadly still missing in Chromium).

Given that there is zero deployment (or even implementation?) of split mode today, I think it's a bad idea to add even more complexity in pursuit of incremental privacy improvements.

> That's what caused my question about ALPN. We have a little bit of mess
> here because not all facing server are expected to have an HTTPS record.
> The ones that implement HTTP will, but for other servers one has to look
> at SVCB records instead.

This is essentially incorrect. Any split-mode server that wants to support AliasMode for HTTP would publish an HTTPS record, even if it does not actually accept HTTP requests for this hostname. HTTPS records cannot alias to SVCB records.

> And SVCB records are keyed by domain name +
> scheme. The scheme depends on the application, and thus from the ALPN.

This is also sort of incorrect. The SVCB records for _foo1.origin.example and _foo2.origin.example could both be aliased to the same SVCB record on "cdn.example" ... on the condition that foo1:// and foo2:// can use the same SVCB contents.

--Ben
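The three-way split described in the reply above (CNAME, ServiceMode HTTPS record, AAAA), as an added example that is not part of the original message: a client-side cache that keeps each RRset for its own TTL and records which queries leave the client. The TTL values, the `ech` placeholder, the address and the per-RRset client cache itself are assumptions made for illustration.

```python
# Constructed records: names follow the message; TTLs, ech value and address are made up.
ZONE = {
    ("www.origin.example", "CNAME"): (86400, "cdn.example"),    # origin -> facing service
    ("cdn.example", "HTTPS"): (3600, "1 . ech=<placeholder>"),  # ServiceMode, ECH config
    ("cdn.example", "AAAA"): (300, "2001:db8::1"),              # facing server address
}


class RRsetCache:
    """Client-side cache that keeps each RRset for its own TTL."""

    def __init__(self, zone):
        self.zone = zone
        self.entries = {}  # (name, rtype) -> (expires_at, rdata)

    def get(self, name, rtype, now, sent):
        key = (name, rtype)
        hit = self.entries.get(key)
        if hit and hit[0] > now:
            return hit[1]            # still fresh: nothing leaves the client
        ttl, rdata = self.zone[key]  # simulated upstream answer
        sent.append(key)             # this query is visible to the resolver
        self.entries[key] = (now + ttl, rdata)
        return rdata


def connect_info(cache, origin, now):
    """Resolve origin at time `now`; return (result, queries sent upstream)."""
    sent = []
    target = cache.get(origin, "CNAME", now, sent)
    svc = cache.get(target, "HTTPS", now, sent)
    addr = cache.get(target, "AAAA", now, sent)
    return {"target": target, "https": svc, "addr": addr}, sent


def origin_exposed(sent, origin):
    """True if any upstream query in `sent` names the origin itself."""
    return any(name == origin for name, _ in sent)


if __name__ == "__main__":
    cache = RRsetCache(ZONE)
    for t in (0, 400, 4000, 90000):
        _, sent = connect_info(cache, "www.origin.example", t)
        print(t, sent, "origin exposed:", origin_exposed(sent, "www.origin.example"))
```

While the CNAME is still cached, refreshes of the ECH configuration and the address only name `cdn.example`, so the origin name appears in a query only when the alias itself expires.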