[TLS] Re: Port number and ALPN of ECH client facing servers

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 09 June 2025 19:22 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gyGJ7maOtNYw1WFVa4GD6MpTueo>


On 09/06/2025 19:36, Ben Schwartz wrote:
> Given that there is zero deployment (or even implementation?) of
> split mode today

FWIW, I've implemented ECH split mode in haproxy and nginx PoC code.
Some (possibly slightly outdated) details at [1].

I'd be happy to chat with someone who'd like to test/deploy that in
something more than the interop test services I've set up. Ping me
offlist if that's of interest.

Cheers,
S.

[1] https://github.com/defo-project/ech-dev-utils/blob/main/howtos/split-mode.md