2024-04-04 21:23:35 +08:00
|
|
|
---
|
|
|
|
|
c: Copyright (C) Daniel Stenberg, <daniel.se>, et al.
|
|
|
|
|
SPDX-License-Identifier: curl
|
|
|
|
|
Title: CURLOPT_ECH
|
|
|
|
|
Section: 3
|
|
|
|
|
Source: libcurl
|
|
|
|
|
See-also:
|
2024-04-16 14:37:43 +08:00
|
|
|
- CURLOPT_DOH_URL (3)
|
2024-04-04 21:23:35 +08:00
|
|
|
Protocol:
|
|
|
|
|
- TLS
|
|
|
|
|
TLS-backend:
|
|
|
|
|
- OpenSSL
|
|
|
|
|
- wolfSSL
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# NAME
|
|
|
|
|
|
|
|
|
|
CURLOPT_ECH - configuration for Encrypted Client Hello
|
|
|
|
|
|
|
|
|
|
# SYNOPSIS
|
|
|
|
|
|
|
|
|
|
~~~c
|
|
|
|
|
#include <curl/curl.h>
|
|
|
|
|
|
|
|
|
|
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);
|
|
|
|
|
~~~
|
|
|
|
|
|
|
|
|
|
# DESCRIPTION
|
|
|
|
|
|
|
|
|
|
ECH is only compatible with TLSv1.3.
|
|
|
|
|
|
|
|
|
|
This experimental feature requires a special build of OpenSSL, as ECH is not
|
|
|
|
|
yet supported in OpenSSL releases. In contrast ECH is supported by the latest
|
2024-04-16 14:37:43 +08:00
|
|
|
BoringSSL and wolfSSL releases.
|
2024-04-04 21:23:35 +08:00
|
|
|
|
2024-04-16 14:37:43 +08:00
|
|
|
There is also a known issue with using wolfSSL which does not support ECH when
|
|
|
|
|
the HelloRetryRequest mechanism is used.
|
2024-04-04 21:23:35 +08:00
|
|
|
|
2024-04-16 14:37:43 +08:00
|
|
|
Pass a string that specifies configuration details for ECH. In all cases, if
|
|
|
|
|
ECH is attempted, it may fail for various reasons. The keywords supported are:
|
2024-04-04 21:23:35 +08:00
|
|
|
|
|
|
|
|
## false
|
2024-04-16 14:37:43 +08:00
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
Turns off ECH.
|
2024-04-16 14:37:43 +08:00
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
## grease
|
2024-04-16 14:37:43 +08:00
|
|
|
|
|
|
|
|
Instructs client to emit a GREASE ECH extension. (The connection fails if ECH
|
|
|
|
|
is attempted but fails.)
|
|
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
## true
|
2024-04-16 14:37:43 +08:00
|
|
|
|
|
|
|
|
Instructs client to attempt ECH, if possible, but to not fail if attempting
|
|
|
|
|
ECH is not possible.
|
|
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
## hard
|
2024-04-16 14:37:43 +08:00
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
Instructs client to attempt ECH and fail if if attempting ECH is not possible.
|
2024-04-16 14:37:43 +08:00
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
## ecl:\<base64-value\>
|
2024-04-16 14:37:43 +08:00
|
|
|
|
|
|
|
|
If the string starts with `ecl:` then the remainder of the string should be a
|
|
|
|
|
base64-encoded ECHConfigList that is used for ECH rather than attempting to
|
|
|
|
|
download such a value from the DNS.
|
|
|
|
|
|
2024-04-04 21:23:35 +08:00
|
|
|
## pn:\<name\>
|
2024-04-16 14:37:43 +08:00
|
|
|
|
|
|
|
|
If the string starts with `pn:` then the remainder of the string should be a
|
|
|
|
|
DNS/hostname that is used to over-ride the public_name field of the
|
|
|
|
|
ECHConfigList that is used for ECH.
|
2024-04-04 21:23:35 +08:00
|
|
|
|
|
|
|
|
# DEFAULT
|
|
|
|
|
|
|
|
|
|
NULL, meaning ECH is disabled.
|
|
|
|
|
|
|
|
|
|
# EXAMPLE
|
|
|
|
|
|
|
|
|
|
~~~c
|
|
|
|
|
CURL *curl = curl_easy_init();
|
|
|
|
|
|
|
|
|
|
const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA";
|
|
|
|
|
if(curl) {
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_ECH, config);
|
|
|
|
|
curl_easy_perform(curl);
|
|
|
|
|
}
|
|
|
|
|
~~~
|
|
|
|
|
# AVAILABILITY
|
|
|
|
|
|
|
|
|
|
Added in 8.8.0
|
|
|
|
|
|
|
|
|
|
# RETURN VALUE
|
|
|
|
|
|
2024-04-16 14:37:43 +08:00
|
|
|
Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient
|
|
|
|
|
heap space.
|
