#OpenSSL 4.0.0 ported and we have #curl #ECH

«OpenSSL 4.0 encrypts what TLS used to give away:
OpenSSL 4.0.0 is here: the crypto library removes legacy baggage, introduces ECH for better privacy and prepares for post-quantum cryptography.»

I use OpenSSL, but technically I have practically no idea about it. I see this as positive, since PQC is now in there too, and yes, technology keeps evolving, even if not overnight.

🔏 https://www.heise.de/news/OpenSSL-4-0-verschluesselt-was-TLS-bisher-verraten-hat-11259152.html

#openssl #verschlusselung #internet #ssl #webtech #ech #pqc #PQCryptography

OpenSSL 4.0.0 supports ECH

Saw the OpenSSL 4.0.0 release note on Lobsters: "OpenSSL 4.0.0". Although it is 4.0.0, it is not really a major overhaul; the most attractive part this time is support for ECH (Encrypted Client Hello): Support for Encrypted Client Hello (ECH, RFC 9849). See doc/designs/ech-api.md for details.

Gea-Suan Lin's BLOG

I pushed curl-rustls-8.19.0-3-x86_64.pkg.tar.zst to Arch Linux; with this version it's now possible to encrypt the TLS ClientHello:

curl-rustls -sSv --ech hard --doh-url='https://dns.mullvad.net/dns-query' 'https://defo.ie/ech-check.php'

Should display:

<p>SSL_ECH_OUTER_SNI: cover.defo.ie <br />
SSL_ECH_INNER_SNI: defo.ie <br />

The --doh-url is mandatory; otherwise curl won't query the `https` DNS records (dig +short https defo.ie).

For opportunistic ECH use `--ech true`.

#archlinux #curl #ech

📢 RFC 9849: Publication of the TLS Encrypted Client Hello (ECH) standard by the IETF
📝 ## 🌐 Context

Published on 3 March 2026 on the IETF datatracker (https://datatracker.ietf.org/doc/rfc9849/), this document constitutes **RFC 9849**, a standard in the category *Standa...
📖 cyberveille: https://cyberveille.ch/posts/2026-02-04-rfc-9849-publication-du-standard-tls-encrypted-client-hello-ech-par-l-ietf/
🌐 source: https://datatracker.ietf.org/doc/rfc9849/
#ECH #HPKE #Cyberveille

RFC 9849: TLS Encrypted Client Hello

This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.

I use curl with ECH btw (in Debian) | Samuel Henrique (samueloph)


@samueloph The hard part, for all the self-hosting small-scale setups, will be the key rotation and DNS part of the story. E.g. implementing https://datatracker.ietf.org/doc/html/draft-ietf-tls-wkech will probably create many fancy scripts with sharp edges until it works for every custom setup.
OTOH, if you've got a small-scale setup with only a handful of domains, your anonymity set is so small that the value of ECH might be questionable.
If it helps someone: the Caddy guy already ships ECH support in beta with the DNS plugins.

#ech

A well-known URI for publishing service parameters

We define a well-known URI at which an HTTP origin can inform an authoritative DNS server, or other interested parties, about its Service Bindings. Service binding data can include Encrypted ClientHello (ECH) configurations, that may change frequently. This allows the HTTP origin, in collaboration with DNS infrastructure elements, to publish and rotate its own ECH keys. Other service binding data such as information about TLS supported groups is unlikely to change quickly, but the HTTP origin is much more likely to have accurate information when changes do occur. Service data published via this mechanism is typically available via an HTTPS or SVCB resource record.

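As an added example (not code from any of the posts above, nor from curl, OpenSSL or the wkech draft), the Python below builds and parses the ECHConfigList wire format from RFC 9849 Section 4. That structure is what the `ech=` SvcParam of the HTTPS record shown by `dig +short https defo.ie` carries, and what a key-rotation script following draft-ietf-tls-wkech has to publish and replace. The key bytes, config IDs and the `cover.example` public name are constructed placeholders, not a real deployment's config. It also implements the two skip rules a client applies when reading a list: ignore configs with an unsupported version, and ignore configs carrying a mandatory (high-bit) extension it does not understand.

```python
"""Build and parse an ECHConfigList (RFC 9849, Section 4), the value carried
base64-encoded in the `ech=` SvcParam of an HTTPS/SVCB record.
Added example with constructed data; not a real ECH config."""
import base64
import struct

ECH_VERSION = 0xFE0D                  # only ECHConfig version defined by RFC 9849
KEM_X25519_HKDF_SHA256 = 0x0020       # HPKE KEM id (RFC 9180)
KDF_HKDF_SHA256 = 0x0001              # HPKE KDF id
AEAD_AES_128_GCM = 0x0001             # HPKE AEAD ids
AEAD_CHACHA20_POLY1305 = 0x0003


def _vec(data: bytes, width: int) -> bytes:
    """TLS variable-length vector: `width`-byte big-endian length, then data."""
    return len(data).to_bytes(width, "big") + data


def _read_vec(buf: bytes, pos: int, width: int):
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n


def build_ech_config(config_id, public_key, public_name, cipher_suites,
                     max_name_len=0, extensions=()):
    """Serialize one ECHConfig: uint16 version, then length-prefixed contents
    (HpkeKeyConfig, maximum_name_length, public_name, extensions)."""
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    key_config = (struct.pack("!BH", config_id, KEM_X25519_HKDF_SHA256)
                  + _vec(public_key, 2) + _vec(suites, 2))
    exts = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in extensions)
    contents = (key_config + bytes([max_name_len])
                + _vec(public_name.encode("ascii"), 1) + _vec(exts, 2))
    return struct.pack("!H", ECH_VERSION) + _vec(contents, 2)


def build_ech_config_list(configs) -> bytes:
    return _vec(b"".join(configs), 2)


def parse_ech_config_contents(c: bytes):
    """Return a dict for a usable config, or None if it carries a mandatory
    extension (type high bit set) that this parser does not implement."""
    config_id, kem_id = struct.unpack_from("!BH", c, 0)
    p = 3
    public_key, p = _read_vec(c, p, 2)
    suites_raw, p = _read_vec(c, p, 2)
    if not suites_raw or len(suites_raw) % 4:
        raise ValueError("cipher_suites must be a non-empty multiple of 4 bytes")
    suites = [struct.unpack_from("!HH", suites_raw, i) for i in range(0, len(suites_raw), 4)]
    max_name_len, p = c[p], p + 1
    public_name, p = _read_vec(c, p, 1)
    exts_raw, p = _read_vec(c, p, 2)
    if p != len(c):
        raise ValueError("trailing bytes in ECHConfigContents")
    extensions, q = [], 0
    while q < len(exts_raw):
        ext_type = struct.unpack_from("!H", exts_raw, q)[0]
        ext_data, q = _read_vec(exts_raw, q + 2, 2)
        if ext_type & 0x8000:          # mandatory and unknown to us: skip config
            return None
        extensions.append((ext_type, ext_data))
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name.decode("ascii"), "extensions": extensions}


def parse_ech_config_list(raw: bytes):
    """Return the configs a client may use; unsupported versions are skipped."""
    body, end = _read_vec(raw, 0, 2)
    if end != len(raw):
        raise ValueError("trailing bytes after ECHConfigList")
    out, pos = [], 0
    while pos < len(body):
        version = struct.unpack_from("!H", body, pos)[0]
        contents, pos = _read_vec(body, pos + 2, 2)   # always consume the entry
        if version != ECH_VERSION:
            continue
        cfg = parse_ech_config_contents(contents)
        if cfg is not None:
            out.append(cfg)
    return out


def ech_svcparam_value(config_list: bytes) -> str:
    """Presentation form of `ech=`: base64 of the whole ECHConfigList."""
    return base64.b64encode(config_list).decode("ascii")


def parse_ech_svcparam(value: str):
    return parse_ech_config_list(base64.b64decode(value))


# Constructed demo list: one usable config, one with an unsupported version,
# one with a mandatory unknown extension. Only the first must be accepted.
DEMO_KEY = bytes(range(32))          # placeholder for a 32-byte X25519 public key
DEMO_LIST = build_ech_config_list([
    build_ech_config(7, DEMO_KEY, "cover.example",
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM),
                      (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)]),
    struct.pack("!H", 0xFE0C) + _vec(b"\x00" * 8, 2),
    build_ech_config(8, DEMO_KEY, "cover.example",
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)], extensions=[(0x8001, b"")]),
])

if __name__ == "__main__":
    print("ech=" + ech_svcparam_value(DEMO_LIST))
    for cfg in parse_ech_svcparam(ech_svcparam_value(DEMO_LIST)):
        print(cfg["config_id"], cfg["public_name"], cfg["cipher_suites"])
```

The `config_id` is what ties a rotation together: the client sends it in the clear and the server uses it to pick the matching private key, so a rotation script has to keep the old key available until every cached HTTPS record (DNS TTL plus any resolver caching) has expired, and must never reuse an id still in circulation for a different key.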
One Open-source Project Daily

Multi-platform auto-proxy client, supporting Sing-box, X-ray, TUIC, Hysteria, Reality, Trojan, SSH etc. It's open-source, secure and ad-free.

https://github.com/hiddify/hiddify-app

#1ospd #opensource #clash #clashmeta #ech #hysteria #hysteria2 #proxy #reality #shadowsocks #shadowtls #singbox #singbox #ssh #tuic #v2ray #vless #vmess #wireguard #xray

Yay, #OpenSSL 4.0, set to be released in April, will add support for Encrypted Client Hello (RFC 9849) #ECH

https://github.com/openssl/openssl/blob/openssl-4.0.0-alpha1/CHANGES.md

I noticed a certain relish and happiness in @ecollado's comments in his latest podcast about #ECH https://overcast.fm/+AAV0zD9mEpQ