table of contents
- bookworm-backports 8.10.1-1~bpo12+1
- testing 8.10.1-2
- unstable 8.10.1-2
CURLOPT_ECH(3) | Library Functions Manual | CURLOPT_ECH(3) |
NAME¶
CURLOPT_ECH - configuration for Encrypted Client Hello
SYNOPSIS¶
#include <curl/curl.h> CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);
DESCRIPTION¶
ECH is only compatible with TLSv1.3.
This experimental feature requires a special build of OpenSSL, as ECH is not yet supported in OpenSSL releases. In contrast ECH is supported by the latest BoringSSL and wolfSSL releases.
There is also a known issue with using wolfSSL which does not support ECH when the HelloRetryRequest mechanism is used.
Pass a string that specifies configuration details for ECH. In all cases, if ECH is attempted, it may fail for various reasons. The keywords supported are:
- false
- Turns off ECH.
- grease
- Instructs client to emit a GREASE ECH extension. (The connection fails if ECH is attempted but fails.)
- true
- Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible.
- hard
- Instructs client to attempt ECH and fail if if attempting ECH is not possible.
- ecl:<base64-value>
- If the string starts with ecl: then the remainder of the string should be a base64-encoded ECHConfigList that is used for ECH rather than attempting to download such a value from the DNS.
- pn:<name>
- If the string starts with pn: then the remainder of the string should be a DNS/hostname that is used to over-ride the public_name field of the ECHConfigList that is used for ECH.
DEFAULT¶
NULL, meaning ECH is disabled.
PROTOCOLS¶
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
This option works only with the following TLS backends: OpenSSL and wolfSSL
EXAMPLE¶
CURL *curl = curl_easy_init(); const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; if(curl) {
curl_easy_setopt(curl, CURLOPT_ECH, config);
curl_easy_perform(curl); }
AVAILABILITY¶
Added in 8.8.0
RETURN VALUE¶
Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient heap space.
SEE ALSO¶
CURLOPT_DOH_URL(3)
2024-06-09 | libcurl |