Hey all, I'm working on implementing server-side ECH in the Go standard library TLS implementation, and ran across what I think is an error in Section 7. Additionally I had a question about the distinction between modes described in that section.
First off on the error, the paragraph about shared mode servers contains the following sentence: "A shared mode server which receives a ClientHello with ECHClientHello.type of outer MUST abort with an "illegal_parameter" alert, because such a ClientHello should never be received directly from the network." This appears to be backwards, presumably a shared mode server acts initially like a client-facing server in split mode, and should only ever expect to see an ECHClientHello.type of outer, and instead should fail on seeing inner. This seems like an easy fix. The question I have is about whether this distinction is particularly important. It seems when implementing a TLS library with server support, it is simpler to implement a shared-split hybrid server, which dynamically checks the ECHClientHello.type and then either acts as a shared-mode server, or a split-mode backend server, depending on the value (i.e. if it's an outer, do the section 7.1 behavior first and then the 7.2 behavior, if not skip immediately to the 7.2 behavior). It is not clear to me that there are any real security implications of operating in such a manner? It seems if this is an acceptable manner of operation, the only real distinction in section 7 is between a client-facing server and a shared-mode/backend server (which could plausibly be a single entity). Is there something obvious I'm missing here? Thanks! Roland
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
