sftcd / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

How can I generate ECH keys for testing with nginx? #26

Closed ckcr4lyf closed 7 months ago

ckcr4lyf commented 7 months ago

I am following the March 2023 steps here: https://github.com/sftcd/openssl/blob/9e66beb759d274f3069e19cc96c793712e83122c/esnistuff/nginx.md?plain=1#L172

I've generated some fake CA / website certs via make-example-ca.sh , which seems to be fine. However if I try testnginx-draft-13.sh , I get the following:

Executing:  /home/ubuntu/code/nginx/objs/nginx -c /home/ubuntu/code/openssl-for-nginx/esnistuff/nginxmin-draft-13.conf
nginx: [emerg] load_echkeys, error opening /home/ubuntu/code/openssl-for-nginx/esnistuff/echkeydir at 1463
nginx: [emerg] Hey some bad ech stuff happened at 1544

I tried to search around a bit, but not too sure how to populate this directory with the ECH keys. Any advice would be great.

sftcd commented 7 months ago

Hiya, we created a bloggy post here that should answer the question. The basic thing is you need to do an # openssl ech -public_name example.com -pemout echkeydir/example.pem.ech for the relevant public_name. Sorry that's not yet on the defo.ie web page, we'll add it. There's also now a matrix chat room you can join if chatting that way is better. Cheers, S.
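As an added example (not code from the sftcd fork or the HOWTO), here is a Python decoder for the draft-13 ECHConfigList that a `.pem.ech` file in `echkeydir` carries, so you can confirm a generated file holds the `public_name` you expect (the outer SNI) before pointing nginx at it. It assumes the file stores the ECHConfigList as a base64 PEM block labelled `ECHCONFIG`; `build_echconfig_list` only constructs sample data for the check and is not a key generator.

```python
import base64
import struct
ECH_VERSION_DRAFT13 = 0xFE0D              # ECHConfig.version for draft-13
KEM_X25519_HKDF_SHA256 = 0x0020           # HPKE KEM id used in the constructed sample
SUITE_HKDF_SHA256_AES128GCM = (0x0001, 0x0001)

def build_echconfig_list(config_id, public_key, public_name, max_name_len=0):
    """Encode one draft-13 ECHConfig wrapped in an ECHConfigList (constructed test data)."""
    suite_bytes = struct.pack("!HH", *SUITE_HKDF_SHA256_AES128GCM)
    name = public_name.encode("ascii")
    contents = (struct.pack("!BHH", config_id, KEM_X25519_HKDF_SHA256, len(public_key))
                + public_key + struct.pack("!H", len(suite_bytes)) + suite_bytes
                + struct.pack("!BB", max_name_len, len(name)) + name
                + struct.pack("!H", 0))                       # empty extensions vector
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    return struct.pack("!H", len(config)) + config

def _vec(body, off, lensize):
    """Read a TLS length-prefixed vector; returns (payload, offset after it)."""
    (n,) = struct.unpack_from("!H" if lensize == 2 else "!B", body, off)
    return body[off + lensize:off + lensize + n], off + lensize + n

def parse_echconfig_list(data):
    """Decode an ECHConfigList into one dict per draft-13 ECHConfig; other versions are skipped."""
    if struct.unpack_from("!H", data, 0)[0] != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        if version != ECH_VERSION_DRAFT13:
            continue                                   # unknown version: skip by length
        config_id, kem_id = struct.unpack_from("!BH", body, 0)
        public_key, off = _vec(body, 3, 2)
        suite_bytes, off = _vec(body, off, 2)
        suites = [struct.unpack_from("!HH", suite_bytes, i) for i in range(0, len(suite_bytes), 4)]
        max_name_len, (public_name, off) = body[off], _vec(body, off + 1, 1)
        _extensions, off = _vec(body, off, 2)
        if off != len(body):
            raise ValueError("ECHConfig length does not match its contents")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "maximum_name_length": max_name_len,
                        "public_name": public_name.decode("ascii")})
    return configs

def public_names_from_pem(pem_text):
    """public_name values from a .pem.ech file; assumes an ECHCONFIG PEM block holding a base64 ECHConfigList."""
    inner = pem_text.split("-----BEGIN ECHCONFIG-----", 1)[1].split("-----END", 1)[0]
    return [c["public_name"] for c in parse_echconfig_list(base64.b64decode(inner))]
```

Run `public_names_from_pem(open("echkeydir/example.pem.ech").read())` against a generated file and compare the result with the outer SNI you expect.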

ckcr4lyf commented 7 months ago

Nice, it seems to have worked!

./echcli.sh Summary:
Looks like ECH worked ok
ECH: success: outer SNI: 'example.com', inner SNI: 'foo.example.com'

Thanks for the help. I'll play around with it more and ask questions if need be!

sftcd commented 7 months ago

On 16/11/2023 09:33, Raghu Saxena wrote:

Nice, it seems to have worked!

Excellent! Any feedback on the HOWTO text welcome too.

S.