ckcr4lyf closed 7 months ago
Hiya, we created a bloggy post here that should answer the question. The basic thing is you need to do an

    # openssl ech -public_name example.com -pemout echkeydir/example.pem.ech

for the relevant public_name. Sorry that's not yet on the defo.ie web page, we'll add it. There's also now a matrix chat room you can join if chatting that way is better.
Cheers,
S.
Nice, it seems to have worked!
./echcli.sh Summary:
Looks like ECH worked ok
ECH: success: outer SNI: 'example.com', inner SNI: 'foo.example.com'
Thanks for the help. I'll play around with it more and ask questions if need be!
On 16/11/2023 09:33, Raghu Saxena wrote:
> Nice, it seems to have worked!
Excellent! Any feedback on the HOWTO text welcome too.
S.
I am following the March 2023 steps here: https://github.com/sftcd/openssl/blob/9e66beb759d274f3069e19cc96c793712e83122c/esnistuff/nginx.md?plain=1#L172
I've generated some fake CA / website certs via make-example-ca.sh, which seems to be fine. However if I try testnginx-draft-13.sh, I get the following:

I tried to search around a bit, but not too sure how to populate this directory with the ECH keys. Any advice would be great.