TLS client & server: Support Encrypted Client Hello (ECH) (#3813)

b9a72a4a26 --------- Co-authored-by: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>
2025-08-22 09:36:49 +08:00 · 2025-07-26 16:47:27 +08:00
parent 3fe02a658a
commit fb7a9d8d61
10 changed files with 520 additions and 45 deletions
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -412,6 +412,8 @@ type TLSConfig struct {
 	MasterKeyLog                         string           `json:"masterKeyLog"`
 	ServerNameToVerify                   string           `json:"serverNameToVerify"`
 	VerifyPeerCertInNames                []string         `json:"verifyPeerCertInNames"`
+	ECHConfigList                        string           `json:"echConfigList"`
+	ECHServerKeys                        string           `json:"echServerKeys"`
 }

 // Build implements Buildable.
@@ -483,6 +485,16 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	config.VerifyPeerCertInNames = c.VerifyPeerCertInNames

+	config.EchConfigList = c.ECHConfigList
+
+	if c.ECHServerKeys != "" {
+		EchPrivateKey, err := base64.StdEncoding.DecodeString(c.ECHServerKeys)
+		if err != nil {
+			return nil, errors.New("invalid ECH Config", c.ECHServerKeys)
+		}
+		config.EchServerKeys = EchPrivateKey
+	}
+
 	return config, nil
 }