Align rpxy-l4 with IETF ECH draft #36
Description
This issue focuses on updating the rpxy-l4 repository to align it with the latest IETF draft for Encrypted Client Hello (ECH) (draft-ietf-tls-esni-25). Several tasks and improvements are required to achieve compliance with the draft:
Tasks:
1. Implement Retry Configurations
- Add support for retry configurations in the
EncryptedExtensionsmessage when decryption fails. - Generate retry configurations containing multiple ECHConfig values for different versions.
- Update
_decrypt_ech_brute_forceto handle retry configurations.
2. Expand Cipher Suite Support
- Extend support to include all cipher suites recommended in the draft (e.g., AesGcm256 with HkdfSha384).
- Update
_decrypt_echto handle additional cipher suites.
3. Improve GREASE Handling
- Detect and gracefully handle GREASE (Generate Random Extensions And Sustain Extensibility) configurations.
- Add tests to validate GREASE handling.
4. Validate Public Name Consistency
- Harden the validation logic for consistency between
public_namein the ECHConfig and SNI. - Ensure normalization for case-insensitive comparisons.
5. Add Unit and Integration Tests
- Add tests for successful ECH decryption with various configurations and cipher suites.
- Test edge cases such as missing SNI values, GREASE configurations, and retry configurations.
6. Update Documentation
- Add a new section in the README to explain ECH support.
- Provide examples of configuration and current limitations.
7. Optimize Logging and Debugging
- Use structured logging (e.g., JSON format) for easier parsing.
- Add log levels to control verbosity.
8. Performance Benchmarking
- Benchmark ECH decryption performance under various loads.
- Optimize critical paths in the decryption logic.
Goals:
- Ensure compliance with draft-ietf-tls-esni-25.
- Improve robustness and performance of the ECH handling pipeline.
- Enhance user and developer documentation for better usability.