[ech] ECH-PR comments and a question

[Stephen Farrell]

Hi all,

I'm finally starting to get some substantive comments on the
ECH-PR, [1] which is great. Please do jump in and send yours!
(The more the merrier from my POV and its easier to make a
set of changes over a short duration rather than have big gaps
between changes.)

One of the comments raised an issue for which I've not yet
figured out a good answer so I wondered if anyone here has any
advice that might help.

What I'd like to do is make a test that injects an ECH extension
into a TLSv1.2 client hello to check that an ECH-enabled (and
configured) server handles that out-of-spec combination correctly.

The code in the PR of course provides no way to emit a TLSv1.2
CH containing an ECH, so what I tried was to create a TLSv1.2
connection and add an ECH via the custom extension handler. But
the code still detected that as there's a check that nobody
adds an extension type that is built-in via the custom exts APIs.

So, for now, I've just #define'd a symbol that when defined omits
that last check and runs the test code. (That's in this commit. [2]).

Question: any ideas for a better way to do this so that the TLSv1.2
session with an ECH-enabled (and configured) server succeeds?

Ta,
S.

[1] https://github.com/openssl/openssl/pull/22938
[2] 
https://github.com/sftcd/openssl/commit/f22a83085425d1177884cc8927bec161814bf8a3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE4D8E9F997A833DD.asc
Type: application/pgp-keys
Size: 1197 bytes
Desc: OpenPGP public key
URL: <https://mta.openssl.org/pipermail/ech/attachments/20240521/4346b7d6/attachment.asc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://mta.openssl.org/pipermail/ech/attachments/20240521/4346b7d6/attachment.sig>