Would it be possible to add ECH support to the Cloudflare workers ? #172
-
|
I was wondering if it'd be possible to add ECH (Encrypted Client Hello) support to the Cloudflare DoH we host on the workers. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
That's enabled by default. Cloudflare auto-sets the pre-requisite HTTPS / SVCB records. If the client knows what to do, it should be able to ECH with the Workers endpoint just fine. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, my client which is Edge browser supports ECH and i can verify it using this website And in Cloudflare test website https://www.cloudflare.com/ssl/encrypted-sni/
and in Wireshark with this filter
but I see my original domain name in the client hello in DoH connections meaning no ECH is being performed to hide the inner SNI. But since you said Cloudflare workers do support ECH and my client supports it too, I can think of 2 things
In Cloudflare I'm using a custom domain of my own which I added as a custom route to Cloudflare worker. I set the minimum TLS version to 1.3 and set the TLS requirement to strict. |
Beta Was this translation helpful? Give feedback.
-
|
You're right. For Workers endpoints, ECH doesn't work [0] Not sure what else we could do other than report this to Cloudflare? [0] notice |
Beta Was this translation helpful? Give feedback.
-
|
@ignoramous Thanks for checking, yes, if nothing else can be done then reporting to Cloudflare should be enough |
Beta Was this translation helpful? Give feedback.
You're right. For Workers endpoints, ECH doesn't work [0] Not sure what else we could do other than report this to Cloudflare?
[0] notice
sni=plaintextfor https://dl.nile.workers.dev/cdn-cgi/trace but https://crypto.cloudflare.com/cdn-cgi/trace showssni=encrypted.