On Wed, Jun 04, 2025 at 05:23:59PM +0200, Bjorn Ketelaars wrote:
> On Wed 04/06/2025 14:25, Christoph Liebender wrote:
> > On 03.06.25 at 15:53, Christoph Liebender wrote:
> > > I will probably submit a PR to upstream that disables this test on
> > > OpenBSD altogether, when I find time...
> >
> > Upstream was very responsive and integrated that into 10.4.2.
> >
> > > In any case, comments w.r.t. the --tls-ech-enable feature are welcome.
> >
> > Which is supposed to mean that I cannot make this work on my setup, and
> > right now I am not sure whether it is due to an upstream bug, packaging bug
> > or issue with my setup. Can ECH be considered a niche feature anyway? If so,
> > it might also make sense to not use aws-lc-rs as a crypto provider and fall
> > back to native TLS at some point.
>
> I'm far from being an expert here, so there are multiple options for me
> to be wrong:
> - ECH uses Hybrid Public Key Encryption
> - HPKE is provided by aws-lc-rs
> - On OpenBSD, aws-lc-rs is not used. Instead ring is used as backend
>   [0].

The version of the aws-lc-rs crate that wstunnel uses is recent enough to be
xonly and btci clean. So using it should be fine now.

>
> Long story short, no ECH with wstunnel on OpenBSD.
>
> [0]
> https://github.com/erebe/wstunnel/blob/eba8f8609423c3d4afc155cf2989cef72242e3eb/Cargo.toml#L64-L72
>