xref: /curl/docs/libcurl/opts/CURLOPT_ECH.md (revision a1ecd0ba)
---
c: Copyright (C) Daniel Stenberg, <daniel.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_ECH
Section: 3
Source: libcurl
See-also:
  - CURLOPT_DOH_URL (3)
Protocol:
  - TLS
TLS-backend:
  - OpenSSL
  - wolfSSL
---

# NAME

CURLOPT_ECH - configuration for Encrypted Client Hello

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);
~~~

# DESCRIPTION

ECH is only compatible with TLSv1.3.

This experimental feature requires a special build of OpenSSL, as ECH is not
yet supported in OpenSSL releases. In contrast, ECH is supported by the latest
BoringSSL and wolfSSL releases.

There is also a known issue with wolfSSL: it does not support ECH when the
HelloRetryRequest mechanism is used.

Pass a string that specifies configuration details for ECH. In all cases, if
ECH is attempted, it may fail for various reasons. The keywords supported are:

## false

Turns off ECH.

## grease

Instructs client to emit a GREASE ECH extension. (The connection fails if ECH
is attempted but fails.)

## true

Instructs client to attempt ECH, if possible, but to not fail if attempting
ECH is not possible.

## hard

Instructs client to attempt ECH and fail if attempting ECH is not possible.

## ecl:\<base64-value\>

If the string starts with `ecl:` then the remainder of the string should be a
base64-encoded ECHConfigList that is used for ECH rather than attempting to
download such a value from the DNS.

## pn:\<name\>

If the string starts with `pn:` then the remainder of the string should be a
DNS/hostname that is used to override the public_name field of the
ECHConfigList that is used for ECH.

# DEFAULT

NULL, meaning ECH is disabled.

# EXAMPLE

~~~c
CURL *curl = curl_easy_init();

/* "ecl:" followed by a base64-encoded ECHConfigList */
const char *config = "ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA";
if(curl) {
  curl_easy_setopt(curl, CURLOPT_ECH, config);
  curl_easy_perform(curl);
  /* release the handle when done */
  curl_easy_cleanup(curl);
}
~~~
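
A pre-flight check for the config string forms listed under DESCRIPTION, as an added example that is not part of libcurl or of the original page. `ech_config_ok` and its helpers are hypothetical names, the ECHConfigList framing (2-byte list length, then entries of 2-byte version, 2-byte length, contents) is taken from the ECH specification rather than from this page, and libcurl's own parsing may accept or reject input differently.

```c
#include <stddef.h>
#include <string.h>

/* Added example: hypothetical helpers, not libcurl API. */
static int b64val(char c)
{
  static const char t[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  const char *p = c ? strchr(t, c) : NULL;
  return p ? (int)(p - t) : -1;
}

/* Decode standard base64; returns the byte count or -1 on malformed input. */
static long b64decode(const char *s, unsigned char *out, size_t outmax)
{
  size_t n = strlen(s), i, o = 0;
  if(!n || n % 4) return -1;
  for(i = 0; i < n; i += 4) {
    int v[4], pad = 0, j;
    for(j = 0; j < 4; j++) {
      if(s[i + j] == '=' && i + 4 == n && j >= 2) { v[j] = 0; pad++; }
      else if(pad || (v[j] = b64val(s[i + j])) < 0) return -1;
    }
    if(o + 3 > outmax) return -1;
    out[o++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
    if(pad < 2) out[o++] = (unsigned char)(v[1] << 4 | v[2] >> 2);
    if(pad < 1) out[o++] = (unsigned char)(v[2] << 6 | v[3]);
  }
  return (long)o;
}

/* Returns 0 if cfg is one of the documented forms (and, for "ecl:", decodes
   to a well-framed ECHConfigList), -1 otherwise. */
int ech_config_ok(const char *cfg)
{
  static const char *kw[] = { "false", "grease", "true", "hard" };
  unsigned char buf[1024];
  long len, pos = 2;
  size_t i;
  if(!cfg) return 0;  /* NULL is the default: ECH disabled */
  for(i = 0; i < 4; i++)
    if(!strcmp(cfg, kw[i])) return 0;
  if(!strncmp(cfg, "pn:", 3)) return cfg[3] ? 0 : -1;
  if(strncmp(cfg, "ecl:", 4)) return -1;
  len = b64decode(cfg + 4, buf, sizeof(buf));
  /* 2-byte list length, then entries: version(2) | length(2) | contents */
  if(len < 6 || ((buf[0] << 8) | buf[1]) != len - 2) return -1;
  while(pos + 4 <= len)
    pos += 4 + ((buf[pos + 2] << 8) | buf[pos + 3]);
  return pos == len ? 0 : -1;
}
```

Running such a check before `curl_easy_setopt()` catches a truncated or mis-pasted `ecl:` value early, since setting the option only reports CURLE_OK or CURLE_OUT_OF_MEMORY.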

# AVAILABILITY

Added in 8.8.0

# RETURN VALUE

Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient
heap space.