Provided by: libcurl4-doc_8.9.1-2ubuntu2.1_all
NAME
CURLOPT_ECH - configuration for Encrypted Client Hello
SYNOPSIS
#include <curl/curl.h> CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);
DESCRIPTION
ECH is only compatible with TLSv1.3. This experimental feature requires a special build of OpenSSL, as ECH is not yet supported in OpenSSL releases. In contrast ECH is supported by the latest BoringSSL and wolfSSL releases. There is also a known issue with using wolfSSL which does not support ECH when the HelloRetryRequest mechanism is used. Pass a string that specifies configuration details for ECH. In all cases, if ECH is attempted, it may fail for various reasons. The keywords supported are: false Turns off ECH. grease Instructs client to emit a GREASE ECH extension. (The connection fails if ECH is attempted but fails.) true Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible. hard Instructs client to attempt ECH and fail if attempting ECH is not possible. ecl:<base64-value> If the string starts with ecl: then the remainder of the string should be a base64-encoded ECHConfigList that is used for ECH rather than attempting to download such a value from the DNS. pn:<name> If the string starts with pn: then the remainder of the string should be a DNS/hostname that is used to over-ride the public_name field of the ECHConfigList that is used for ECH.
DEFAULT
NULL, meaning ECH is disabled.
PROTOCOLS
This functionality affects all TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. This option works only with the following TLS backends: OpenSSL and wolfSSL
EXAMPLE
CURL *curl = curl_easy_init(); const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; if(curl) { curl_easy_setopt(curl, CURLOPT_ECH, config); curl_easy_perform(curl); }
AVAILABILITY
Added in curl 8.8.0
RETURN VALUE
Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient heap space.
SEE ALSO
CURLOPT_DOH_URL(3)