feature: add support for Encrypted Client Hello (ECH) in TLS 1.3

.env

@@ -1,6 +1,6 @@
 BASE_VERSION=3.23.3
 BASE_HASH=25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
-OPENSSL_VERSION=3.6.1
+OPENSSL_VERSION=4.0.0
 APP_VERSION=1.29.5
 PCRE_VERSION=10.47
 ZLIB_VERSION=2.3.3

Dockerfile.template

@@ -194,11 +194,11 @@ COPY --chown="${UID}:${GID}" ./default.conf /etc/freenginx/conf.d/default.conf
 EXPOSE 8080/tcp 8443/tcp 8443/udp
 
 # OCI labels for image metadata
-LABEL description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+LABEL description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
       maintainer="ammnt <admin@msftcnsi.com>" \
-      org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+      org.opencontainers.image.description="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
       org.opencontainers.image.authors="ammnt, admin@msftcnsi.com" \
-      org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀" \
+      org.opencontainers.image.title="Distroless FreeNGINX with HTTP/3, QUIC, ECH and PQC support🚀" \
       org.opencontainers.image.source="https://github.com/ammnt/freenginx/" \
       org.opencontainers.image.created=${BUILD_DATE} \
       org.opencontainers.image.documentation="https://github.com/ammnt/freenginx/blob/main/README.md" \

README.md

@@ -8,16 +8,16 @@
 ![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange)
 ![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow)
 
-> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.**
+> **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC, ECH and PQC support.**
 
 > [!IMPORTANT]
-> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️
+> QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC, ECH and QUIC⚠️
 
 > [!IMPORTANT]
 > NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️
 
 > [!TIP]
-> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3 and PQC💡
+> You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3, ECH and PQC💡
 
 > [!IMPORTANT]
 > UID/GID changed to 10001 - it's [recommended](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Kubernetes and prevents conflicts with system users⚠️
@@ -114,6 +114,7 @@ spec:
 - **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000)
 - **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205)
 - **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001)
+- **Native support for the Encrypted Client Hello (ECH)** - extension of the TLS 1.3 protocol (RFC 9849)
 
 ### **Supply Chain Integrity**
 - **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations)

example.conf

@@ -1,4 +1,4 @@
-# This is an example of a configuration file for enabling QUIC, HTTP3 and "A+" SSL tests rating. Further configuration is required.
+# This is an example of a configuration file for enabling QUIC, HTTP3, PQC, ECH and "A+" SSL tests rating. Further configuration is required.
 worker_processes auto;
 worker_rlimit_nofile 65536;
 pid /tmp/freenginx.pid;
@@ -46,6 +46,10 @@ http {
     ssl_session_tickets off;
     ssl_session_timeout 1440m;
     ssl_buffer_size 4k;
+    # ssl_protocols TLSv1.3;
+    # ssl_ecdh_curve X25519MLKEM768:X25519;
+    # ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
+    # ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
     ssl_protocols TLSv1.3 TLSv1.2;
     ssl_ecdh_curve X25519MLKEM768:X25519:SecP384r1MLKEM1024:SecP256r1MLKEM768:secp521r1:secp384r1;
     ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20;
@@ -56,6 +60,7 @@ http {
     ssl_certificate_key /etc/freenginx/ssl/privkey.pem;
     ssl_trusted_certificate /etc/freenginx/ssl/fullchain.pem;
     ssl_dhparam /etc/freenginx/ssl/dhparam.pem;
+    # ssl_encrypted_hello_key /etc/angie/ssl/ech.pem.ech;
     ssl_stapling on;
     ssl_stapling_verify on;
     ssl_ocsp on;
@@ -68,7 +73,9 @@ http {
     add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1' always;
     quic_retry on;
     quic_gso on;
-    log_format main '$time_iso8601 $ssl_server_name $scheme $ssl_alpn_protocol $status $uri $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
+    log_format main '[$time_local] $request_time $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
+    # log_format ech '[$time_local] $request_time "$request" $status $uri $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'
+    #                 'ECH:$ssl_ech_status:$ssl_ech_outer_server_name $ssl_server_name';
     log_format debug escape=json '{'
                                  '"@timestamp": "$time_iso8601", '
                                  '"msec": "$msec", '
@@ -114,8 +121,9 @@ http {
                                  '"http_cf_ray": "$http_cf_ray", '
                                  '"http_x_forwarded_proto": "$http_x_forwarded_proto" '
                                  '}';
-    access_log /dev/stdout simple;
+    access_log /dev/stdout main;
     error_log stderr warn;
+
     gzip on;
     gzip_vary on;
     gzip_proxied any;