crypto/tls: encryptedExtensions.echRetryConfigs not returned to client

[rthellend]

Go version

go version 1.24rc1

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/robin/.cache/go-build'
GODEBUG=''
GOENV='/home/robin/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1150069972=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/home/robin/src/bug/go.mod'
GOMODCACHE='/home/robin/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/robin/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/robin/src/goroot'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/robin/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/robin/src/goroot/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.24-95b433eed4 Tue Dec 17 13:28:29 2024 -0800'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I've been testing ECH in go1.24rc1. I noticed that when the client uses and incorrect / outdated echConfigList, the server correctly returns echRetryConfigs in EncryptedExtensions, but the client doesn't use it.

https://go.dev/play/p/BTzFrLzaxjV?v=gotip

This code outputs:

devel go1.24-95b433eed4 Tue Dec 17 13:28:29 2024 -0800
RetryConfigListRetry: []

With this change:

diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
index 38c6025db7..6601fcf9d7 100644
--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
@@ -39,7 +39,8 @@ type clientHandshakeStateTLS13 struct {
        masterSecret  *tls13.MasterSecret
        trafficSecret []byte // client_application_traffic_secret_0
 
-       echContext *echClientContext
+       echContext         *echClientContext
+       echRetryConfigList []byte
 }
 
 // handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and,
@@ -117,6 +118,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
                        // If the server sent us retry configs, we'll return these to
                        // the user so they can update their Config.
                        echRetryConfigList = hs.serverHello.encryptedClientHello
+                       _ = echRetryConfigList
                }
        }
 
@@ -155,7 +157,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 
        if hs.echContext != nil && hs.echContext.echRejected {
                c.sendAlert(alertECHRequired)
-               return &ECHRejectionError{echRetryConfigList}
+               return &ECHRejectionError{hs.echRetryConfigList}
        }
 
        c.isHandshakeComplete.Store(true)
@@ -605,6 +607,7 @@ func (hs *clientHandshakeStateTLS13) readServerParameters() error {
                c.sendAlert(alertUnsupportedExtension)
                return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
        }
+       hs.echRetryConfigList = encryptedExtensions.echRetryConfigs
 
        return nil
 }

I get:

$ go run .
devel go1.24-95b433eed4 Tue Dec 17 13:28:29 2024 -0800
RetryConfigListRetry: [0 62 254 13 0 58 1 0 32 0 32 223 67 164 145 141 206 235 159 159 106 211 183 218 14 188 83 72 66 133 229 14 63 128 130 46 169 103 246 116 108 254 88 0 4 0 1 0 3 0 11 101 120 97 109 112 108 101 46 99 111 109 0 0]

What did you see happen?

RetryConfigList is empty:

RetryConfigList: []

What did you expect to see?

RetryConfigList: [0 62 254 13 0 58 1 0 32 0 32 223 67 164 145 141 206 235 159 159 106 211 183 218 14 188 83 72 66 133 229 14 63 128 130 46 169 103 246 116 108 254 88 0 4 0 1 0 3 0 11 101 120 97 109 112 108 101 46 99 111 109 0 0]

[gabyhelp]

Related Issues

• crypto/tls: After the ech key verification fails, the new key sent by the ech server will not be used for handshake. #70073 (closed)
• crypto/tls: support server side Encrypted Client Hello #68500 (closed)
• crypto/tls: TLS13 handshake does not fail if no cipherSuites overlap between server and client #30109 (closed)
• crypto/tls: tls client-side test recordings don't include the close notify message #69846 (closed)
• crypto/tls: don't include supported_versions extension if MaxVersion < 1.3 #53384
• crypto/tls: client requires HelloRetryRequest to change curve #30149 (closed)
• crypto/tls: remote error: tls: handshake failure #46270 (closed)
• crypto/tls: Failure to handshake when ClientHello lacks Point Formats Extension #54116 (closed)

Related Code Changes

• crypto/tls: add ech client support
• crypto/tls: add Config.GetConfigForClient

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[dr2chase]

@FiloSottile @rolandshoemaker