{"id":23405155,"url":"https://github.com/c2fmzq/ech","last_synced_at":"2025-10-29T20:31:01.842Z","repository":{"id":268942392,"uuid":"905405168","full_name":"c2FmZQ/ech","owner":"c2FmZQ","description":"Encrypted Client Hello with Split Mode Topology","archived":false,"fork":false,"pushed_at":"2025-02-13T19:25:18.000Z","size":180,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-13T20:26:35.818Z","etag":null,"topics":["client-facing-server","dns-over-https","doh","ech","encrypted-client-hello","rfc8484","rfc9460","tls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/c2FmZQ.png","metadata":{"files":{"readme":"docs/README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-18T18:57:58.000Z","updated_at":"2025-02-13T19:19:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"047f57b5-13de-4372-ad88-16563a42a613","html_url":"https://github.com/c2FmZQ/ech","commit_stats":null,"previous_names":["c2fmzq/ech"],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c2FmZQ%2Fech","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c2FmZQ%2Fech/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c2FmZQ%2Fech/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c2FmZQ%2Fech/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/c2FmZQ","download_url":"https://co
deload.github.com/c2FmZQ/ech/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238809004,"owners_count":19534303,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["client-facing-server","dns-over-https","doh","ech","encrypted-client-hello","rfc8484","rfc9460","tls"],"created_at":"2024-12-22T13:18:43.778Z","updated_at":"2025-10-29T20:31:01.830Z","avatar_url":"https://github.com/c2FmZQ.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Tests](https://github.com/c2FmZQ/ech/actions/workflows/pr.yml/badge.svg?branch=main)](https://github.com/c2FmZQ/ech/actions/workflows/pr.yml)\n[![Go Reference](https://pkg.go.dev/badge/github.com/c2FmZQ/ech.svg)](https://pkg.go.dev/github.com/c2FmZQ/ech)\n\n# Encrypted Client Hello with Split Mode Topology (a.k.a. TLS Passthrough)\n\nThis repo implements a library to support Encrypted Client Hello with a Split Mode Topology, along with secure client-side name resolution and network connections.\n\nSplit Mode Topology is defined in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni/#section-3.1\n\n```mermaid\nflowchart LR\n  subgraph Client\n    c1(\"Client\")\n  end\n  subgraph Client-Facing Server\n    prx(((\"public.example.com\")))\n  end\n  subgraph Backend Servers\n    be1(\"private1.example.com\")\n    be2(\"private2.example.com\")\n  end\n  c1--\u003eprx\n  prx--\u003ebe1\n  prx--\u003ebe2\n```\n\nThe ECH library handles the Client-Facing Server part. 
An `ech.Conn` transparently inspects the TLS handshake and decrypts/decodes Encrypted Client Hello messages. The decoded ServerName and/or ALPN protocols can then be used to route the TLS connection to the right backend server, which terminates the TLS connection.\n\nECH Configs and ECH ConfigLists are created with `ech.NewConfig` and `ech.ConfigList`.\n\nClients can use `ech.Resolve` and/or `ech.Dial` to securely connect to services. They use RFC 8484 DNS-over-HTTPS (DoH) and RFC 9460 HTTPS Resource Records, along with traditional A, AAAA, CNAME records for name resolution. If an HTTPS record contains an ECH config list, it can be used automatically. `ech.Dial` also supports concurrent connection attempts to gracefully handle slow or unreachable addresses.\n\nThe [example](https://github.com/c2FmZQ/ech/tree/main/example) directory has working client and server examples.\n\nSee the [godoc](https://pkg.go.dev/github.com/c2FmZQ/ech) for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fc2fmzq%2Fech","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fc2fmzq%2Fech","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fc2fmzq%2Fech/lists"}