Skip to content

caddytls: ECH key rotation #7356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mholt merged 4 commits into from
Dec 10, 2025
Merged

caddytls: ECH key rotation #7356

mholt merged 4 commits into from
Dec 10, 2025
+233 −72

Conversation

@mholt
Copy link
Member

@mholt mholt commented Nov 20, 2025

This change implements ECH key rotation, made possible in Go 1.25 thanks to the GetEncryptedClientHelloKeys callback in tls.Config.

Currently, keys are rotated every 30 days, and are supported for 90 days (so, 60 days after rotation), to give clients time to update without needing to retry.

It's not clear what are actually good intervals for these things, as this is new technology and there isn't much diversity of deployments. But generally, smaller anonymity sets (fewer sites) should rotate a less frequently than big anonymity sets, and I suspect most Caddy instances are smaller.

We can always change the rotation intervals based on feedback/experience.

@mholt mholt added this to the v2.11.0 milestone Nov 20, 2025
@mholt
Copy link
Member Author

mholt commented Nov 24, 2025

Let's try something stupid:

@copilot Are there any (other) resource leaks or any security vulnerabilities in this code?

Copy link

Copilot AI commented Nov 24, 2025

@mholt I've opened a new pull request, #7363, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Nov 24, 2025
Closed
@mohammed90 mohammed90 mentioned this pull request Nov 25, 2025
Closed
@mholt mholt requested a review from francislavoie December 10, 2025 17:27
@mholt
Copy link
Member Author

mholt commented Dec 10, 2025

I think I've got all the missing pieces, no thanks to Copilot. 🥲

Ready to merge, probably.

francislavoie
francislavoie approved these changes Dec 10, 2025
View reviewed changes
Copy link
Member

@francislavoie francislavoie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I honestly don't understand ECH flows well enough to give a confident review. But I assume you've tested it, so we might as well merge.

@mholt
Copy link
Member Author

mholt commented Dec 10, 2025

Thanks; makes sense. Yeah, I tested it by reducing the rotation interval, etc, to a matter of seconds, instead of hours, and it seemed to be working!

@mholt mholt merged commit 3c9c67e into master Dec 10, 2025
30 checks passed
@mholt mholt deleted the ech-key-rotation branch December 10, 2025 18:50
@github-actions github-actions bot mentioned this pull request Jan 6, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@francislavoie francislavoie francislavoie approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v2.11.0

Development

Successfully merging this pull request may close these issues.

3 participants

@mholt @francislavoie