CURLOPT_ECH(3) FreeBSD Library Functions Manual CURLOPT_ECH(3)

NAME
CURLOPT_ECH - configuration for Encrypted Client Hello

SYNOPSIS
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config);

DESCRIPTION
ECH is only compatible with TLSv1.3.

This experimental feature requires a special build of OpenSSL, as ECH is not yet supported in OpenSSL releases. In contrast, ECH is supported by the latest BoringSSL, wolfSSL and rustls-ffi releases.

There is also a known issue with wolfSSL, which does not support ECH when the HelloRetryRequest mechanism is used.

Pass a string that specifies configuration details for ECH. In all cases, if ECH is attempted, it may fail for various reasons. The keywords supported are:

"false"
    Turns off ECH.
"grease"
    Instructs client to emit a GREASE ECH extension. (The connection fails if ECH is attempted but fails.)
"true"
    Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible.
"hard"
    Instructs client to attempt ECH and fail if attempting ECH is not possible.
"ecl:<base64-value>"
    If the string starts with ecl: then the remainder of the string should be a base64-encoded ECHConfigList that is used for ECH rather than attempting to download such a value from the DNS.
"pn:<name>"
    If the string starts with pn: then the remainder of the string should be a DNS/hostname that is used to override the public_name field of the ECHConfigList that is used for ECH.

The application does not have to keep the string around after setting this option.

Using this option multiple times makes the last set string override the previous ones. Set it to NULL or "false" to disable its use again.

DEFAULT
NULL, meaning ECH is disabled.

PROTOCOLS
This functionality affects all TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.

This option works only with the following TLS backends: OpenSSL, rustls and wolfSSL.

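EXAMPLE
    #include <curl/curl.h>

    int main(void)
    {
      CURL *curl = curl_easy_init();
      /* base64-encoded ECHConfigList, passed with the ecl: prefix */
      const char *config =
        "ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+"
        "CAAEAAEAAQANY292ZXIuZGVmby5pZQAA";
      if(curl) {
        /* placeholder URL; use the host the ECHConfigList belongs to */
        curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
        curl_easy_setopt(curl, CURLOPT_ECH, config);
        curl_easy_perform(curl);
        /* release the handle once the transfer is done */
        curl_easy_cleanup(curl);
      }
      return 0;
    }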

AVAILABILITY
Added in curl 8.8.0

RETURN VALUE
curl_easy_setopt(3) returns a CURLcode indicating success or error.

CURLE_OK (0) means everything was OK; non-zero means an error occurred, see libcurl-errors(3).

SEE ALSO
CURLOPT_DOH_URL(3)

2025-07-03 libcurl
