From: William Lallemand Date: Sun, 30 Nov 2025 08:44:20 +0000 (+0100) Subject: DOC: configuration: ECH support details X-Git-Tag: v3.4-dev1~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c641ea4f9b4f09af34fa7357e130651f39710871;p=thirdparty%2Fhaproxy.git DOC: configuration: ECH support details Specify which OpenSSL branch is supported and that AWS-LC is not supported. Must be backported to 3.3. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 5187c67d1..173acf321 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16941,9 +16941,10 @@ ech [ EXPERIMENTAL ] See https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ This is an experimental feature, which requires the - "expose-experimental-directives" option in the global section. It also - necessitates an OpenSSL version that supports ECH, and HAProxy must be - compiled with USE_ECH=1. + "expose-experimental-directives" option in the global section. + It also necessitates an OpenSSL version that supports ECH + ( https://github.com/openssl/openssl/tree/feature/ech), and HAProxy must be + compiled with USE_ECH=1. The ECH API of AWS-LC is not supported. Example: $ openssl ech -public_name foobar.com -out /etc/haproxy/echkeydir/foobar.com.ech
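Review bot: The new parenthetical in the "ech" paragraph links to the feature/ech tree but the sentence still reads "an OpenSSL version that supports ECH", so it never states that this branch is the one that is supported, which is what the commit message says the change is for. Consider naming it in the text, for example "an OpenSSL built from the feature/ech branch (URL)", so the requirement still reads correctly if the branch link moves or goes stale. The added sentence "The ECH API of AWS-LC is not supported." also leaves open what happens when HAProxy is built with USE_ECH=1 against AWS-LC; one clause saying whether the build fails or the "ech" keyword is rejected would tell users what to expect.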