=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-ech - ECH key generation

=head1 SYNOPSIS

B<openssl> B<ech>
[B<-help>]
[B<-verbose>]
[B<-pemout> I<file>]
[B<-public_name> I<name>]
[B<-max_name_len> I<len>]
[B<-suite> I<suite_str>]
[B<-ech_version> I<version>]

=head1 DESCRIPTION

The L<openssl-ech(1)> command generates Encrypted Client Hello (ECH) private
keys and the matching public keys in the ECHConfig format.

The "ECHConfig PEM file" format mentioned below is specified in
L<https://datatracker.ietf.org/doc/draft-farrell-tls-pemesni/> and consists of
one private key in PKCS#8 format and a base64 encoded ECHConfig containing one
matching public value.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-verbose>

Print more verbosely.

=item B<-pemout> I<file>

Name of output ECHConfig PEM file.

=item B<-public_name> I<name>

The DNS name to use in the "public_name" field of the ECHConfig.

=item B<-max_name_len> I<len>

Maximum name length field value to use in the ECHConfig.

=item B<-suite> I<suite_str>

HPKE suite to use in the ECHConfig.

=item B<-ech_version> I<version>

The ECH version to use in the ECHConfig. Only 0xfe0d is supported in this version.

=back

=head1 NOTES

Ciphersuites are specified using a comma-separated list of IANA-registered
codes/numbers, e.g. "-suite 0x20,1,3", or a comma-separated list of strings
from:

=over 4

=item *

KEMs: p256, p384, p521, x25519, x448

=item *

KDFs: hkdf-sha256, hkdf-sha384, hkdf-sha512

=item *

AEADs: aes128gcm, aes256gcm, chachapoly1305

=back

For example, the default is: x25519, hkdf-sha256, aes128gcm.
See L<OSSL_HPKE_CTX_new(3)> for details.
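
To check what an ECHConfig PEM file will publish (version, public_name, maximum name length and HPKE suite), the following added example, which is not part of OpenSSL or of this manual page, decodes the ECHCONFIG block and reports the suite using the names listed above. It assumes the PEM label is C<ECHCONFIG>, that the block holds a binary ECHConfigList, and the field layout of the TLS ECH specification; the function names are hypothetical and the sample input is constructed.

```python
import base64, re, struct

# NOTES names mapped to their IANA HPKE code points (RFC 9180).
KEMS = {0x10: "p256", 0x11: "p384", 0x12: "p521", 0x20: "x25519", 0x21: "x448"}
KDFS = {1: "hkdf-sha256", 2: "hkdf-sha384", 3: "hkdf-sha512"}
AEADS = {1: "aes128gcm", 2: "aes256gcm", 3: "chachapoly1305"}

def _vec(buf, off, nlen):  # read a vector with an nlen-byte length prefix
    start = off + nlen
    end = start + int.from_bytes(buf[off:start], "big")
    if start > len(buf) or end > len(buf):
        raise ValueError("truncated vector")
    return buf[start:end], end  # (body, offset of next field)

def parse_echconfiglist(data):
    """Decode a binary ECHConfigList into one dict per ECHConfig."""
    body, end = _vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    out, off = [], 0
    while off < len(body):
        version = int.from_bytes(body[off:off + 2], "big")
        c, off = _vec(body, off + 2, 2)
        if version != 0xFE0D:  # the only version the page lists as supported
            raise ValueError(f"unsupported ECH version {version:#06x}")
        _pub, p = _vec(c, 3, 2)       # after config_id (1 byte) and kem_id (2)
        suites, p = _vec(c, p, 2)
        name, q = _vec(c, p + 1, 1)   # c[p] is maximum_name_length
        _exts, q = _vec(c, q, 2)
        if q != len(c) or not suites or len(suites) % 4:
            raise ValueError("malformed ECHConfigContents")
        kem = int.from_bytes(c[1:3], "big")
        out.append({"version": version, "config_id": c[0], "max_name_len": c[p],
                    "public_name": name.decode("ascii"), "kem": KEMS.get(kem, hex(kem)),
                    "suites": [(KDFS.get(k, hex(k)), AEADS.get(a, hex(a)))
                               for k, a in struct.iter_unpack("!HH", suites)]})
    return out

def echconfig_from_pem(text):
    """Extract and decode the ECHCONFIG block of an ECHConfig PEM file."""
    m = re.search(r"-----BEGIN ECHCONFIG-----(.+?)-----END ECHCONFIG-----", text, re.S)
    if not m:
        raise ValueError("no ECHCONFIG block found")
    return parse_echconfiglist(base64.b64decode(m.group(1)))

def sample_pem():  # constructed input (all-zero key), not real tool output
    c = struct.pack("!BHH32xHHHBB11sH", 7, 0x20, 32, 4, 1, 1, 0, 11, b"example.com", 0)
    cfg = struct.pack("!HH", 0xFE0D, len(c)) + c
    b64 = base64.b64encode(struct.pack("!H", len(cfg)) + cfg).decode()
    return f"-----BEGIN ECHCONFIG-----\n{b64}\n-----END ECHCONFIG-----\n"
```

Calling C<echconfig_from_pem(sample_pem())> returns one entry for the default suite; the constructed sample omits the private key block, which the function does not read.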

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-s_client(1)>,
L<openssl-s_server(1)>,
L<SSL_set1_echstore(3)>

=head1 HISTORY

The functionality described here was added in OpenSSL 3.5.

=head1 COPYRIGHT

Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
