caddytls: Enable ECH on the "gotten" tls.Config instead of the "getter"

No idea if this fixes #7555
2026-05-26 16:52:40 -04:00 · 2026-03-12 15:42:47 -06:00
1 changed files with 13 additions and 6 deletions
@@ -167,12 +167,6 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 				}
 				tlsApp.RegisterServerNames(echNames)
 			}
-
-			tlsCfg.GetEncryptedClientHelloKeys = func(chi *tls.ClientHelloInfo) ([]tls.EncryptedClientHelloKey, error) {
-				tlsApp.EncryptedClientHello.configsMu.RLock()
-				defer tlsApp.EncryptedClientHello.configsMu.RUnlock()
-				return tlsApp.EncryptedClientHello.stdlibReady, nil
-			}
 		}
 	}

@@ -376,6 +370,19 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 		cfg.MaxVersion = SupportedProtocols[p.ProtocolMax]
 	}

+	// enable ECH (Encrypted ClientHello) if configured
+	if tlsApp.EncryptedClientHello != nil {
+		cfg.GetEncryptedClientHelloKeys = func(_ *tls.ClientHelloInfo) ([]tls.EncryptedClientHelloKey, error) {
+			tlsApp.EncryptedClientHello.configsMu.RLock()
+			defer tlsApp.EncryptedClientHello.configsMu.RUnlock()
+			return tlsApp.EncryptedClientHello.stdlibReady, nil
+		}
+		// TLS 1.3 is the first version that supports ECH
+		if cfg.MinVersion < tls.VersionTLS13 {
+			cfg.MaxVersion = tls.VersionTLS13
+		}
+	}
+
 	// client authentication
 	if p.ClientAuthentication != nil {
 		if err := p.ClientAuthentication.provision(ctx); err != nil {