)]}'
{
  "commit": "d274b1bacdca36f3941bf78e43dc38acf676a1a8",
  "tree": "34d30870528869d5fbb2905376972e699efcdaea",
  "parents": [
    "b34976cae99f8d1b864dbab31e20fc00d06acb09"
  ],
  "author": {
    "name": "Rushil Mehra",
    "email": "rmehra@cloudflare.com",
    "time": "Thu Jun 06 10:07:43 2024 -0700"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Tue Jul 16 19:53:12 2024 +0000"
  },
  "message": "Add ECH fallback API\n\nThis commit solves\nhttps://bugs.chromium.org/p/boringssl/issues/detail?id\u003d714. To\nsummarize, there are cases where servers will advertise ECH on hostnames\nthat may, in practice, be unable to actually negotiate e.g. TLS 1.3. To\ngracefully handle this case, this commit adds a new return value for the\nselect_cert_cb that signals to the server that ECH must be disabled. To\naccomplish this, we slightly rewind the state machine to instead\nhandshake with ClientHelloOuter, and clear ech_keys on the handshake\nstate such that the server hello does not include any retry_configs in\nEncryptedExtensions. Clients will take this as a signal that ECH is\ndisabled on the hostname, and that they should instead handshake without\nECH.\n\nBug: 42290593\nChange-Id: I1806ba052ffbc3e5c46161a1596d125cc5e5a8fc\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69087\nReviewed-by: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: Bob Beck \u003cbbe@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "9f95a06bba8ff1000c797de6e279cd706f2825fb",
      "old_mode": 33188,
      "old_path": "include/openssl/ssl.h",
      "new_id": "10898a9c37141456b21f6a6b7c9f1b8c139e4b03",
      "new_mode": 33188,
      "new_path": "include/openssl/ssl.h"
    },
    {
      "type": "modify",
      "old_id": "afa0927f367f9b7c576e9185102e43349507d3e4",
      "old_mode": 33188,
      "old_path": "ssl/handshake_server.cc",
      "new_id": "508f9bf6f42aa6026baa38fa441360902205185f",
      "new_mode": 33188,
      "new_path": "ssl/handshake_server.cc"
    },
    {
      "type": "modify",
      "old_id": "3a8caa1e7bf3971c726b849f27d2b3f5a004542a",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/common.go",
      "new_id": "6bdd664dc306509e8f384d1c07b40fcc806da076",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/common.go"
    },
    {
      "type": "modify",
      "old_id": "a0a81f999635727d724e42d481c46e29e9800c1a",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/handshake_client.go",
      "new_id": "a7ab0e2c847c5a2c10ae838e3135f4a52c0d2939",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/handshake_client.go"
    },
    {
      "type": "modify",
      "old_id": "3aab605c75a9e5c40629bc4be0c08e772c8468d6",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/runner.go",
      "new_id": "18ed78ba5a8f5a36507595627d717caefa578a14",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/runner.go"
    },
    {
      "type": "modify",
      "old_id": "24b1bdd4db2c3d8a2c39b0ce030fec4eeae2ea6d",
      "old_mode": 33188,
      "old_path": "ssl/test/test_config.cc",
      "new_id": "dfe1cb46246fb739701066ef36d271f761169c9e",
      "new_mode": 33188,
      "new_path": "ssl/test/test_config.cc"
    },
    {
      "type": "modify",
      "old_id": "89656d19e8be1536fe2f9feda53433d00d09d94c",
      "old_mode": 33188,
      "old_path": "ssl/test/test_config.h",
      "new_id": "607f58dc14ed6fa36532a2b1c264933c2578d710",
      "new_mode": 33188,
      "new_path": "ssl/test/test_config.h"
    }
  ]
}
