The Open Source Technology Improvement Fund is proud to share the results of our security engagement on Developing ECH for OpenSSL (“DEfO”). DEfO is an open source implementation of Encrypted Client Hello (ECH) for OpenSSL, and provides proof-of-concept implementations for various clients and servers that use OpenSSL as a demonstration and for interoperability testing. With the help of Ada Logics, 7ASecurity, and the Sovereign Tech Agency, this project received expert security review, testing, and custom documentation contributing to DEfO’s ongoing development and security.
Audit Process:
OSTIF divided up the scope of the DEfO engagement between two teams, Ada Logics and 7ASecurity. Ada Logics audited the Python ECH implementation, executing a threat model, manual code review and SAST-assisted auditing. Their firm was also responsible for fuzzing the OpenSSL ECH implementation, where they identified the trust boundaries of the TLS handshake and designed fuzzers to exercise the handshake process. 7ASecurity audited the DEfO ECH patchset and OpenSSL Core integration, executing 4 work packages: whitebox tests against DEfO ECH patchset and OpenSSL core integration, automated and manual code review, configuration and regression review against OpenSSL hardening, and a lightweight threat model.
Audit Results:
- 3 Reports
- 15 Findings with Security Impact
- 3 High
- 6 Medium
- 4 Low
- 2 Informational
- 6 Hardening Recommendations
- 3 Threat Models
- Encrypted ClientHello (ECH) implementation in the feature/ech branch of OpenSSL
- Python ECH
- OpenSSL ECH-enabled clients, servers, and deployments
- Fuzzing Improvements
- Custom harnesses
- Integrated onto OSS-Fuzz
- Recommendations for Future Security Work
The team at OpenSSL who maintains DEfO was responsive and helpful to the multiple auditing bodies working to review the project. Multiple changes have been made to the OpenSSL project as a result of this work and other reviews, with the ECH code now merged to the master branch. When it becomes available on April 14, 2026, please upgrade to OpenSSL 4.0 release to take advantage of the hard work done by the maintainers, auditors, and community.
Thank you to the individuals and groups that made this engagement possible:
- OpenSSL DEfO community and maintainers
- Ada Logics: Arthur Chan, Adam Korczynski, and David Korczynski
- 7ASecurity: Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski
- Sovereign Tech Agency
You can read 7ASecurity’s blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected].
OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups