crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled

[rbqvq]

Go version

go1.25

Output of go env in your module/workspace:

N/A

What did you do?

I create a crypto/tls fork.
During resolving my fork earlyData issue.

I found a bug in crypto/tls.

What did you see happen?

I found earlyTrafficSecret use ClientHelloOuter instead of ClientHelloInner.

https://github.com/golang/go/blob/master/src/crypto/tls/handshake_client.go#L317-L325

What did you expect to see?

If ECH is enabled, it should use ClientHelloInner.

[JunyangShao]

@golang/security

[gabyhelp]

Related Issues

• crypto/tls: client should not fail if it sets an ECH config and the server rejects it #75240 (closed)
• crypto/tls: ClientHelloOuter should hide the actual ALPN list #71220
• crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions #71642 (closed)
• crypto/tls: wrong error returned in ECHConfig parsing #71706 (closed)
• crypto/tls: encryptedExtensions.echRetryConfigs not returned to client #70915 (closed)
• crypto/tls: add GetEncryptedClientHelloKeys callback #71920 (closed)
• crypto/tls: After the ech key verification fails, the new key sent by the ech server will not be used for handshake. #70073 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/720920 mentions this issue: crypto/tls: use inner hello for earlyData when using QUIC and ECH

[rbqvq]

Cc @marten-seemann

I think you need mention user, enable both of ECH and Early will cause bad_record_mac if server accepted the early and ech.

[rbqvq]

@rolandshoemaker Can you backport it to stable branch (1.24/1.25)?

[rbqvq]

@gopherbot please consider this for backport to 1.25 and 1.24.

Its a bug and minimal fixes that can backport easily

[gopherbot]

Backport issue(s) opened: #76408 (for 1.24), #76409 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.