Inner CH should be TLS 1.3 only

[oneton]

You might recall I looked into reviving the BoringSSL test suite for OpenSSL in openssl#27553
After the feedback I decided to abandon the effort, but I tried running the test suite against the ECH branch: https://github.com/oneton/openssl/tree/bssl-ech. I haven't updated my branch yet to include your server side changes.

I noticed that the ECH client-tests fail because the inner CH includes supported versions < TLS1.3 and extensions only relevant for versions < TLS1.3.
 According to the draft, 6.1 - “It MUST NOT offer to negotiate TLS 1.2 or below.” As far as I can tell, the list of cipher suites in the inner CH is also not limited to TLS1.3 suites.

Unfortunately addressing this seems like quite a fundamental change, so I wasn’t able to come up with an easy solution.

Happy to update my branch and provide steps to run the test suite if that's helpful.

I looked into this as a learning project in my spare time, so my apologies if I missed something obvious.

[sftcd]

Thanks. Will take a peek. Is the issue that OpenSSL ECH clients are able to emit TLS1.2 inner CH's that boring rejects? (Just checking.) If so, that's relatively easy to fix.

[oneton]

Let me provide a little more context. The test suite I've used is the extended test suite (written in Go) that BoringSSL uses for their own tests. So it's not a matter of interoperability. BoringSSL might be more flexible in what they accept compared to their own quality standards.

The specific tests failing are here. Rejecting supported versions other than TLS1.3 as well as TLS1.2-only extensions (OpenSSL might offer a few more than this test suite tests for).
https://boringssl.googlesource.com/boringssl/+/refs/heads/main/ssl/test/runner/handshake_server.go#520

Obviously this is an OpenSSL client configured to offer TLS1.0 - TLS1.3 (or at least more than just TLS1.3). The way I read the draft (and for what I've seen in BoringSSL's implementation), the inner CH should basically be constructed as a TLS1.3-only CH and only the outer CH should offer other versions (including relevant extensions and cipher suites). The current implementation seems to assume that inner and outer CH are a lot more similar.

[sftcd]

Have to check some, but looks like adding a check here to try force TLSv1.3 if ECH is to be attempted should fix, and seems to sorta make sense.