crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions [1.24 backport] #73118
Comments
Change https://go.dev/cl/661936 mentions this issue:
@gdy666 @rolandshoemaker It would be helpful to provide a reason for why a backport is requested.
I would like to request a backport to the 1.24 branch because the fix addresses a critical compatibility issue specifically related to the use of Encrypted Client Hello (ECH) with Chromium-based browsers like Chrome and Edge. These browsers have significant market shares, and the current implementation fails to properly negotiate TLS 1.3 with ECH enabled, which could disrupt a substantial number of users and applications. This modification only involves an improvement in the version checking logic and does not introduce any new features, making the risk of backporting extremely low. By addressing this issue, we improve reliability and user trust, crucial for environments where Go is used in secure communications.
I agree it makes sense to backport this. The change is minimal, and only makes the implementation more permissive, so is unlikely to break any users, just remove some existing incompatibility.
Can you please clarify if the request to backport to the 1.24 branch is because the problem only exists in 1.24 but not 1.23? Or does this problem affect 1.23 too? We need this information because the release policy is to support last two releases equally. Thanks.
ECH server support was added in 1.24, this functionality is not present in 1.23.
@gdy666 requested issue #71642 to be considered for backport to the next 1.24 minor release.
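The version check discussed in this thread, as an added example that is not code from the Go project or from any commenter: it parses a `supported_versions` extension body and compares a strict rule with one that skips RFC 8701 GREASE values. The function names, the exact form of the strict rule, and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const versionTLS13 = 0x0304

// isGREASE reports whether v is a reserved RFC 8701 value (0x0A0A ... 0xFAFA).
func isGREASE(v uint16) bool { return v&0x0F0F == 0x0A0A && v>>8 == v&0xFF }

// parseSupportedVersions decodes a ClientHello supported_versions body:
// one length byte, then that many bytes of big-endian uint16 versions.
func parseSupportedVersions(b []byte) ([]uint16, error) {
	if len(b) < 3 || int(b[0]) != len(b)-1 || b[0]%2 != 0 {
		return nil, errors.New("malformed supported_versions")
	}
	var vers []uint16
	for i := 1; i < len(b); i += 2 {
		vers = append(vers, binary.BigEndian.Uint16(b[i:]))
	}
	return vers, nil
}

// strictCheck is an assumed over-strict rule: exactly [TLS 1.3], nothing else.
func strictCheck(vers []uint16) bool { return len(vers) == 1 && vers[0] == versionTLS13 }

// tolerantCheck skips GREASE, requires TLS 1.3 and rejects any lower version.
func tolerantCheck(vers []uint16) bool {
	has13 := false
	for _, v := range vers {
		if isGREASE(v) {
			continue
		}
		if v < versionTLS13 {
			return false
		}
		has13 = has13 || v == versionTLS13
	}
	return has13
}

func main() {
	// Constructed sample: GREASE 0x7A7A followed by TLS 1.3.
	vers, err := parseSupportedVersions([]byte{0x04, 0x7A, 0x7A, 0x03, 0x04})
	fmt.Println(vers, err, strictCheck(vers), tolerantCheck(vers))
}
```

The tolerant rule still rejects a list that offers TLS 1.2 alongside TLS 1.3, so skipping GREASE does not open a downgrade path for the inner ClientHello.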