DEfO-2 OpenSSL HPKE PR Security Audit

DEfO is developing an implementation of the Encrypted ClientHello (ECH) mechanism for OpenSSL. This effectively closes a privacy loophole in the Transport Layer Security protocol.

Project Overview

The DEfO project is developing an implementation of the encrypted ClientHello (ECH) mechanism for OpenSSL, which is a widely used library that provides an implementation of the Transport Layer Security (TLS) protocol. The ECH mechanism effectively plugs a privacy loophole in the TLS protocol.

The Hybrid Public Key Encryption (HPKE) mechanism defined in Request for Comments 9180 is a significant component of ECH and other security protocols. It’s a new cryptographic mechanism that aims to provide a flexible and secure way to perform public key encryption in various scenarios (Learn more about HPKE integration into OpenSSL). The DEfO project developed an OpenSSL implementation of HPKE that is included in the most recent release of OpenSSL.

In addition to the implementation of ECH for OpenSSL, the project has also developed proof-of-concept implementations of various clients and servers that use OpenSSL, as a demonstration and for interoperability testing.

The team behind DEfO (Tolerant Networks Ltd. and people from the Guardian Project) is now focused on DEfO-2, a continuation of this effort with a focus on upstreaming the relevant ECH code to the various projects involved. 

Security Audit

Through OTF’s Red Team Lab, 7ASecurity conducted a security assessment of the DEfO-2 OpenSSL HPKE pull request (PR) in October 2023.

The auditors completed a penetration test and used a whitebox-assessment methodology; white box testers are aware of a program’s structure and then design inputs to test based on this knowledge. The DEfO team provided 7ASecurity with access to reference client and server implementations, documentation, and source code. 

Findings

Auditors did not identify any directly exploitable vulnerabilities on the DEfO-2 implementation—an unusual result in general, but particularly remarkable for a first security audit. In addition, the code audit of the HPKE codebase failed to spot any significant issue.

7ASecurity did find 10 issues that were either “low-severity” (three) or “informational” (seven), and made recommendations to enhance security.

Remediation

The DEfO team has implemented the recommended improvements and those changes were part of the recent OpenSSL release. The team will pursue a second phase security audit fully covering ECH in the future.

“I’d like to thank OTF and 7ASecurity – working with them for this audit was both a pleasure and really useful for the DEfO project team. Doing audits like this for code to be contributed to important upstream projects like OpenSSL is a really good plan and I look forward to the next phase when we do an audit for the full ECH code.”

Dr. Stephen Farrell from Trinity College Dublin and Tolerant Networks Ltd., one of the DEfO developers

Full Security Audit Report for DEfO-2 OpenSSL HPKE PR

OTF Blog Post

Code: