We are on the free plan, and the ECH feature has been causing us some problems for a few days. I just have a question: if I upgrade to the PRO plan, can I disable the ECH feature? Will it be disabled automatically, or how can I disable it? (Related to ECH Protocol | Cloudflare SSL/TLS docs)
When we try to reach a few of our websites (I cannot share the exact hostnames with you), we get the same error [ERR_ECH_NOT_NEGOTIATED] in Chrome. I'm just wondering how to disable that ECH feature on Cloudflare, and whether I can disable ECH somehow if I upgrade my plan to Pro.
ECH is disabled on Pro Plans - an API to disable on Free plans will be available next week. It seems the problem is with Fortinet and blocking our domain. I will reach out to Fortinet to see if we can expedite a fix for all.
Great! Thank you for the answer. It's good news. I misunderstood you at first glance, but I disabled TLS 1.3 on Cloudflare and it helped. Before, I had only disabled TLS 1.3 in Chrome.
Fortinet is not blocking the site. The issue seems to be that the encrypted client hello is breaking SSL inspection through the FortiGate. Implementing an SSL inspection bypass of the domain name cloudflare-ech.com will fix the ECH issue. However, this is a workaround, not a fix.
Bypassing this domain name from inspection has the consequence of bypassing SSL inspection for ALL Cloudflare sites that use ECH.
The real question is - why is Cloudflare deploying a still experimental feature across their production environments - and turning it on by default!
According to IETF, ECH is currently only a “Proposed Standard”…
Cloudflare deploying this to production, and enabling it by default - was a mistake.
Is there an update to this? I have seen that ECH has been removed as an option, but we're still getting an ECH_NOT_NEGOTIATED error on a specific network in Google Chrome.
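
To show what an inspecting middlebox has to work with in the SSL-inspection discussion above, here is an added example (not written by any poster in this thread, and not Cloudflare or Fortinet code) that parses a TLS ClientHello and reports the visible SNI and whether the ECH extension is present. The extension codepoint 0xfe0d comes from the ECH drafts, and the sample handshake is constructed, with filler bytes in place of a real ECH payload.

```python
import struct

ECH_EXT = 0xFE0D  # encrypted_client_hello codepoint used by the ECH drafts
SNI_EXT = 0x0000  # server_name

def _vec(data, off, len_bytes):
    """Read a length-prefixed vector; return (body, offset after it)."""
    n = int.from_bytes(data[off:off + len_bytes], "big")
    start = off + len_bytes
    if start + n > len(data):
        raise ValueError("truncated vector")
    return data[start:start + n], start + n

def inspect_client_hello(record):
    """Return (outer_sni, has_ech) for a TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body, _ = _vec(record, 6, 3)   # handshake body, uint24 length
    off = 2 + 32                   # skip legacy_version + random
    _, off = _vec(body, off, 1)    # session_id
    _, off = _vec(body, off, 2)    # cipher_suites
    _, off = _vec(body, off, 1)    # compression_methods
    exts, _ = _vec(body, off, 2)   # extensions block
    sni, has_ech, p = None, False, 0
    while p + 4 <= len(exts):
        ext_type = int.from_bytes(exts[p:p + 2], "big")
        ext_data, p = _vec(exts, p + 2, 2)
        if ext_type == ECH_EXT:
            has_ech = True         # real hostname is inside this opaque payload
        elif ext_type == SNI_EXT:
            names, _ = _vec(ext_data, 0, 2)
            if names and names[0] == 0:        # name_type host_name
                host, _ = _vec(names, 1, 2)
                sni = host.decode("ascii")
    return sni, has_ech

def build_sample(host, with_ech):
    """Constructed ClientHello for the demo; the ECH payload is filler bytes."""
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    h = host.encode()
    name_list = b"\x00" + struct.pack("!H", len(h)) + h
    exts = ext(SNI_EXT, struct.pack("!H", len(name_list)) + name_list)
    if with_ech:
        exts += ext(ECH_EXT, b"\x00" * 8)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

For an ECH handshake the only hostname the function can report is the outer name, cloudflare-ech.com, so an inspection rule keyed on that name cannot tell one ECH-enabled Cloudflare site from another.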