Testing ech

android-test-app/build.gradle.kts

@@ -9,7 +9,9 @@ plugins {
 }
 
 android {
-  compileSdk = 36
+  compileSdk {
+    version = preview("CANARY")
+  }
 
   namespace = "okhttp.android.testapp"
 

android-test/build.gradle.kts

@@ -7,7 +7,9 @@ plugins {
 }
 
 android {
-  compileSdk = 36
+  compileSdk {
+    version = preview("CANARY")
+  }
 
   namespace = "okhttp.android.test"
 
@@ -38,7 +40,7 @@ android {
   }
 
   testOptions {
-    targetSdk = 34
+    targetSdk = 37
     unitTests.isIncludeAndroidResources = true
   }
 
@@ -101,6 +103,9 @@ dependencies {
   androidTestImplementation(libs.square.moshi.kotlin)
   androidTestImplementation(libs.square.okio.fakefilesystem)
 
+  //noinspection UseTomlInstead
+  androidTestImplementation("dnsjava:dnsjava:3.6.4")
+
   androidTestImplementation(libs.androidx.test.runner)
   androidTestImplementation(libs.junit.jupiter.api)
   androidTestImplementation(libs.junit5android.core)

android-test/src/androidTest/java/okhttp/android/test/EchTest.kt

@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2026 OkHttp Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package okhttp.android.test
+
+import assertk.assertThat
+import assertk.assertions.isNotNull
+import assertk.assertions.matchesPredicate
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.Response
+import org.junit.jupiter.api.Test
+
+class EchTest {
+
+  @Test
+  fun testHttpsRequest() {
+    val client: OkHttpClient =
+      OkHttpClient
+        .Builder()
+        .build()
+
+    val cloudflareEchBody =
+      client.sendRequest(Request.Builder().url("https://cloudflare-ech.com/").build()) {
+        it.body.string()
+      }
+    assertThat(cloudflareEchBody).matchesPredicate { it.contains("ECH enabled") }
+
+    val cloudflareBody = client.sendRequest(
+      Request.Builder().url("https://crypto.cloudflare.com/cdn-cgi/trace").build()
+    ) {
+      it.body.string()
+    }
+    assertThat(cloudflareBody).matchesPredicate { it.contains("ECH enabled") }
+
+    val tlsEchBody = client.sendRequest(Request.Builder().url("https://tls-ech.dev/").build()) {
+      it.body.string()
+    }
+    assertThat(tlsEchBody).matchesPredicate { it.contains("ECH enabled") }
+  }
+
+  private fun <T> OkHttpClient.sendRequest(request: Request, fn: (Response) -> T): T {
+    val response = newCall(request).execute()
+
+    assertThat(response.handshake?.echConfig).isNotNull()
+
+    return response.use {
+      fn(it)
+    }
+  }
+}

android-test/src/main/AndroidManifest.xml

@@ -4,6 +4,6 @@
   <uses-permission android:name="android.permission.INTERNET" />
   <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
 
-  <application android:usesCleartextTraffic="true" tools:targetApi="m"/>
+  <application android:usesCleartextTraffic="true" tools:targetApi="m" android:networkSecurityConfig="@xml/network_security_config"/>
 
 </manifest>

android-test/src/main/res/xml/network_security_config.xml

@@ -2,4 +2,10 @@
 <network-security-config>
   <base-config cleartextTrafficPermitted="false">
   </base-config>
-</network-security-config>
+  <domain-config>
+    <domain includeSubdomains="true">cloudflare-ech.com</domain>
+    <domain includeSubdomains="true">crypto.cloudflare.com</domain>
+    <domain includeSubdomains="true">tls-ech.dev</domain>
+    <domainEncryption mode="opportunistic"/>
+  </domain-config>
+</network-security-config>

android-test/src/test/kotlin/okhttp/android/test/AndroidSocketAdapterTest.kt

@@ -58,7 +58,12 @@ class AndroidSocketAdapterTest(
     val sslSocket = socketFactory.createSocket() as SSLSocket
     assertTrue(adapter.matchesSocket(sslSocket))
 
-    adapter.configureTlsExtensions(sslSocket, null, listOf(HTTP_2, HTTP_1_1))
+    adapter.configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(HTTP_2, HTTP_1_1)
+    )
     // not connected
     assertNull(adapter.getSelectedProtocol(sslSocket))
   }
@@ -89,7 +94,12 @@ class AndroidSocketAdapterTest(
       object : DelegatingSSLSocket(context.socketFactory.createSocket() as SSLSocket) {}
     assertFalse(adapter.matchesSocket(sslSocket))
 
-    adapter.configureTlsExtensions(sslSocket, null, listOf(HTTP_2, HTTP_1_1))
+    adapter.configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(HTTP_2, HTTP_1_1)
+    )
     // not connected
     assertNull(adapter.getSelectedProtocol(sslSocket))
   }

gradle.properties

@@ -21,3 +21,5 @@ org.gradle.jvmargs='-Dfile.encoding=UTF-8'
 # AGP 9.0 Settings
 android.builtInKotlin=true
 android.newDsl=true
+
+android.suppressUnsupportedCompileSdk=CANARY

mockwebserver/src/main/kotlin/mockwebserver3/MockWebServer.kt

@@ -473,7 +473,12 @@ public class MockWebServer : Closeable {
           openClientSockets.add(sslSocket)
 
           if (protocolNegotiationEnabled) {
-            Platform.get().configureTlsExtensions(sslSocket, null, protocols)
+            Platform.get().configureTlsExtensions(
+              call = null,
+              sslSocket = sslSocket,
+              hostname = null,
+              protocols = protocols,
+            )
           }
 
           sslSocket.startHandshake()

mockwebserver/src/test/java/mockwebserver3/internal/http2/Http2Server.kt

@@ -82,7 +82,12 @@ class Http2Server(
         true,
       ) as SSLSocket
     sslSocket.useClientMode = false
-    Platform.get().configureTlsExtensions(sslSocket, null, listOf(Protocol.HTTP_2))
+    Platform.get().configureTlsExtensions(
+      call = null,
+      sslSocket = sslSocket,
+      hostname = null,
+      protocols = listOf(Protocol.HTTP_2),
+    )
     sslSocket.startHandshake()
     return sslSocket
   }

okhttp/api/android/okhttp.api

@@ -485,6 +485,10 @@ public abstract interface class okhttp3/Dns {
 public final class okhttp3/Dns$Companion {
 }
 
+public abstract interface class okhttp3/EchAware {
+	public abstract fun getHostRecords (Ljava/lang/String;)Lokio/ByteString;
+}
+
 public abstract class okhttp3/EventListener {
 	public static final field Companion Lokhttp3/EventListener$Companion;
 	public static final field NONE Lokhttp3/EventListener;
@@ -575,6 +579,7 @@ public final class okhttp3/Handshake {
 	public fun equals (Ljava/lang/Object;)Z
 	public static final fun get (Ljavax/net/ssl/SSLSession;)Lokhttp3/Handshake;
 	public static final fun get (Lokhttp3/TlsVersion;Lokhttp3/CipherSuite;Ljava/util/List;Ljava/util/List;)Lokhttp3/Handshake;
+	public final fun getEchConfig ()Lokhttp3/ech/EchConfig;
 	public fun hashCode ()I
 	public final fun localCertificates ()Ljava/util/List;
 	public final fun localPrincipal ()Ljava/security/Principal;
@@ -940,6 +945,7 @@ public class okhttp3/OkHttpClient : okhttp3/Call$Factory, okhttp3/WebSocket$Fact
 	public final fun fastFallback ()Z
 	public final fun followRedirects ()Z
 	public final fun followSslRedirects ()Z
+	public final fun getEchModeConfiguration ()Lokhttp3/ech/EchModeConfiguration;
 	public final fun hostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
 	public final fun interceptors ()Ljava/util/List;
 	public final fun minWebSocketMessageToCompress ()J
@@ -954,6 +960,7 @@ public class okhttp3/OkHttpClient : okhttp3/Call$Factory, okhttp3/WebSocket$Fact
 	public final fun proxySelector ()Ljava/net/ProxySelector;
 	public final fun readTimeoutMillis ()I
 	public final fun retryOnConnectionFailure ()Z
+	public final fun setEchModeConfiguration (Lokhttp3/ech/EchModeConfiguration;)V
 	public final fun socketFactory ()Ljavax/net/SocketFactory;
 	public final fun sslSocketFactory ()Ljavax/net/ssl/SSLSocketFactory;
 	public final fun webSocketCloseTimeout ()I
@@ -1312,3 +1319,44 @@ public abstract class okhttp3/WebSocketListener {
 	public fun onOpen (Lokhttp3/WebSocket;Lokhttp3/Response;)V
 }
 
+public final class okhttp3/ech/EchConfig {
+	public fun <init> (Lokio/ByteString;)V
+	public final fun component1 ()Lokio/ByteString;
+	public final fun copy (Lokio/ByteString;)Lokhttp3/ech/EchConfig;
+	public static synthetic fun copy$default (Lokhttp3/ech/EchConfig;Lokio/ByteString;ILjava/lang/Object;)Lokhttp3/ech/EchConfig;
+	public fun equals (Ljava/lang/Object;)Z
+	public final fun getConfig ()Lokio/ByteString;
+	public fun hashCode ()I
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class okhttp3/ech/EchMode : java/lang/Enum {
+	public static final field Companion Lokhttp3/ech/EchMode$Companion;
+	public static final field Disabled Lokhttp3/ech/EchMode;
+	public static final field FailClosed Lokhttp3/ech/EchMode;
+	public static final field Fallback Lokhttp3/ech/EchMode;
+	public static final field Opportunistic Lokhttp3/ech/EchMode;
+	public static final field Strict Lokhttp3/ech/EchMode;
+	public static final field Unspecified Lokhttp3/ech/EchMode;
+	public final fun getAttempt ()Z
+	public static fun getEntries ()Lkotlin/enums/EnumEntries;
+	public final fun getFallback ()Z
+	public final fun getRequire ()Z
+	public static fun valueOf (Ljava/lang/String;)Lokhttp3/ech/EchMode;
+	public static fun values ()[Lokhttp3/ech/EchMode;
+}
+
+public final class okhttp3/ech/EchMode$Companion {
+}
+
+public abstract interface class okhttp3/ech/EchModeConfiguration {
+	public static final field Companion Lokhttp3/ech/EchModeConfiguration$Companion;
+	public abstract fun applyEch (Ljavax/net/ssl/SSLSocket;Lokhttp3/ech/EchMode;Ljava/lang/String;Lokhttp3/Dns;)V
+	public abstract fun echMode (Ljava/lang/String;)Lokhttp3/ech/EchMode;
+	public fun isEchConfigError (Ljavax/net/ssl/SSLException;)Z
+}
+
+public final class okhttp3/ech/EchModeConfiguration$Companion {
+	public final fun getUnspecified ()Lokhttp3/ech/EchModeConfiguration;
+}
+

okhttp/api/jvm/okhttp.api

@@ -485,6 +485,10 @@ public abstract interface class okhttp3/Dns {
 public final class okhttp3/Dns$Companion {
 }
 
+public abstract interface class okhttp3/EchAware {
+	public abstract fun getHostRecords (Ljava/lang/String;)Lokio/ByteString;
+}
+
 public abstract class okhttp3/EventListener {
 	public static final field Companion Lokhttp3/EventListener$Companion;
 	public static final field NONE Lokhttp3/EventListener;
@@ -575,6 +579,7 @@ public final class okhttp3/Handshake {
 	public fun equals (Ljava/lang/Object;)Z
 	public static final fun get (Ljavax/net/ssl/SSLSession;)Lokhttp3/Handshake;
 	public static final fun get (Lokhttp3/TlsVersion;Lokhttp3/CipherSuite;Ljava/util/List;Ljava/util/List;)Lokhttp3/Handshake;
+	public final fun getEchConfig ()Lokhttp3/ech/EchConfig;
 	public fun hashCode ()I
 	public final fun localCertificates ()Ljava/util/List;
 	public final fun localPrincipal ()Ljava/security/Principal;
@@ -939,6 +944,7 @@ public class okhttp3/OkHttpClient : okhttp3/Call$Factory, okhttp3/WebSocket$Fact
 	public final fun fastFallback ()Z
 	public final fun followRedirects ()Z
 	public final fun followSslRedirects ()Z
+	public final fun getEchModeConfiguration ()Lokhttp3/ech/EchModeConfiguration;
 	public final fun hostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
 	public final fun interceptors ()Ljava/util/List;
 	public final fun minWebSocketMessageToCompress ()J
@@ -953,6 +959,7 @@ public class okhttp3/OkHttpClient : okhttp3/Call$Factory, okhttp3/WebSocket$Fact
 	public final fun proxySelector ()Ljava/net/ProxySelector;
 	public final fun readTimeoutMillis ()I
 	public final fun retryOnConnectionFailure ()Z
+	public final fun setEchModeConfiguration (Lokhttp3/ech/EchModeConfiguration;)V
 	public final fun socketFactory ()Ljavax/net/SocketFactory;
 	public final fun sslSocketFactory ()Ljavax/net/ssl/SSLSocketFactory;
 	public final fun webSocketCloseTimeout ()I
@@ -1311,3 +1318,44 @@ public abstract class okhttp3/WebSocketListener {
 	public fun onOpen (Lokhttp3/WebSocket;Lokhttp3/Response;)V
 }
 
+public final class okhttp3/ech/EchConfig {
+	public fun <init> (Lokio/ByteString;)V
+	public final fun component1 ()Lokio/ByteString;
+	public final fun copy (Lokio/ByteString;)Lokhttp3/ech/EchConfig;
+	public static synthetic fun copy$default (Lokhttp3/ech/EchConfig;Lokio/ByteString;ILjava/lang/Object;)Lokhttp3/ech/EchConfig;
+	public fun equals (Ljava/lang/Object;)Z
+	public final fun getConfig ()Lokio/ByteString;
+	public fun hashCode ()I
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class okhttp3/ech/EchMode : java/lang/Enum {
+	public static final field Companion Lokhttp3/ech/EchMode$Companion;
+	public static final field Disabled Lokhttp3/ech/EchMode;
+	public static final field FailClosed Lokhttp3/ech/EchMode;
+	public static final field Fallback Lokhttp3/ech/EchMode;
+	public static final field Opportunistic Lokhttp3/ech/EchMode;
+	public static final field Strict Lokhttp3/ech/EchMode;
+	public static final field Unspecified Lokhttp3/ech/EchMode;
+	public final fun getAttempt ()Z
+	public static fun getEntries ()Lkotlin/enums/EnumEntries;
+	public final fun getFallback ()Z
+	public final fun getRequire ()Z
+	public static fun valueOf (Ljava/lang/String;)Lokhttp3/ech/EchMode;
+	public static fun values ()[Lokhttp3/ech/EchMode;
+}
+
+public final class okhttp3/ech/EchMode$Companion {
+}
+
+public abstract interface class okhttp3/ech/EchModeConfiguration {
+	public static final field Companion Lokhttp3/ech/EchModeConfiguration$Companion;
+	public abstract fun applyEch (Ljavax/net/ssl/SSLSocket;Lokhttp3/ech/EchMode;Ljava/lang/String;Lokhttp3/Dns;)V
+	public abstract fun echMode (Ljava/lang/String;)Lokhttp3/ech/EchMode;
+	public fun isEchConfigError (Ljavax/net/ssl/SSLException;)Z
+}
+
+public final class okhttp3/ech/EchModeConfiguration$Companion {
+	public final fun getUnspecified ()Lokhttp3/ech/EchModeConfiguration;
+}
+

okhttp/build.gradle.kts

@@ -55,9 +55,11 @@ kotlin {
   jvm {
   }
 
-  androidLibrary {
+  android {
     namespace = "okhttp.okhttp3"
-    compileSdk = 36
+    compileSdk {
+      version = preview("CANARY")
+    }
     minSdk = 21
 
     androidResources {
@@ -121,6 +123,9 @@ kotlin {
         compileOnly(libs.conscrypt.openjdk)
         implementation(libs.androidx.annotation)
         implementation(libs.androidx.startup.runtime)
+
+        //noinspection UseTomlInstead
+        implementation("dnsjava:dnsjava:3.6.4")
       }
     }