From c641ea4f9b4f09af34fa7357e130651f39710871 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Sun, 30 Nov 2025 09:44:20 +0100 Subject: [PATCH] DOC: configuration: ECH support details Specify which OpenSSL branch is supported and that AWS-LC is not supported. Must be backported to 3.3. --- doc/configuration.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 5187c67d1..173acf321 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16941,9 +16941,10 @@ ech [ EXPERIMENTAL ] See https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ This is an experimental feature, which requires the - "expose-experimental-directives" option in the global section. It also - necessitates an OpenSSL version that supports ECH, and HAProxy must be - compiled with USE_ECH=1. + "expose-experimental-directives" option in the global section. + It also necessitates an OpenSSL version that supports ECH + ( https://github.com/openssl/openssl/tree/feature/ech), and HAProxy must be + compiled with USE_ECH=1. The ECH API of AWS-LC is not supported. Example: $ openssl ech -public_name foobar.com -out /etc/haproxy/echkeydir/foobar.com.ech
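Review bot: The added line "( https://github.com/openssl/openssl/tree/feature/ech), and HAProxy must be" has a stray space after the opening parenthesis. The sentence also still reads "an OpenSSL version that supports ECH" while the link points at a feature branch. Since the commit message says the goal is to specify which OpenSSL branch is supported, consider naming it in the text, for example "It also necessitates OpenSSL built from the feature/ech branch (https://github.com/openssl/openssl/tree/feature/ech)", so it is clear whether a release or only that branch is meant. The new sentence "The ECH API of AWS-LC is not supported." comes after the USE_ECH=1 clause; placing it directly after the OpenSSL requirement would keep the two library constraints together.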