ERR_ECH_REQUIRED — rare error (Chrome 123+): server signals it requires ECH (Encrypted Client Hello, RFC 9460) for the connection, but client either does not support it or did not get ECHConfig from DNS HTTPS RR. ECH encrypts SNI + ALPN in TLS 1.3 — privacy of browsing history from corporate proxies.
Below: causes, fixes, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
The ERR_ECH_REQUIRED error indicates that the server requires the use of Encrypted Client Hello (ECH) for secure connections, and your browser does not support this feature. To resolve this issue, ensure that your browser is updated to the latest version, or switch to a different browser that supports ECH, such as recent versions of Chrome or Firefox. If you are managing the server, ensure that ECH is properly configured in your server settings.
Encrypted Client Hello (ECH) is an extension of the TLS protocol that enhances privacy by encrypting the initial handshake data sent from the client to the server. This is crucial in preventing eavesdropping and tampering during the connection setup phase. ECH is particularly relevant as more organizations adopt privacy-focused practices, and it is supported by several modern web browsers.
When a user attempts to establish a secure connection without ECH support, the server may respond with the ERR_ECH_REQUIRED error. This typically occurs when the server is configured to require ECH for all incoming connections, which can be a common practice among websites that prioritize user privacy and data security.
With ECH, the client's initial handshake is encrypted, allowing sensitive information such as the hostname being accessed to remain confidential. Here’s a simplified overview of the ECH handshake process:
Because of this encryption, traditional network monitoring methods cannot easily inspect the contents of the handshake, thus enhancing privacy.
To avoid the ERR_ECH_REQUIRED error and ensure that your server supports ECH, you need to configure your web server appropriately. Below is an example configuration for Nginx, which has been updated to support ECH:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private.key;
# Enable ECH
ssl_conf_command ECH on;
location / {
proxy_pass http://backend;
}
}In this example, the `ssl_conf_command ECH on;` directive enables ECH support on your Nginx server. Make sure to replace `/path/to/certificate.crt` and `/path/to/private.key` with the actual paths to your SSL certificate and private key.
For Apache servers, the configuration would look like this:
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
# Enable ECH
ECH on;
</VirtualHost>Once you have updated your server configurations, restart the server to apply the changes. Ensure that your clients are also using browsers that support ECH to avoid the ERR_ECH_REQUIRED error.
For testing ECH support, you can use tools like ECH.dev to verify if your server is correctly configured and can handle ECH requests. This proactive approach will help mitigate potential connectivity issues for users accessing your site.
The ERR_ECH_REQUIRED error occurs when a web server requires Encrypted Client Hello (ECH) support, but the client (browser) does not support it. To resolve this issue, ensure that your browser is updated to the latest version that supports ECH, or configure your server to disable ECH if it's not necessary for your use case.
When encountering the ERR_ECH_REQUIRED error, it's essential to identify the browser and its version, as ECH support varies across different platforms. Below are some troubleshooting steps tailored for popular browsers:
chrome://settings/help.about:support.edge://settings/help.If all browsers are updated and the error persists, consider testing in incognito mode to rule out extensions that might interfere with ECH.
To effectively handle the ERR_ECH_REQUIRED error, proper server configuration is crucial. Implementing ECH involves updating your server's TLS settings. Here’s a practical example using Nginx:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/certificate.pem;
ssl_certificate_key /path/to/private.key;
ssl_protocols TLSv1.3;
ssl_early_data on;
ssl_ecdh_curve X25519:secp256r1;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# Enable ECH
ssl_ech on;
}
In this configuration:
ssl_ech directive to on to enable ECH support.After making these changes, test your configuration using tools like SSL Labs to verify ECH support. If the test indicates that ECH is not supported, double-check your server and client configurations.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeCloudflare ECH enabled on millions of sites (default if HTTPS RR present). Chrome 115+ supports. Firefox 118+. Safari 17+.
Traditional TLS leaks SNI (domain) to middleboxes. ECH hides SNI — privacy for https://adult-site or https://politicsafe.
Some countries (Russia, China) block or filter ECH traffic. If domain blocked — ECH helps only partially.
browsers.cloudflare.com/ech — online test. <code>curl --ech</code> in future.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.