Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tlsconfig: Add support for configuring use of PQ KEMs during TLS handshake #294

Closed
wants to merge 3 commits into from

Conversation

hlandau
Copy link

@hlandau hlandau commented Aug 6, 2024

This adds a new option to spiffetls/tlsconfig which enables the opportunistic or mandatory use of a post-quantum-safe TLS KEM to be configured. This leverages the addition of the X25519Kyber768Draft00 TLS KEM to Go 1.23 and depends on that support in order to be useful.

This is useful for SPIFFE Workload API clients, though the intention is also to use this in SPIRE as it is cleaner than simply performing process-global manipulation of GODEBUG.

Signed-off-by: Hugo Landau <[email protected]>
@hlandau
Copy link
Author

hlandau commented Aug 7, 2024

@amartinezfayo Updated. Needs CI approval again. I've run this through CI myself now so hopefully you won't have to keep pressing it.

@hlandau hlandau marked this pull request as ready for review August 8, 2024 08:47
@azdagron
Copy link
Member

azdagron commented Aug 8, 2024

Thank you for the contribution, @hlandau.

The tlsconfig package is considered a fairly "low level" package for covering the basic TLS configuration required for SPIFFE auth. There are many, many ways in which callers might want to customize TLS configuration and adding a knob for each of those ways isn't practical. As such, the bar for adding an option or function to this package is pretty high, generally granted only for SPIFFE-related features and controls, or features that would benefit a large number of users.

Considering this change requires go1.23 to benefit, and considering that go1.23 (by default unless disabled through an ENVVAR) automatically enables the Kyber curve by default (unless SupportedCurves is overridden), this option doesn't feel like it meets the bar.

Typically consumers of the tlsconfig package who need customization write their own routines that invoke the tlsconfig package to get a base configuration and then apply the customizations. Is this sufficient for your use case?

@hlandau
Copy link
Author

hlandau commented Aug 9, 2024

Makes sense & seems reasonable. This PR is supporting work on SPIRE so the code in question can be moved over into a unified PR against https://github.com/spiffe/spire, which is logistically easier in any case.

Thanks.

@hlandau hlandau closed this Aug 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants