Enable the post-quantum x25519+ML-KEM-768 TLS 1.3 ciphersuite by default #4305
Conversation
randombit
force-pushed
the
jack/enable-pqc
branch
from
503d8df to
ee8f6c0
Compare
There was a problem hiding this comment.
🚀 Nice! The PQ-era is here!
As a side note: This points at an open tech debt regarding the management of ciphersuites (also noted for a long time in #2990). As it is now, there's a lot of if {} else if {} else scattered around many places in the TLS implementation. Whenever algorithms are added, there's a lot of potential to miss something.
|
Something is wrong - I know I tested that our client connecting to our server would negotiate Kyber (highly relevant since Botan being on both sides of the connection is very common) but now this doesn't work .... |
|
Oh I see. I tested us<->us in my initial attempt which put Kyber at the absolute top of the preference list. However I realized later this caused us to send a large keyshare that is ignored much of the time, which is non-optimal. But it seems - unlike the stacks in |
|
OK I think we just need to adjust the logic in |
... I was about to say that. Currently, the code there optimizes for round-trips and avoids sending a HelloRetryRequest whenever it can. I.e.: it will go for the non-PQ group if it is offered and fits with our supported groups. |
|
I'll take a look at that BoringSSL and co do here. I expect it looks something like a 2-tier selection
|
Sounds reasonable to me as a default policy. I was thinking to propose an additional policy setting like |
|
|
|
OTOH we already have a lot of fucking policy toggles 😅 |
randombit
force-pushed
the
jack/enable-pqc
branch
from
18b58a2 to
83a05cc
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
3 times, most recently
from
ec0d301 to
a354031
Compare
randombit
changed the title
randombit
force-pushed
the
jack/enable-pqc
branch
2 times, most recently
from
7d241d6 to
9a1a4d8
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
from
9a1a4d8 to
2ea7092
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
from
2ea7092 to
5cd6c61
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
3 times, most recently
from
0956fe7 to
f48192c
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
2 times, most recently
from
75f32bb to
c5fbcba
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
from
d9ca4c6 to
19f3479
Compare
This adjusts the default logic for both which groups to offer and which group to select during negotiation. For offering, we send the first pure ECC group in the preference list. This avoids sending large PQ shares to servers that don't support them. If the client for whatever reason does not have any pure ECC groups, then we send a share of whatever their top preference is. On the server side, if the client indicated support for any mutually supported PQ algorithm, we always select it, even if the client sent some other type of keyshare. Previously we would always prefer to select a group that the client sent a share of, to reduce round trips. This also rearranges the default list, and removes some of the most expensive FFDHE groups. Expose which group was used for key exchange in the Session_Summary, since otherwise there is no way to know if PQ exchange occurred or not. Co-authored-by: René Meusel <[email protected]>
Tested with cloudflare.com, google.com and ourselves.
This adjusts the default logic for both which groups to offer and which group to select during negotiation.
For offering, we send the first pure ECC group in the preference list. This avoids sending large PQ shares to servers that don't support them. If the client for whatever reason does not have any pure ECC groups, then we send a share of whatever their top preference is.
On the server side, if the client indicated support for any mutually supported PQ algorithm, we always select it, even if the client sent some other type of keyshare. Previously we would always prefer to select a group that the client sent a share of, to reduce round trips.