traefik icon indicating copy to clipboard operation
traefik copied to clipboard
Published 1 week ago verified publisher icon traefik

Post-Quantum Key Exchange support for HTTPS

Open fzoli opened this issue 1 year ago • 3 comments

Welcome!

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

There is a new algorithm called X25519Kyber768.

My Chrome browser supports it, but it selects X25519AES128GCM instead. I tested it with Traefik 3.0.1 (Docker version). So I assume Traefik does not support it right now.

It would be cool to support a Post-Quantum safe algorithm. :)

fzoli avatar May 23 '24 20:05 fzoli

Well.

I found this article: https://blog.cloudflare.com/experiment-with-pq/

Cloudflare has a Go fork that supports Kyber.

Relevant code in crypto/tls/cfkem.go:

var (
	X25519Kyber512Draft00    = CurveID(0xfe30)
	X25519Kyber768Draft00    = CurveID(0x6399)
)

I compiled it on my machine to use it to build Traefik.

In the Traefik project there is a certificate.go file in the tls module.

I added the curve IDs:

	CurveIDs = map[string]tls.CurveID{
		`secp256r1`:             tls.CurveP256,
		`CurveP256`:             tls.CurveP256,
		`secp384r1`:             tls.CurveP384,
		`CurveP384`:             tls.CurveP384,
		`secp521r1`:             tls.CurveP521,
		`CurveP521`:             tls.CurveP521,
		`x25519`:                tls.X25519,
		`X25519`:                tls.X25519,
		`X25519Kyber512Draft00`: tls.X25519Kyber512Draft00, // <<-- added
		`X25519Kyber768Draft00`: tls.X25519Kyber768Draft00, // <<-- added
	}

Then I compiled Traefik with cfgo and created a new Docker image based on the alpine one.

It seems to work with Chrome browser. Of course it is not production ready, but at least I can play with it.

fzoli avatar May 24 '24 22:05 fzoli

Hello @fzoli and thanks for your interest in Traefik,

Sure this is something we will likely support as soon as the Go library supports it, see https://github.com/golang/go/issues/64537

kevinpollet avatar May 27 '24 13:05 kevinpollet

Nice work, im looking to test this aswell, now that i know it can be done ill look in to it. X25519 is already supported in 3.0.0 lets see if the Kyber part can be added tooo

Night1 avatar May 28 '24 13:05 Night1

Go 1.24.0 finally introduces native support for a PQ algorithm! We now have support for X25519MLKEM768.

I’ve already tested this locally and can confirm that it works perfectly.

If there's still interest in using a PQ algorithm and we're ready to bump the Go dependency to 1.24.0, I'd be happy to open a PR for it.

Proto1337 avatar Feb 28 '25 16:02 Proto1337

Cool. Yes, I have already tested Traefik using X25519MLKEM768 (with a forked version of Traefik using prebuilt Go from main) in december. It works well :) Finally we will able to use this from the original source. ^^

fzoli avatar Feb 28 '25 18:02 fzoli

Cool, I wasn’t sure if this was already on your radar. Out of curiosity, I tested this today myself on a forked version using Go 1.24.0 and confirmed that it works.

I recently migrated to Traefik. Seeing how quickly PQ cryptography is being adopted now reassures me that I made the right decision. :)

Proto1337 avatar Feb 28 '25 18:02 Proto1337

Hey there,

We're on it, you can follow-up on the evolution on the issue #11532.

nmengin avatar Mar 03 '25 14:03 nmengin