Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-100953

yggdrasil fails TLS connection with a post-quantum key exchange

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • rhel-10.1
    • rhel-10.1
    • yggdrasil
    • None
    • yggdrasil-0.4.8-2.el10
    • No
    • Important
    • subs-client-tools
    • 5
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Per testing task RHELMISC-11986 post-quantum cryptography in TLS, I discovered that yggdrasil-0.4.6-1.el10.x86_64 failed to connect to a server capable of post-quantum crytography.  Instead of connecting with a desirable X25519MLKEM768 key exhange, x25519:secp256r1:secp384r1:secp521r was the best it could do with an RSA certificate and failed to even parse a ML-DSA certificate key.

      Solution: Rebuild yggdrasil with go version 1.24, as suggested in https://pkg.go.dev/crypto/tls#pkg-overview...

      	// From Go 1.24, the default includes the [X25519MLKEM768] hybrid
	// post-quantum key exchange.

      The steps to reproduce the testing failure are in this RHELMISC-11986 comment.

              rh-ee-jajerome Jason Jerome
              jsefler John Sefler
              CSI Client Tools Bugs Bot CSI Client Tools Bugs Bot
              John Sefler John Sefler
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: