Bug
Resolution: Not a Bug
rhel-10.1
Important
rhel-virt-core-libvirt-1
All
What were you trying to do that didn't work?
Use post-quantum TLS 1.3 X25519MLKEM768 signature exchange with Libvirt
What is the impact of this issue to you?
Less secure signature exchange
Please provide the package NVR for which the bug is seen:
libvirt-11.4.0-1.el10.s390x
crypto-policies-20250602-1.gita6d4d0c.el10.noarch
openssl-3.5.0-8.el10.s390x
gnutls-3.8.9-16.el10.s390
How reproducible is this bug?:
100%
Steps to reproduce
- Confirm the default crypto policy is active
  server# update-crypto-policies --show
  DEFAULT
- (optional) Confirm ML-KEM signature and TLS 1.3 are supported
  server# cat /etc/share/crypto-policies/policies/DEFAULT.pol
  ...
  group = X25519-MLKEM768 P256-MLKEM768 P384-MLKEM1024 MLKEM768-X25519
  ...
  protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
- Set up TLS as usual on the server side and the client side and confirm you can connect the client (virsh) to the server successfully; note the port that's used, e.g. 16514
- Use openssl to establish a client connection
  openssl s_client -connect <server_ip>:16514 -CAfile /etc/pki/CA/cacert.pem </dev/null
Expected results
Negotiated TLS1.3 group: X25519MLKEM768
is in the output
Actual results
No such message is in the output; we can see the following lines, which apparently confirm that the key exchange is not used:
...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
...
Additional info
Libvirt uses GnuTLS
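The following script is an added example and is not part of the bug report, of libvirt or of OpenSSL. It automates the two checks the reporter did by hand: whether the active crypto-policies file lists an ML-KEM hybrid group, and what an openssl s_client transcript shows was actually negotiated. The "Negotiated TLS1.3 group:" line is what OpenSSL 3.5 s_client prints on a TLS 1.3 handshake; when it is absent the script falls back to the "Server Temp Key:" line, which is what the reporter's actual output contains. The probe() wrapper takes the host, port and CA file from the report's command line and is the only part that needs a live libvirtd; the policy excerpt and both transcripts below are constructed from the excerpts quoted in the report, not captured live.

```shell
#!/bin/sh
# Added example (not from the bug report, libvirt or OpenSSL): classify what an
# "openssl s_client" run negotiated and check the crypto-policies group list.

# policy_has_mlkem: read a crypto-policies .pol file on stdin; succeed when its
# "group =" line names at least one ML-KEM hybrid group.
policy_has_mlkem() {
  grep '^group *=' | grep -q 'MLKEM'
}

# negotiated_group: read an s_client transcript on stdin and print the group
# from the "Negotiated TLS1.3 group:" line OpenSSL 3.5 emits, or nothing when
# no such line is present (TLS 1.2, or an older s_client).
negotiated_group() {
  sed -n 's/^Negotiated TLS1.3 group: *//p' | head -n 1
}

# classify_transcript: read a transcript on stdin and print one of
#   pq:<group>         a hybrid ML-KEM group was negotiated
#   classical:<group>  TLS 1.3 with a classical (EC)DH group
#   legacy:<keytype>   no group line at all; fall back to "Server Temp Key",
#                      which is the situation the report's actual output shows
classify_transcript() {
  transcript=$(cat)
  group=$(printf '%s\n' "$transcript" | negotiated_group)
  if [ -n "$group" ]; then
    case "$group" in
      *MLKEM*) printf 'pq:%s\n' "$group" ;;
      *)       printf 'classical:%s\n' "$group" ;;
    esac
    return 0
  fi
  keytype=$(printf '%s\n' "$transcript" \
    | sed -n 's/^Server Temp Key: *\([^,]*\).*/\1/p' | head -n 1)
  printf 'legacy:%s\n' "${keytype:-unknown}"
}

# probe HOST PORT CAFILE: the report's s_client invocation piped into the
# classifier, e.g. probe 192.0.2.10 16514 /etc/pki/CA/cacert.pem (assumed
# values). Needs a reachable libvirtd, so the offline demo below skips it.
probe() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
    | classify_transcript
}

# Constructed inputs, assembled from the excerpts quoted in the report.
POLICY_EXCERPT='group = X25519-MLKEM768 P256-MLKEM768 P384-MLKEM1024 MLKEM768-X25519
protocol@TLS = TLS1.3 TLS1.2 DTLS1.2'

# The line the reporter expected to find.
TRANSCRIPT_EXPECTED='Negotiated TLS1.3 group: X25519MLKEM768'

# The lines the reporter actually saw.
TRANSCRIPT_ACTUAL='Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$POLICY_EXCERPT" | policy_has_mlkem \
    && echo "policy: ML-KEM hybrid group present"
  printf '%s\n' "$TRANSCRIPT_EXPECTED" | classify_transcript
  printf '%s\n' "$TRANSCRIPT_ACTUAL" | classify_transcript
fi
```

Run it with --demo to see the two constructed transcripts classified as pq:X25519MLKEM768 and legacy:X25519; against a real host, replace the demo with a probe call. The split between the policy check and the transcript check matters because a policy that enables a group only tells you what the client side (here, OpenSSL) will offer, while the transcript shows what the GnuTLS-based libvirt server actually accepted.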