Post-quantum key agreement X25519Kyber768 disabled in Go 1.23 #6540
Comments
|
I agree that it would be good if Caddy could offer post-quantum cryptography support. Ignoring X25519Kyber768 is also not my preferred option. For the benefit of anyone joining the conversation, here is some background information: There is a blog post here explaining why this issue is important, why PQC is being adopted now, and emphasising that adoption is increasingly widespread. Compiling Caddy with Cloudflare's fork of Go results in working PQC, as demonstrated in this walkthrough. This is a result of @bwesterb's PR to Caddy last year. As mentioned at Gophercon UK, it seems that Caddy compiled with Go 1.23 provides no way of accessing the X25519Kyber768 functionality, because it is unexported in the Go runtime. As noted in this issue above, however, it is the default 'curve' for Go 1.23, so allowing a user of Caddy use Go's defaults would give out-of-the-box access to PQC. It seems from looking at the Go source code in 1.22.6 that the Go defaults would be I'm afraid I'm not sure at present what behaviour we should prefer where TLS 1.2 has been specified. Should Caddy's default curves depend on the TLS version in future? In the current implementation the two are not interdependent, but I'm unsure whether that would need to change. |
|
Thanks for opening this discussion!
This sounds logical to me. We currently have a hard-coded default of those which are "fast by design (e.g. X25519) and those for which an optimized assembly implementation exists (e.g. P256)" (so those are the 2 defaults). I think post-quantum key agreements are worth the tradeoff though, especially since it sounds like it will be a temporary restriction where we can't set |
|
Yeah, I assume X25519MLKEM768 when it lands in either 1.24 or 1.25 it'll have a CurveID. I think the current Caddy default is great. P-521 is very much overkill and much slower. But it's not that slow it's a huge DoS vector. I'll fashion a PR. |
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. Cf caddyserver#6540
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf caddyserver#6540
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf caddyserver#6540
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf caddyserver#6540
|
Unfortunately Go 1.23 only enables Kyber if the |
|
We prefer to keep two Go versions supported in Caddy to ease the transition for plugins and users, otherwise users may suddenly be stuck having to upgrade Go before they're otherwise ready to. So I think this should be shelved until 1.24 is out when we can bump Caddy's minimum to 1.23 (i.e. roughly 6 months from now). You can bump it in a fork to 1.23 if you need it though, pretty easy to do and you can still use xcaddy to build. |
You can force it on with The go.mod version just sets the defaults of the GODEBUGs. |
|
Oh nice, if that ^ works, maybe we can accept this change sooner than 1.24. |
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf caddyserver#6540
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf caddyserver#6540
|
Seems to work. Thanks @FiloSottile. |
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf #6540
|
This stopped working as the tlskyber experiment ended. breaks compile with go1.24rc1 |
|
If that's the case, then I guess we can remove the line and just expect 1.23 users to upgrade for the latest features (which is reasonable). I'll commit it soon. |
|
Yeah; we'll just have to do it behind a build tag if we want to continue supporting older versions of Go. @francislavoie @hairyhenderson @carlwgeorge Do we still need to support old versions of Go? It makes cutting edge features tedious, and either we have to deal with that tedium or be 6 months behind. |
|
This will always be a balancing act. The minimum go version determines which platforms can build caddy with the system version of go. The current minimum of 1.22 excludes several prominent distro versions that are still maintained:
Raising that minimum to 1.23 will further exclude:
I understand the desire to raise the minimum go version, my only ask is that the drawbacks are considered and an intentional decision is made. |
Apologies for the drive-by comment, but Go 1.21 shipped a forwards-compatiblity system. In short, if your go.mod says Now, some distributions disable this for ideological reasons (I don't understand why it'd be any different than downloading other go.mod dependencies, but anyway), but it can be reenabled with You could just add that to the build instructions, and enjoy compatibility with any Go 1.21+ system, while picking your schedule to upgrade, and only supporting one version at a time ✨ |
|
Distro build systems typically disable all external downloads during the build process, which limits distro packagers to building with the system version of go. Setting |
|
I think we are talking about two different things: I thought the question was "can people who installed Go through their package manager install Caddy" and I think the answer is yes with I agree that |
|
The question was about setting the minimum version of go allowed to build caddy. I was pointing out that this affects distros that want to ship caddy as a distro package. I'm not talking about people building their own local caddy binary. My comment about I hope distro packages is a target the Caddy project cares about. It's why I participate in Caddy, and likely why @mholt tagged me in this issue. I can't speak for other distros, but in Fedora, CentOS, and RHEL packages are not frozen, there is just care given to how and when they're upgraded. A new minimum version of go sets a hard limit for the distro caddy package. It also causes additional work in the Caddy copr (which I maintain on behalf of the Caddy project). The idea is that the default distro package is pretty current but may lag slightly behind to comply with the update policies of the distro, and users can opt-in to the copr if they absolutely need the latest version without delay. |
|
I see, I think we understand each other now, and I agree My personal opinion is that distros are free to apply the update policies they like, but it should be a given that if the toolchain is old then some of the packages built with it will also be old. Meanwhile backport repos that wish to provide recent packages need some way to use recent toolchains. Otherwise we are pushing extra work (like the work discussed here) onto every upstream project to let non-rolling distros have it both ways. But! This is @mholt's project, not mine, so my opinion is irrelevant and I shall bow out :) |
|
Thanks for chiming in @FiloSottile! I realize I brought this issue off-topic, technically; but I think it's worth finishing the discussion while we're here. We run into this issue (of supporting latest-minus-one Go version) every ~6-12 months, and each time we have to jump through hoops to make the program compile on an older version while releasing new features, which often enhance security/privacy. In this case, the latest Go version offers post-quantum protection, as well as ECH; both are huge privacy benefits that we should start gaining production experience for ASAP. I understand and respect various distro's policies regarding stability and not always jumping into the latest versions of things. Some people consider that a feature. (I do sometimes.) One of our objectives/values is to advance and enhance the state of privacy and security on the Web; so waiting at least 6 months to release features that can do that kind of runs contrary to our objectives. Sure, we can go to extra work to refactor things, put certain code/features behind build tags, try to document that the feature works on the latest versions available at some repositories but not others, then undo it all 6-12 months later... meanwhile having people think they are getting the feature when they're really not because their choice of distro gave them the latest release that ... doesn't have the feature !? After a brief discussion with maintainers on Slack, I think we might just drop the "keep working for 11.9-months-old-Go-versions" thing, and only support the latest version of Go if that's what we need to do in order to efficiently release new features/patches. This means that if someone chooses a distro that values stability and does not offer the latest packages, then they will get a version of Caddy that may be a few months old. But at least it should not look like the latest release since the latest release won't package for those distros until later. Those are the consequences of choosing a distro with those values. One thing I want to do in the future is strive to have more affinity between Caddy version and Go version. I think one step in that process. So, hey, maybe we can get post-quantum and ECH out with 2.9. @francislavoie Are we OK with potentially releasing on a Go RC? (I think I am. That's kind of the point of RC's. We can always release patches later to use the final release.) @carlwgeorge I greatly appreciate your continued maintenance of Caddy packages for our community. We want to continue that, it just might be that in some cases -- and not all, for we don't always use new Go features right away -- Caddy isn't released for a few months on those distros. |
|
@mholt if you mean Caddy RC using Go RC, sure I'm fine with that but if you mean full release of 2.9 I think we should wait until full Go release too. |
|
Fair, I was considering that; the only thing is that very few people, if anyone, use the Caddy pre-releases 😅 I'm actually quite confident in Go's RCs. They recommend using them in production. We can do a 2.9.1 to upgrade to the final Go 1.24 release and include a few of our own fixes with it. But if there is opposition to the idea, then I'm flexible on this. I just know many people (and businesses) waiting for 2.9. Doesn't feel right to stick ECH and post-quantum in 2.9.1... or 2.10, seeing how close it is. |
|
I don't like it because convincing people to use Go RC to make their We have lots of people waiting for 2.9. Do we really need to have this stuff in 2.9? Can't we just do a quick 2.10 once 1.24 is out and we've done enough testing, or something? |
|
That's a good point... Requiring developers, plugin authors, and compiling-from-source users to install a Go RC, which is not a stock Go installation (in package managers, etc), will be surprising and inconvenient to most. We will probably have a lot of pushback in issues and frustrated users who can't build Caddy without upgrading their Go version to a prerelease. Let's go with your idea then. I'll try to get 2.9 out ASAP, and then we can do 2.10 sooner than I had expected. |
Go 1.23 adds support for and enables post-quantum key agreement:
Go 1.23 doesn't expose a CurveID, so setting CurvePreferences (as Caddy does) disables Kyber.
(The reason for not exposing the CurveID, is that X25519Kyber768 is a preliminary key agreement that doesn't use ML-KEM, the final version of Kyber, that wasn't out when X25519Kyber768 was proposed. X25519Kyber768 will be phased out, but that will takes months if not more than a year.)
I see two options.
I prefer the second and am happy to write a PR.
cc @sam-bee @FiloSottile
The text was updated successfully, but these errors were encountered: