Skip to content

disable tls kyber KEX#36791

Merged
jbardin merged 2 commits intov1.11from
jbardin/no-kyber
Mar 28, 2025
Merged

disable tls kyber KEX#36791
jbardin merged 2 commits intov1.11from
jbardin/no-kyber

Conversation

@jbardin
Copy link
Copy Markdown
Member

@jbardin jbardin commented Mar 27, 2025

Disable kyber globally in core. This primarily affects the S3 backend, since the only reported incompatible system was the AWS firewall, and the AWS provider has chosen to disable this option as well. hashicorp/terraform-provider-aws#41740.

There could be other incompatible networks out there still however, and since the X25519Kyber768Draft00 was removed in go1.24, we can just disable it for v1.11 and move on.

Target Release

v1.11

@jbardin jbardin requested a review from a team March 27, 2025 13:44
@jbardin jbardin requested a review from a team as a code owner March 27, 2025 13:44
jar-b
jar-b approved these changes Mar 27, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@jar-b jar-b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@jbardin
Copy link
Copy Markdown
Member Author

jbardin commented Mar 27, 2025

This may also require a toolchain directive to not throw off dependabot, but that also means it's another place to track the go version so I don't want to add it yet if we don't have to.

@yovko
Copy link
Copy Markdown

yovko commented Mar 28, 2025

Unfortunately, Go 1.24 removed X25519Kyber768Draft00 but also the tlskyber setting. See https://tip.golang.org/doc/godebug#go-124

Using godebug tlskyber=0 causes a compilation error with Go 1.24.x. See hashicorp/terraform-provider-aws#41898

@jbardin
Copy link
Copy Markdown
Member Author

jbardin commented Mar 28, 2025

@yovko, yes we are aware. This branch is only built from go1.23 however, which uses this flag.

@jbardin jbardin merged commit 8f16c67 into v1.11 Mar 28, 2025
7 checks passed
@jbardin jbardin deleted the jbardin/no-kyber branch March 28, 2025 15:27
mistressxalexis

This comment was marked as spam.

Sign in to view

@dhirschfeld dhirschfeld mentioned this pull request Apr 9, 2025
Closed
3 tasks
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 28, 2025

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 28, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jar-b jar-b jar-b approved these changes

@SarahFrench SarahFrench SarahFrench approved these changes

+1 more reviewer

@mistressxalexis mistressxalexis mistressxalexis left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jbardin @yovko @jar-b @SarahFrench @mistressxalexis