Skip to content

Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver #1886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver #1886

wants to merge 7 commits into from

Conversation

bwbroersma
Copy link
Collaborator

@bwbroersma bwbroersma commented Oct 4, 2025
edited
Loading

Related:

Pull Request:

  • Uses nginx:1.29.1-alpine3.22 for main proxy instead of previous debian based nginx:1.27.3
    • changed healthcheck from service nginx status to curl -kfsSo/dev/null https://$INTERNETNL_DOMAINNAME --resolve $INTERNETNL_DOMAINNAME:443:127.0.0.1
    • added ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:...
  • Upgraded other nginx:1.27.3-alpine images to nginx:1.29.1-alpine3.22

Result:

openssl s_client -connect 127.0.0.1:443 -servername internet.test -groups X25519MLKEM768 |grep group
Connecting to 127.0.0.1
depth=0 CN=internet.test
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=internet.test
verify return:1
Negotiated TLS1.3 group: X25519MLKEM768

Update: there seems to be a bug regarding fetching the wrong env logs, now that is solved I suspect the health-check is not working because of authentication. There are multiple solutions:

  1. Check if the process is running ps -ef | grep nginx
  2. Port is still used netstat -a | grep 443
  3. Testing sectxt curl https://$INTERNETNL_DOMAINNAME/.well-known/security.txt
  4. Remove the -f flag
  5. Adding optional authentication to the health check

Picked nr. 5 one, since it's actually the most 'full' test, with -f it was actually not just testing the webserver health, but also the app container (which is wrong, since restarting the webserver won't solve any app container issues).

@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from b0cb66f to c5fcc61 Compare October 4, 2025 02:34
@bwbroersma bwbroersma mentioned this pull request Oct 4, 2025
Draft
@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from c5fcc61 to 4cdc10c Compare October 4, 2025 03:31
@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from 4cdc10c to 711f42d Compare October 4, 2025 03:35
@bwbroersma bwbroersma marked this pull request as draft October 4, 2025 12:48
@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from 938b5e7 to 150d9fb Compare October 4, 2025 15:36
@bwbroersma bwbroersma marked this pull request as ready for review October 4, 2025 15:59
@bwbroersma
Rewrite 'service nginx reload' to 'nginx -s reload'
71be444 
    grep -Rl "service nginx reload" | xargs sed -ir 's/service nginx reload/nginx -s reload/'
    make fix
@bwbroersma
Optimize size with apk add --no-cache
eb05457
@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from 1788df9 to eb05457 Compare October 5, 2025 11:59
@mxsasha mxsasha requested a review from aequitas October 7, 2025 08:36
@mxsasha mxsasha changed the title Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 Add post-quantum hybrid ECDHE-MLKEM for TLSv1.3 in our webserver Oct 9, 2025
@bwbroersma
Fixes internetstandards#1884 by overwriting default localhost
a67fb48
@bwbroersma
Fixes internetstandards#1791 by comment out OCSP stapling config
1ba07ae 
- Comment out OCSP stapling.
- Move almost all ssl_ config to one file since OCSP config is also linked to certificate.
  This makes it easier to include this ssl config in a mail-block for a DRY config.
- Change from OpenSSL to IANA cipher naming.
@bwbroersma bwbroersma force-pushed the gh1886-add-post-quantum-hybrid-ecdhe-mlkem branch from f16d2da to 1ba07ae Compare October 9, 2025 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aequitas aequitas Awaiting requested review from aequitas

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bwbroersma