feat(www): optional hybrid PQC key exchange for TLS connections #1004
Conversation
|
Note that the Dockerfile hardcodes liboqs and oqs-provider versions which will fall through the cracks of our usual maintenance/upgrade checks. Not sure how to improve on that. |
|
|
||
| RUN git clone --depth 1 --branch 0.12.0 https://github.com/open-quantum-safe/liboqs.git | ||
| RUN git clone --depth 1 --branch 0.8.0 https://github.com/open-quantum-safe/oqs-provider.git |
There was a problem hiding this comment.
To avoid hard coding these, I would use a build arg. Then you can do something like:
| RUN git clone --depth 1 --branch 0.12.0 https://github.com/open-quantum-safe/liboqs.git | |
| RUN git clone --depth 1 --branch 0.8.0 https://github.com/open-quantum-safe/oqs-provider.git | |
| ARG LIBOQS_VERSION="" | |
| ARG OQSPROVIDER_VERSION="" | |
| RUN if [ -z ${LIBOQS_VERSION} ]; exit 1; fi; | |
| RUN if [ -z ${OQSPROVIDER_VERSION} ]; exit 2; fi; | |
| RUN git clone --depth 1 --branch ${LIBOQS_VERSION} https://github.com/open-quantum-safe/liboqs.git | |
| RUN git clone --depth 1 --branch ${OQSPROVIDER_VERSION} https://github.com/open-quantum-safe/oqs-provider.git |
Then as part of the build step, or if you are using docker compose you can define it in the yaml file, you can define the version you want. The above should cause a build error if the versions aren't defined.
| @@ -1,8 +1,9 @@ | |||
| # According to https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1c&guideline=5.4 | |||
| # According to https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1c&guideline=5.4 and added PQC hybrids support | |||
There was a problem hiding this comment.
I know this is just a comment pointing to a reference, but it should probably be updated to OpenSSL 3.2 at some point.
| # mountable content for web app (remove default stuff in there) | ||
| RUN rm /usr/share/nginx/html/* | ||
| COPY html/503.html /usr/share/nginx/html | ||
| COPY --from=webapp /usr/src/app/dist /usr/share/nginx/html |
There was a problem hiding this comment.
At least the last thing should run last, because it changes most frequently; no need to redo the OpenSSL config when updating webapp contents
|
|
||
| # configure openssl to use OQS provider | ||
| COPY --from=oqs-provider /oqs-provider/_build/lib/oqsprovider.so / | ||
| RUN cat <<EOF >> /etc/ssl/openssl.cnf |
There was a problem hiding this comment.
This is an append operation. Do we know what's in the file before this?
Enables key agreement for TLS connections of www using hybrid PQC schemes (ECDHE + ML-KEM). Does not remove support for pure classical schemes (ECDHE only). Does not remove support for non-elliptic-curve DHE-RSA key agreement.
Hybrid PQC schemes using ML-KEM are supported from Chrome 131 onward; Firefox from 132 onward.