Update Post Quantum Cryptography (PQC) API #6216
Open
anavarr wants to merge 1 commit into
- key exchange groups: the user can specify which key exchange groups they want to use
- pqc-enforcement-policy: the user can specify how pqc will be enforced by Vert.x. The policies are:
  - STRICT: only PQC can be used to establish secure connections. If no ssl engine supports it, application won't start. If clients don't support it, SSL handshake fails
  - CLIENT_NEGOTIATED: if no ssl engine supports pqc, application won't start. If clients don't support it, falls back to other key exchange group
  - RELAXED: no enforcement whatsoever, traditional tls negotiation
The single `useHybridKeyExchange` is removed in favor of two properties:

- `key-exchange-groups`: the user can specify which key exchange groups they want to use
- `pqc-enforcement-policy`: the user can specify how PQC will be enforced by Vert.x. The policies are:

When PQC is required (STRICT or CLIENT_NEGOTIATED), Vert.x auto-selects a PQC-capable engine (JDK or OpenSSL) if none is explicitly configured. If none is available, application fails to start with a VertxException ("PQC enforcement policy requires X25519MLKEM768 but neither JDK nor OpenSSL supports it").

The resolution of key exchange groups and PQC enforcement policy (selecting an available SSL engine, adding X25519MLKEM768 to the list of supported groups for CLIENT_NEGOTIATED or restricting the list of supported groups for STRICT) is performed once in `SslContextManager`.
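
The policy resolution described above, for the case where no engine is explicitly configured, as an added example that is not code from this pull request or from Vert.x. The class, enum, record and method names are hypothetical; restricting STRICT to the single X25519MLKEM768 group, placing that group first for CLIENT_NEGOTIATED, taking the first capable engine, and throwing `IllegalStateException` instead of `VertxException` are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration with hypothetical names; none of these types are Vert.x classes.
public class PqcPolicyExample {
  enum Policy { STRICT, CLIENT_NEGOTIATED, RELAXED }
  enum Engine { JDK, OPENSSL }
  record Resolved(Engine engine, List<String> groups) {}

  static final String PQC_GROUP = "X25519MLKEM768";

  // pqcCapable: engines that support PQC_GROUP in this runtime (constructed input below).
  static Resolved resolve(Policy policy, List<String> groups, List<Engine> pqcCapable) {
    if (policy == Policy.RELAXED) {
      // No enforcement: groups pass through unchanged; null means the policy picks no engine.
      return new Resolved(null, List.copyOf(groups));
    }
    // STRICT and CLIENT_NEGOTIATED both need a PQC-capable engine, else startup fails.
    if (pqcCapable.isEmpty()) {
      throw new IllegalStateException("PQC enforcement policy requires " + PQC_GROUP
          + " but neither JDK nor OpenSSL supports it");
    }
    Engine engine = pqcCapable.get(0); // assumption: first capable engine wins
    if (policy == Policy.STRICT) {
      // Assumption: "restricting" means offering only the PQC hybrid group, so a client
      // without it shares no group with the server and the handshake fails.
      return new Resolved(engine, List.of(PQC_GROUP));
    }
    // CLIENT_NEGOTIATED: make sure the PQC group is offered (first, as an assumption)
    // and keep the configured groups as the fallback for clients that lack it.
    List<String> merged = new ArrayList<>(List.of(PQC_GROUP));
    groups.stream().filter(g -> !g.equals(PQC_GROUP)).forEach(merged::add);
    return new Resolved(engine, List.copyOf(merged));
  }

  public static void main(String[] args) {
    List<String> configuredGroups = List.of("x25519", "secp256r1"); // constructed sample
    List<Engine> capable = List.of(Engine.OPENSSL);                  // constructed sample
    for (Policy p : Policy.values()) {
      System.out.println(p + " -> " + resolve(p, configuredGroups, capable));
    }
    try {
      resolve(Policy.STRICT, configuredGroups, List.of()); // no PQC-capable engine
    } catch (IllegalStateException e) {
      System.out.println("startup refused: " + e.getMessage());
    }
  }
}
```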