OSPRH-28889: Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA#590
Conversation
Hardens both TLS surfaces in horizon-operator for post-quantum cryptography (PQC) compliance: - cmd/main.go: Set MinVersion=TLS1.3 on operator webhook/metrics server. Go 1.24+ automatically negotiates X25519MLKEM768 (hybrid classical+ML-KEM) key exchange for TLS 1.3 connections. - ssl.conf: Remove MEDIUM ciphers, add !kRSA to block quantum- vulnerable RSA key exchange, pin protocols to TLS 1.3 + TLS 1.2. Partial-Bug: OSPRH-28889 Topic: osprh-28889-pqc-compliance Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@mcgonago: This pull request references OSPRH-28889 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mcgonago The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@mcgonago: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@mcgonago: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@mcgonago: This pull request references OSPRH-28889 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[AI-GENERATED] Closing this PR as it is superseded by #593, which contains the focused TLS 1.3 minimum version enforcement change for OSPRH-28889. The Apache SSL hardening work (SSLProtocol whitelist, |
Enforce TLS 1.3 as the minimum version in the operator manager
(cmd/main.go) to enable Go 1.24+ hybrid ML-KEM (X25519MLKEM768) key
exchange for quantum-safe TLS connections. Without this, Go defaults to
TLS 1.2 minimum, which only supports classical key exchange vulnerable
to harvest-now-decrypt-later attacks.
Harden the Apache ssl.conf template: drop kRSA cipher suites to
eliminate RSA key exchange (no forward secrecy, quantum-vulnerable) and
replace the ambiguous "all -SSLv2 -SSLv3 -TLSv1" protocol directive
with explicit "-all +TLSv1.3 +TLSv1.2" to guarantee TLS 1.3
availability and remove the TLS 1.1 leak.
Covers OSPRH-28889, OSPRH-28891, OSPRH-28892
Assisted-By: Claude Code (Claude Opus 4.6) noreply@anthropic.com