Skip to content

OSPRH-28889: Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA#590

Closed
mcgonago wants to merge 1 commit into
openstack-k8s-operators:mainfrom
mcgonago:osprh-28889-feature-workflow-for-osprh-28889
Closed

OSPRH-28889: Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA#590
mcgonago wants to merge 1 commit into
openstack-k8s-operators:mainfrom
mcgonago:osprh-28889-feature-workflow-for-osprh-28889

Conversation

@mcgonago

@mcgonago mcgonago commented May 5, 2026

Copy link
Copy Markdown
Contributor

Enforce TLS 1.3 as the minimum version in the operator manager
(cmd/main.go) to enable Go 1.24+ hybrid ML-KEM (X25519MLKEM768) key
exchange for quantum-safe TLS connections. Without this, Go defaults to
TLS 1.2 minimum, which only supports classical key exchange vulnerable
to harvest-now-decrypt-later attacks.

Harden the Apache ssl.conf template: drop kRSA cipher suites to
eliminate RSA key exchange (no forward secrecy, quantum-vulnerable) and
replace the ambiguous "all -SSLv2 -SSLv3 -TLSv1" protocol directive
with explicit "-all +TLSv1.3 +TLSv1.2" to guarantee TLS 1.3
availability and remove the TLS 1.1 leak.

Covers OSPRH-28889, OSPRH-28891, OSPRH-28892

Assisted-By: Claude Code (Claude Opus 4.6) noreply@anthropic.com

Hardens both TLS surfaces in horizon-operator for post-quantum
cryptography (PQC) compliance:

- cmd/main.go: Set MinVersion=TLS1.3 on operator webhook/metrics
  server. Go 1.24+ automatically negotiates X25519MLKEM768 (hybrid
  classical+ML-KEM) key exchange for TLS 1.3 connections.

- ssl.conf: Remove MEDIUM ciphers, add !kRSA to block quantum-
  vulnerable RSA key exchange, pin protocols to TLS 1.3 + TLS 1.2.

Partial-Bug: OSPRH-28889
Topic: osprh-28889-pqc-compliance

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot

openshift-ci-robot commented May 5, 2026

Copy link
Copy Markdown

@mcgonago: This pull request references OSPRH-28889 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Enforce TLS 1.3 minimum in operator manager (cmd/main.go) to enable Go 1.24+ hybrid ML-KEM (X25519MLKEM768) key exchange
  • Harden Apache ssl.conf: drop kRSA cipher suites, restrict protocol to TLS 1.2+1.3
  • Covers OSPRH-28889, OSPRH-28891, OSPRH-28892

Changes

  • cmd/main.go: Add tls.Config.MinVersion = tls.VersionTLS13 to operator manager TLS options
  • templates/horizon/config/ssl.conf: Update SSLCipherSuite to exclude kRSA, update SSLProtocol to -all +TLSv1.3 +TLSv1.2

Test plan

  • go build ./...
  • go test ./...
  • make test
  • Verify TLS 1.3 negotiation with openssl s_client -connect <endpoint>:443

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented May 5, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mcgonago

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label May 5, 2026
@openshift-ci

openshift-ci Bot commented May 5, 2026

Copy link
Copy Markdown
Contributor

@mcgonago: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/horizon-operator-build-deploy-kuttl b016f03 link true /test horizon-operator-build-deploy-kuttl

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mcgonago mcgonago changed the title OSPRH-28889: PQC compliance -- enforce TLS 1.3 and block kRSA Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA May 5, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@mcgonago: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

Enforce TLS 1.3 as the minimum version in the operator manager
(cmd/main.go) to enable Go 1.24+ hybrid ML-KEM (X25519MLKEM768) key
exchange for quantum-safe TLS connections. Without this, Go defaults to
TLS 1.2 minimum, which only supports classical key exchange vulnerable
to harvest-now-decrypt-later attacks.

Harden the Apache ssl.conf template: drop kRSA cipher suites to
eliminate RSA key exchange (no forward secrecy, quantum-vulnerable) and
replace the ambiguous "all -SSLv2 -SSLv3 -TLSv1" protocol directive
with explicit "-all +TLSv1.3 +TLSv1.2" to guarantee TLS 1.3
availability and remove the TLS 1.1 leak.

Covers OSPRH-28889, OSPRH-28891, OSPRH-28892

Assisted-By: Claude Code (Claude Opus 4.6) noreply@anthropic.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@mcgonago mcgonago changed the title Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA OSPRH-28889: Horizon: PQC compliance -- enforce TLS 1.3 and block kRSA May 6, 2026
@openshift-ci-robot

openshift-ci-robot commented May 6, 2026

Copy link
Copy Markdown

@mcgonago: This pull request references OSPRH-28889 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Enforce TLS 1.3 as the minimum version in the operator manager
(cmd/main.go) to enable Go 1.24+ hybrid ML-KEM (X25519MLKEM768) key
exchange for quantum-safe TLS connections. Without this, Go defaults to
TLS 1.2 minimum, which only supports classical key exchange vulnerable
to harvest-now-decrypt-later attacks.

Harden the Apache ssl.conf template: drop kRSA cipher suites to
eliminate RSA key exchange (no forward secrecy, quantum-vulnerable) and
replace the ambiguous "all -SSLv2 -SSLv3 -TLSv1" protocol directive
with explicit "-all +TLSv1.3 +TLSv1.2" to guarantee TLS 1.3
availability and remove the TLS 1.1 leak.

Covers OSPRH-28889, OSPRH-28891, OSPRH-28892

Assisted-By: Claude Code (Claude Opus 4.6) noreply@anthropic.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@mcgonago

mcgonago commented May 10, 2026

Copy link
Copy Markdown
Contributor Author

[AI-GENERATED] Closing this PR as it is superseded by #593, which contains the focused TLS 1.3 minimum version enforcement change for OSPRH-28889. The Apache SSL hardening work (SSLProtocol whitelist, !kRSA cipher blocking) will be handled in a separate follow-up PR.

@mcgonago mcgonago closed this May 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants