Skip to content

OSPRH-28889: PQC: Enforce TLS 1.3 minimum for quantum-safe key exchange#593

Closed
mcgonago wants to merge 1 commit into
openstack-k8s-operators:mainfrom
mcgonago:pqc/tls13-minversion
Closed

OSPRH-28889: PQC: Enforce TLS 1.3 minimum for quantum-safe key exchange#593
mcgonago wants to merge 1 commit into
openstack-k8s-operators:mainfrom
mcgonago:pqc/tls13-minversion

Conversation

@mcgonago

@mcgonago mcgonago commented May 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Enforce tls.VersionTLS13 as the minimum TLS version for the operator's webhook and metrics servers
  • Enables Go 1.24+ to negotiate hybrid X25519MLKEM768 (ML-KEM) post-quantum key exchange by default
  • Prevents fallback to TLS 1.2 which cannot negotiate PQC key exchange, mitigating Harvest Now, Decrypt Later (HNDL) exposure

Context

NIST has standardized ML-KEM (FIPS 203) for post-quantum key encapsulation. Go 1.24+ automatically negotiates the hybrid X25519MLKEM768 key exchange when both endpoints support TLS 1.3. Without setting MinVersion: tls.VersionTLS13, the operator may accept TLS 1.2 connections that cannot use quantum-safe key exchange.

This is PR #1 of the PQC compliance work for horizon-operator (OSPRH-27427).

Changes

cmd/main.go: Added a TLS option function that sets MinVersion to tls.VersionTLS13 on the shared tlsOpts slice, which feeds both the webhook server and metrics server TLS configurations.

Validation

  • go build ./... -- passes
  • go test ./internal/horizon/... -- passes
  • Functional tests require envtest binaries (etcd/kube-apiserver) which are CI-only

Related tickets

  • OSPRH-28889: TLS 1.3 MinVersion in cmd/main.go
  • OSPRH-27427: Parent epic -- PQC compliance for horizon-operator

Post-merge verification

# Verify TLS 1.3 on operator webhook:
openssl s_client -connect <webhook-service>:9443 -tls1_3 2>/dev/null | grep "Protocol"
# Expected: Protocol  : TLSv1.3

Set MinVersion to tls.VersionTLS13 on the operator's TLS configuration
so that Go 1.24+ can negotiate hybrid X25519MLKEM768 (ML-KEM) key
exchange. Without this floor, connections may fall back to TLS 1.2
which cannot negotiate post-quantum key exchange, leaving the operator
vulnerable to Harvest Now, Decrypt Later (HNDL) attacks.

Related: OSPRH-28889
Related: OSPRH-27427

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Owen McGonagle <omcgonag@redhat.com>
@openshift-ci openshift-ci Bot requested review from ashu-011 and deshipu May 10, 2026 03:04
@openshift-ci

openshift-ci Bot commented May 10, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mcgonago

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mcgonago mcgonago changed the title PQC: Enforce TLS 1.3 minimum for quantum-safe key exchange OSPRH-28889: PQC: Enforce TLS 1.3 minimum for quantum-safe key exchange May 11, 2026
@openshift-ci-robot

openshift-ci-robot commented May 11, 2026

Copy link
Copy Markdown

@mcgonago: This pull request references OSPRH-28889 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Enforce tls.VersionTLS13 as the minimum TLS version for the operator's webhook and metrics servers
  • Enables Go 1.24+ to negotiate hybrid X25519MLKEM768 (ML-KEM) post-quantum key exchange by default
  • Prevents fallback to TLS 1.2 which cannot negotiate PQC key exchange, mitigating Harvest Now, Decrypt Later (HNDL) exposure

Context

NIST has standardized ML-KEM (FIPS 203) for post-quantum key encapsulation. Go 1.24+ automatically negotiates the hybrid X25519MLKEM768 key exchange when both endpoints support TLS 1.3. Without setting MinVersion: tls.VersionTLS13, the operator may accept TLS 1.2 connections that cannot use quantum-safe key exchange.

This is PR #1 of the PQC compliance work for horizon-operator (OSPRH-27427).

Changes

cmd/main.go: Added a TLS option function that sets MinVersion to tls.VersionTLS13 on the shared tlsOpts slice, which feeds both the webhook server and metrics server TLS configurations.

Validation

  • go build ./... -- passes
  • go test ./internal/horizon/... -- passes
  • Functional tests require envtest binaries (etcd/kube-apiserver) which are CI-only

Related tickets

  • OSPRH-28889: TLS 1.3 MinVersion in cmd/main.go
  • OSPRH-27427: Parent epic -- PQC compliance for horizon-operator

Post-merge verification

# Verify TLS 1.3 on operator webhook:
openssl s_client -connect <webhook-service>:9443 -tls1_3 2>/dev/null | grep "Protocol"
# Expected: Protocol  : TLSv1.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@mcgonago

mcgonago commented Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Related to ssl.conf centralized to lib-common (OSPRH-30239). PQC TLS defaults will most likely follow a change in lib-common PR-697. See OSPRH-28889 for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants