Skip to content

[configtls] Hybrid key exchange automatically applies in go version >= 1.24.0 #14343

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Geun-Oh wants to merge 9 commits into
base: main
Choose a base branch
from
Open

[configtls] Hybrid key exchange automatically applies in go version >= 1.24.0 #14343

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
4c11ee1
[configtls] Set X25519MLKEM768 as const for backward compat
Geun-Oh Jan 2, 2026
9ee9764
[configtls] Add defaultCurvePreferences for both Fips, NoFips
Geun-Oh Jan 2, 2026
c2d390d
[configtls] Use defaultCurvePreferences in default
Geun-Oh Jan 2, 2026
9fbff2c
[docs] Add new configuration guide for setting curve preferences
Geun-Oh Jan 2, 2026
9e110ad
[docs] Add detailed comments for constant X25519MLKEM768
Geun-Oh Jan 2, 2026
9e4cf77
[configtls/test] Change tls.X25519MLKEM768 into new const value
Geun-Oh Jan 2, 2026
71da754
[test] Add test for checking wheter X25519MLKEM768 const matches with…
Geun-Oh Jan 2, 2026
902834e
[configtls] Rename X25519MLKEM768 validation test file from curves_id…
Geun-Oh Jan 2, 2026
16234b8
[configtls/test] Reconfigure test with specified test cases
Geun-Oh Jan 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions config/configtls/curves_fips.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,11 @@ var tlsCurveTypes = map[string]tls.CurveID{
//"X25519": tls.X25519,
//"X25519MLKEM768": tls.X25519MLKEM768,
}

// defaultCurvePreferences defines the default order of curve preferences for FIPS builds.
// Only NIST P-curves are available in FIPS mode.
var defaultCurvePreferences = []tls.CurveID{
Copy link
Contributor

@atoulme atoulme Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's the same set as tlsCurveTypes right above

tls.CurveP256, // FIPS approved, widely supported
tls.CurveP384, // FIPS approved, higher security
tls.CurveP521, // FIPS approved, highest security
}
12 changes: 11 additions & 1 deletion config/configtls/curves_nofips.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,15 @@ var tlsCurveTypes = map[string]tls.CurveID{
"P384": tls.CurveP384,
"P521": tls.CurveP521,
"X25519": tls.X25519,
"X25519MLKEM768": tls.X25519MLKEM768,
"X25519MLKEM768": X25519MLKEM768,
Copy link

@Brent-Durham Brent-Durham Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you breaking convention?

}

// defaultCurvePreferences defines the default order of curve preferences.
// X25519MLKEM768 is prioritized for post-quantum security when compiled with Go 1.24+.
var defaultCurvePreferences = []tls.CurveID{
X25519MLKEM768, // Post-quantum hybrid key exchange
tls.X25519, // Modern, fast elliptic curve
tls.CurveP256, // Widely supported
tls.CurveP384, // Higher security margin
tls.CurveP521, // Highest security margin
}