Remove PQ TLS 1.2 Support #4991
Open
+303
−2,781
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alexw91
commented
Dec 30, 2024
| @@ -1000,6 +1000,34 @@ impl Connection { | |||
| } | |||
| } | |||
|
|
|||
| pub fn kem_group_name(&self) -> Option<&str> { | |||
There was a problem hiding this comment.
Copy/Paste of kem_name function a few lines above, but with a call to s2n_connection_get_kem_group_name() instead of s2n_connection_get_kem_name().
alexw91
force-pushed
the
remove-pq-tls12
branch
from
600d533 to
9cf4622
Compare
alexw91
commented
Dec 30, 2024
Comment on lines
+154
to
+155
| /* Ensure that PQ enabled Policies support TLS 1.3 since TLS 1.3 is now required for PQ support. */ | ||
| EXPECT_TRUE(has_tls_13_cipher); |
There was a problem hiding this comment.
Moved "TLS 1.3 + PQ checks" further down in the function so that this code has access to the has_tls_13_cipher variable, so that a check that requires TLS 1.3 support for all PQ policies could be added.
alexw91
force-pushed
the
remove-pq-tls12
branch
from
9cf4622 to
61b66e5
Compare
alexw91
force-pushed
the
remove-pq-tls12
branch
from
61b66e5 to
6d988ce
Compare
…nd it results in a smaller diff
alexw91
commented
Jan 2, 2025
| } | ||
|
|
||
| const struct s2n_security_policy *security_policy = NULL; | ||
|
|
||
| /* Test Deprecated Security Policies*/ |
There was a problem hiding this comment.
New unit tests for deprecated security policies.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release Summary:
Removes draft support for post-quantum TLS 1.2 (draft-campagna-tls-bike-sike-hybrid) from s2n-tls. Support for post-quantum TLS 1.3 (draft-ietf-tls-hybrid-design) is kept.
Resolved issues:
None.
Description of changes:
Removes draft support for post-quantum TLS 1.2 (draft-campagna-tls-bike-sike-hybrid) from s2n-tls. Support for post-quantum TLS 1.3 (draft-ietf-tls-hybrid-design) is kept.
Call-outs:
TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384cipher entirely from s2n-tls.s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384was removed from all cipher preference lists. If this removal made the cipher preference list identical to an already existing cipher preference list, then the entire cipher preference list was deleted and security policies migrated to use the other already existing cipher preference list. Otherwise, if no equivalent cipher preference list existed thens2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384was removed in-place (eg forcipher_suites_pq_tls_1_0_2021_05_24).s2n_connection_get_kem_name()is kept, but now hardcoded to always returnNONEin all circumstances so as to not break customers.Testing:
S2N_ERR_DEPRECATED_SECURITY_POLICYwhen requested.Remember:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.