Post-Quantum Key Exchange support for HTTPS

[fzoli]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

There is a new algorithm called X25519Kyber768.

My Chrome browser supports it, but it selects X25519AES128GCM instead.
I tested it with Traefik 3.0.1 (Docker version).
So I assume Traefik does not support it right now.

It would be cool to support a Post-Quantum safe algorithm. :)

[fzoli]

Well.

I found this article:
https://blog.cloudflare.com/experiment-with-pq/

Cloudflare has a Go fork that supports Kyber.

Relevant code in crypto/tls/cfkem.go:

var (
	X25519Kyber512Draft00    = CurveID(0xfe30)
	X25519Kyber768Draft00    = CurveID(0x6399)
)

I compiled it on my machine to use it to build Traefik.

In the Traefik project there is a certificate.go file in the tls module.

I added the curve IDs:

	CurveIDs = map[string]tls.CurveID{
		`secp256r1`:             tls.CurveP256,
		`CurveP256`:             tls.CurveP256,
		`secp384r1`:             tls.CurveP384,
		`CurveP384`:             tls.CurveP384,
		`secp521r1`:             tls.CurveP521,
		`CurveP521`:             tls.CurveP521,
		`x25519`:                tls.X25519,
		`X25519`:                tls.X25519,
		`X25519Kyber512Draft00`: tls.X25519Kyber512Draft00, // <<-- added
		`X25519Kyber768Draft00`: tls.X25519Kyber768Draft00, // <<-- added
	}

Then I compiled Traefik with cfgo and created a new Docker image based on the alpine one.

It seems to work with Chrome browser.
Of course it is not production ready, but at least I can play with it.

[kevinpollet]

Hello @fzoli and thanks for your interest in Traefik,

Sure this is something we will likely support as soon as the Go library supports it, see golang/go#64537

[Night1]

Nice work, im looking to test this aswell, now that i know it can be done ill look in to it. X25519 is already supported in 3.0.0 lets see if the Kyber part can be added tooo