Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable experimental post-quantum key exchange mechanism X25519Kyber768Draft00 #4583

Merged
merged 1 commit into from
Sep 30, 2024
Merged

Disable experimental post-quantum key exchange mechanism X25519Kyber768Draft00 #4583

merged 1 commit into from
Sep 30, 2024

Conversation

flostadler
Copy link
Contributor

The AWS Provider was upgraded to Go 1.23 in v6.51.0, which introduced a change
to the crypto/tls standard library package. It enabled the post-quantum
key exchange mechanism X25519Kyber768Draft00 by default. This experimental key
exchange mechanism is causing errors in the AWS firewall.
As a short term workaround this change disables the experimental key exchange mechanism.

Upstream maintainers and AWS are in touch to work on a long-term fix.

Fixes #4573
Relates to #4582

@flostadler
Disable experimental post-quantum key exchange mechanism X25519Kyber7…
7b3bd47 
…68Draft00

The AWS Provider was upgraded to Go 1.23 in v6.51.0, which introduced a change
to the crypto/tls standard library package. It enabled the post-quantum
key exchange mechanism `X25519Kyber768Draft00` by default. This experimental key
exchange mechanism is causing errors in the AWS firewall.
As a short term workaround this change disables the experimental key exchange mechanism.

Upstream maintainers and AWS are in touch to work on a long-term fix.
@flostadler flostadler requested review from t0yv0, corymhall and a team September 30, 2024 09:56
@flostadler flostadler self-assigned this Sep 30, 2024
@flostadler flostadler changed the title Disable experimental post-quantum key exchange mechanism X25519Kyber768Draft00 Disable experimental post-quantum key exchange mechanism X25519Kyber768Draft00 Sep 30, 2024
@flostadler flostadler mentioned this pull request Sep 30, 2024
Closed
iwahbe
iwahbe approved these changes Sep 30, 2024
View reviewed changes
Copy link
Member

@iwahbe iwahbe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to get a test in here?

@flostadler
Copy link
Contributor Author

Is it possible to get a test in here?

I was not able to trigger it myself. Our existing test didn't catch it either.

This is a tricky issue because it seems to be triggered by the length of the TLS ClientHello message. This new key-exchange mechanism causes the length to increase, in certain circumstances this seems to trigger an error in the AWS firewalls.

@github-actions GitHub Actions
Copy link

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

Maintainer note: consult the runbook for dealing with any breaking changes.

@flostadler
Copy link
Contributor Author

/release patch

@github-actions github-actions bot added the needs-release/patch When a PR with this label merges, it initiates a release of vX.Y.Z+1 label Sep 30, 2024
@flostadler flostadler merged commit 0808d68 into master Sep 30, 2024
31 checks passed
@flostadler flostadler deleted the flostadler/post-quantum-tls-fix branch September 30, 2024 12:05
@t0yv0
Copy link
Member

t0yv0 commented Sep 30, 2024

Thank you for a quick turnaround on #4573 !

@pulumi-bot
Copy link
Contributor

This PR has been shipped in release v6.54.1.

zemnmez-renovate-bot added a commit to zemn-me/monorepo that referenced this pull request Sep 30, 2024
@zemnmez-renovate-bot
chore(deps): update dependency @pulumi/aws to v6.54.1
3f7dce3 
##### [`v6.54.1](https://github.com/pulumi/pulumi-aws/releases/tag/v6.54.1)

##### Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

#### What's Changed

-   Disable experimental post-quantum key exchange mechanism `X25519Kyber768Draft00` by [@flostadler](https://github.com/flostadler) in pulumi/pulumi-aws#4583

**Full Changelog**: pulumi/pulumi-aws@v6.54.0...v6.54.1
@github-actions github-actions bot removed the needs-release/patch When a PR with this label merges, it initiates a release of vX.Y.Z+1 label Sep 30, 2024
github-merge-queue bot pushed a commit to zemn-me/monorepo that referenced this pull request Sep 30, 2024
@zemnmez-renovate-bot
chore(deps): update dependency @pulumi/aws to v6.54.1
ebccbaf 
##### [`v6.54.1](https://github.com/pulumi/pulumi-aws/releases/tag/v6.54.1)

##### Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

#### What's Changed

-   Disable experimental post-quantum key exchange mechanism `X25519Kyber768Draft00` by [@flostadler](https://github.com/flostadler) in pulumi/pulumi-aws#4583

**Full Changelog**: pulumi/pulumi-aws@v6.54.0...v6.54.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iwahbe iwahbe iwahbe approved these changes

@t0yv0 t0yv0 Awaiting requested review from t0yv0

@corymhall corymhall Awaiting requested review from corymhall

Assignees

@flostadler flostadler

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS IAM and other services don´t work anymore (TLS issue)
4 participants
@flostadler @t0yv0 @pulumi-bot @iwahbe