[Feature Request] Add support for post quantum KEM (Kyber)

[SkanderHelali]

Howdy,

This is a feature request - for enabling Post Quantum Key Agreement in the provided nginx image - particularly support for Kyber - and tweaking the default ssl ciphers to give it preference.

Example of an NPM image with Kyber support: https://github.com/olokelo/nginx-proxy-manager-bssl-brotli
And as a resource: https://blog.aegrel.ee/kyber-nginx.html

[Zoey2936]

the repo you sent just has brotli support and uses boringssl? There is no Kyber mentioned in the patch files

[SkanderHelali]

the repo you sent just has brotli support and uses boringssl? There is no Kyber mentioned in the patch files

Link 1 context:
https://oloke.xyz/posts/npm-boringssl-brotli-build/

It uses boringssl to enable the use of Kyber - which is one approach.

The second link uses a second approach with oqs-provider instead.

[Zoey2936]

It needs to be supported in OpenSSL: openssl/openssl#24622 and the be merged into QuicTLS. BoringSSL is very limited supported in nginx/freenginx and https://github.com/open-quantum-safe/oqs-provider does not look like a useable implementation

[Zoey2936]

It can stay open if you want, I will add it as soon as it is there

[SkanderHelali]

It can stay open if you want, I will add it as soon as it is there

Up to you :)

[Zoey2936]

I think I maybe get it working with oqs, do you know which chippers exactly need to be added?

[SkanderHelali]

I think I maybe get it working with oqs, do you know which chippers exactly need to be added?

I have been running it on vanilla nginx+oqs with the following for TLS 1.2/1.3, Kyber, and prioritized ChaCha - adjust as you see fit:

#ciphers
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
#kyber
ssl_ecdh_curve x25519_kyber768:p384_kyber768:x25519:secp384r1;

#optional PrioritizeChaCha
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;

[SkanderHelali]

News:

In addition to the ones above (hybrid draft-kyber - FIPS 203 draft) that are currently supported by browsers and used by Cloudflare:

These should be added and prioritized:
x25519_mlkem768, p384_mlkem768(?)

They are already in oqs-provider as well (and I tested adding them).

which will use the NIST approved version (ML-KEM - FIPS 203 final) , and browsers are expected to move to this soon: https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html

So:

ssl_ecdh_curve x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1;

With "x25519_kyber768:p384_kyber768" being currently used/supported in browsers/cloudflare/implementations - but going to be dropped in the future and "x25519_mlkem768:p384_mlkem768" becoming implemented in the future as a replacement.

Quoted from the link above:
"Server operators can temporarily support both algorithms at the same time to maintain post-quantum security with a broader set of clients, as they update over time. We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations. "

[Zoey2936]

I've compiled it in and merged it, so the only thing missing is changing the nginx config, can you maybe give me a full configuration how it sould look based on this: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

[SkanderHelali]

I've compiled it in and merged it, so the only thing missing is changing the nginx config, can you maybe give me a full configuration how it sould look based on this: https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

It's a one-liner.

ssl_early_data on;

ssl_stapling on;
ssl_stapling_verify on;

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1;

With the only change being the last line from the configuration you linked.

Optionally, if you'd like since we're here - you can PrioritizeChaCha and explicitly disable less safe CCM TLSv1.3 suites, but this is unrelated to this post quantum KEM / issue - by adding the following as well:

ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;

With the resulting full config being:

ssl_early_data on;

ssl_stapling on;
ssl_stapling_verify on;

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1;
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;

Edit: changed ciphersuite order

[SkanderHelali]

I just noticed that the "ssl_prefer_server_ciphers" is set to on (#281), so we actually need to order the ciphers properly and not just as generated by the mozilla. Otherwise we're server-preferring weaker ciphers for no reason.

ssl_early_data on;

ssl_stapling on;
ssl_stapling_verify on;

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/tls/dhparam;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1;
#optional, see previous reply
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;

[Zoey2936]

can you maybe explain why you use x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1 ?

[Zoey2936]

so nginx uses by default "auto" to select this curve, which of the listed chipers are the "auto" ones and which the oqs ones?

[SkanderHelali]

can you maybe explain why you use x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768:x25519:secp384r1 ?

x25519_mlkem768 is a hybrid of x25519 and the final ML-KEM - will replace the draft in browsers and implementations.
x25519_kyber768 is a hybrid of x25519 and the draft ML-KEM (Kyber) - currently supported.

same concept for the p384 hybrid variants.

and the vanilla non quantum safe x25519 and secp384r1 at the end.

so nginx uses by default "auto" to select this curve, which of the listed chipers are the "auto" ones and which the oqs ones?

So:

OQS: x25519_mlkem768:p384_mlkem768:x25519_kyber768:p384_kyber768
Default: x25519:secp384r1 (from the defaults, covers all the ciphers in use when tested with ssllabs)

I only added x25519:secp384r1 and did not explore if there are other defaults that can be used instead, only that this is enough.

[Zoey2936]

so would you say this file looks good now? https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

[SkanderHelali]

so would you say this file looks good now? https://github.com/ZoeyVid/NPMplus/blob/develop/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf

Looks good to me, and matches my current test setup;
With the only omission being explicitly disabling the two weaker CCM suites for TLSv1.3 but that is unrelated to PQ KEM (ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;)

I have tested with the linked conf as-is and it works as expected, with Kyber being used and ssllabs passing as usual.
Test host: https://testing.helali.me

[Zoey2936]

With the only omission being explicitly disabling the two weaker CCM suites for TLSv1.3 but that is unrelated to PQ KEM (ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;)

They are disabled by default in openssl, at least in my openssl build, which is included in NPMplus

[Zoey2936]

will release tommorow