Skip to content

ROX-33133: Enable post-quantum crypto-policies for fact#349

Open
vladbologa wants to merge 1 commit intomainfrom
vb/enable-pqc
Open

ROX-33133: Enable post-quantum crypto-policies for fact#349
vladbologa wants to merge 1 commit intomainfrom
vb/enable-pqc

Conversation

@vladbologa
Copy link

@vladbologa vladbologa commented Mar 3, 2026
edited
Loading

Description

This change enables post-quantum key-exchange algorithms for OpenSSL. As fact uses the image crypto libraries and does not hardcode TLS settings, this should enable ML-KEM key exchanges it.

See also: stackrox/collector#2977

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

In the fact container (before this PR):

sh-5.1# cat /etc/crypto-policies/config
DEFAULT
sh-5.1# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep Groups
Groups = *X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

In the sensor logs:

pkg/grpc: 2026/03/03 13:40:14.694690 endpoints.go:190: Info: TLS handshake from "10.129.2.30:49354": TLS 1.3, cipher TLS_AES_128_GCM_SHA256, 
key exchange X25519, ALPN "h2"

❌ X25519 is not a PQC key exchange algorithm

In the fact container (after this PR):

sh-5.1# cat /etc/crypto-policies/config
DEFAULT:PQ
sh-5.1# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep Groups
Groups = *?X25519MLKEM768:?x25519_mlkem768:?SecP256r1MLKEM768:?p256_mlkem768:?SecP384r1MLKEM1024:?p384_mlkem1024/*X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

In the sensor logs:

pkg/grpc: 2026/03/03 13:47:33.437976 endpoints.go:190: Info: TLS handshake from "10.130.0.89:42434": TLS 1.3, cipher TLS_AES_128_GCM_SHA256, 
key exchange X25519MLKEM768, ALPN "h2"

✅ X25519MLKEM768 is a PQC key exchange algorithm

@vladbologa vladbologa requested review from a team and rhacs-bot as code owners March 3, 2026 10:23
@Molter73
Copy link
Contributor

Molter73 commented Mar 3, 2026

As fact uses the image crypto libraries and does not hardcode TLS settings, this should enable ML-KEM key exchanges it.

Have you done any manual testing to validate this? I know a few months back I tried capturing some packets with tcpdump and inspecting them with WireShark. If so, mind updating the Testing Performed section in the PR description?

@vladbologa
Copy link
Author

vladbologa commented Mar 3, 2026

As fact uses the image crypto libraries and does not hardcode TLS settings, this should enable ML-KEM key exchanges it.

Have you done any manual testing to validate this? I know a few months back I tried capturing some packets with tcpdump and inspecting them with WireShark. If so, mind updating the Testing Performed section in the PR description?

Yes, I wasn't finished with the testing, now it's done.

@vladbologa vladbologa requested a review from kurlov March 3, 2026 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kurlov kurlov kurlov approved these changes

@rhacs-bot rhacs-bot Awaiting requested review from rhacs-bot rhacs-bot is a code owner

@Molter73 Molter73 Awaiting requested review from Molter73

@tommartensen tommartensen Awaiting requested review from tommartensen

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vladbologa @Molter73 @kurlov