
@bwesterb
Last active November 7, 2024 14:44
Compile Caddy with support for post-quantum key agreement (X25519+Kyber)

Post-quantum Caddy

Caddy supports post-quantum key agreement when it is compiled with Go 1.23 or later. Visitors whose browser also supports it (for example Chrome on desktop and Edge) then negotiate a hybrid key exchange, which protects the recorded traffic against the store-now/decrypt-later threat: an attacker who captures the TLS session today cannot later recover the session keys with a quantum computer.

Instructions

With xcaddy

Compile Caddy from source with Go 1.23+. This is easiest with xcaddy. Note that the post-quantum support comes from Go's crypto/tls, not from Caddy itself, so what matters is the Go version that actually builds the binary.

$ go version # make sure you got Go 1.23 or later!
go version go1.23.0 darwin/arm64
$ go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
[ ... ]
$ xcaddy build master
[ ... ]
$ ./caddy version # PQ caddy ready to Go!

By hand

It's also straightforward without xcaddy:

$ git clone https://github.com/caddyserver/caddy/
$ cd caddy/cmd/caddy
$ go build
[...]
$ ./caddy version
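The two procedures above both depend on one thing that is easy to get wrong: the `go` first in PATH (the one xcaddy or `go build` picks up) must be 1.23 or newer, otherwise the resulting Caddy simply has no post-quantum group and fails silently back to classical key exchange. The script below is an added example, not part of the gist or of Caddy: it checks the toolchain version, runs the xcaddy build from the instructions, and then confirms from the binary's own embedded build info (`go version -m ./caddy`) that it really was linked with Go 1.23+. The `1.23` minimum is the one stated above; the function names and `MIN_MAJOR`/`MIN_MINOR` are this script's own.

```shell
#!/bin/sh
# Added example (not from the gist or from Caddy): verify the Go toolchain is
# 1.23 or newer, build Caddy with xcaddy, then verify the produced binary was
# really built with Go 1.23+ (xcaddy and `go build` use whichever `go` is first
# in PATH, so the version you checked by hand is not necessarily the one used).
# MIN_MAJOR/MIN_MINOR encode the gist's stated minimum; names are this script's own.

MIN_MAJOR=1
MIN_MINOR=23

# go_version_ok "<line containing goX.Y...>": succeed if X.Y >= MIN_MAJOR.MIN_MINOR.
# Accepts both `go version` output ("go version go1.23.0 darwin/arm64") and the
# first line of `go version -m ./caddy` ("./caddy: go1.23.0").
go_version_ok() {
    # Pull the first whitespace-separated field that looks like goX.Y and split
    # it into major and minor; "1.23rc1" and "1.23.0" both yield "1 23".
    set -- $(printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
            if ($i ~ /^go[0-9]+\.[0-9]+/) {
                sub(/^go/, "", $i)            # "1.23.0" or "1.23rc1"
                split($i, p, /[^0-9]/)        # p[1]=major, p[2]=minor
                print p[1], p[2]
                exit
            }
        }')
    [ $# -eq 2 ] || return 1                  # no goX.Y token found
    [ "$1" -gt "$MIN_MAJOR" ] && return 0
    [ "$1" -eq "$MIN_MAJOR" ] && [ "$2" -ge "$MIN_MINOR" ]
}

# Build Caddy's master branch with xcaddy, as in the gist (needs network access
# and a Go 1.23+ toolchain in PATH), and refuse to hand over a classical-only binary.
build_pq_caddy() {
    go_version_ok "$(go version)" \
        || { echo "need Go >= $MIN_MAJOR.$MIN_MINOR in PATH" >&2; return 1; }
    go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest || return 1
    xcaddy build master || return 1           # writes ./caddy
    # Post-build check: the toolchain recorded in the binary must be 1.23+ too;
    # otherwise its crypto/tls has no post-quantum group at all.
    go_version_ok "$(go version -m ./caddy | head -n 1)" \
        || { echo "./caddy was not built with Go >= $MIN_MAJOR.$MIN_MINOR" >&2; return 1; }
    ./caddy version
}

# Only build when explicitly asked ("./build-pq-caddy.sh build"), so the file
# can be sourced for its functions without side effects.
if [ "${1:-}" = build ]; then
    build_pq_caddy
fi
```

Run it as `sh build-pq-caddy.sh build` in an empty directory; the last line it prints is the usual `caddy version` output, and a non-zero exit means one of the two version checks failed. The check on the finished binary is the one worth keeping in a CI pipeline, since it catches an xcaddy that quietly picked up an older toolchain.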

What's enabled

Caddy built with Go 1.23 supports the post-quantum hybrid key agreement X25519Kyber768Draft00, which Go's crypto/tls enables by default. Two caveats for operators: the default can be switched off with `GODEBUG=tlskyber=0` in the environment, so check the service's environment if the group never negotiates; and Go 1.24 replaces this draft group with the standardised X25519MLKEM768, so a Caddy built with Go 1.24 or later offers that group instead, and clients that only implement the Kyber draft will fall back to classical key exchange against it.

References

To check whether a given client negotiates post-quantum key agreement, see for instance pq.cloudflareresearch.com.

When Caddy runs as a reverse proxy, its TLS connections to upstreams use the same Go crypto/tls stack, so those connections also negotiate post-quantum key agreement whenever the upstream supports it.
