Caddy now supports post-quantum key agreement when you compile it with Cloudflare's fork of Go (see below), so that visitors whose browser supports it (such as Chrome 116+ with enable-tls13-kyber enabled in chrome://flags) will be secure against the threat of store-now/decrypt-later.
First compile Cloudflare's fork of Go:
$ git clone https://github.com/cloudflare/go
[...]
$ cd go/src
$ ./make.bash
[...]
$ cd ../..
Now we compile Caddy from source with it:
$ git clone https://github.com/caddyserver/caddy/
$ cd caddy/cmd/caddy
$ ../../../go/bin/go build
[...]
$ ./caddy version
0e204b730aa2b1fa0835336b1117eff8c420f713 (11 Oct 23 20:24 UTC)
This adds the post-quantum key agreement X25519Kyber768Draft00, which is enabled by default.
For client support, see for instance pq.cloudflareresearch.com.
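To check which clients actually offer this group, it helps to look at the supported_groups extension of a captured ClientHello. The following is an added example, not part of the original post or of Caddy: a small parser that extracts the advertised named groups from a raw TLS handshake record and reports whether X25519Kyber768Draft00 (codepoint 0x6399 in draft-tls-westerbaan-xyber768d00) is among them. The ClientHello bytes it runs on are constructed inline for testing.

```python
import struct
# Named-group codepoints. 0x6399 is the codepoint for X25519Kyber768Draft00
# from draft-tls-westerbaan-xyber768d00; the others are the classical groups
# a client normally offers alongside it.
GROUP_NAMES = {0x6399: "X25519Kyber768Draft00", 0x001D: "x25519",
               0x0017: "secp256r1", 0x0018: "secp384r1"}
SUPPORTED_GROUPS_EXT, PQ_GROUP = 10, 0x6399

def client_hello_groups(record: bytes) -> list:
    """Return the supported_groups list advertised in a TLS ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                            # legacy_version, random
    pos += 1 + hello[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                   # walk the extensions
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []

def advertises_pq(record: bytes) -> bool:
    """True if the client offers X25519Kyber768Draft00, so a PQ-enabled Caddy can select it."""
    return PQ_GROUP in client_hello_groups(record)

def build_client_hello(groups) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello (zero random, one cipher suite) for testing."""
    ext_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
    hello = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session id
             + b"\x00\x02\x13\x01"                 # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                         # compression_methods: null
             + struct.pack("!H", len(ext)) + ext)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    hello = build_client_hello([PQ_GROUP, 0x001D, 0x0017])   # constructed offer with PQ enabled
    print([GROUP_NAMES.get(g, hex(g)) for g in client_hello_groups(hello)], advertises_pq(hello))
```

On a real capture, feed the first record of the client's handshake to client_hello_groups; a browser without the flag will list only the classical groups.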
This does not enable post-quantum key agreement on the connections Caddy makes to its upstream when operating as a reverse proxy. There is a patch for that, which, when applied, allows you to configure the upstream key agreements:
localhost {
    reverse_proxy https://pq.cloudflareresearch.com {
        header_up Host {upstream_hostport}
        transport http {
            tls_curves X25519Kyber768Draft00 x25519 secp256r1
        }
    }
}