@bwesterb
Created October 11, 2023 21:52
Compile Caddy with support for post-quantum key agreement (X25519+Kyber)

Post-quantum Caddy

Caddy now supports post-quantum key agreement when you compile it with Cloudflare's fork of Go (see below). Visitors whose browser supports it (such as Chrome 116+ with enable-tls13-kyber enabled in chrome://flags) are then protected against the store-now/decrypt-later threat.

Instructions

First compile Cloudflare's fork of Go:

$ git clone https://github.com/cloudflare/go
[...]
$ cd go/src
$ ./make.bash
[...]
$ cd ../..

Now we compile Caddy from source with it:

$ git clone https://github.com/caddyserver/caddy/
$ cd caddy/cmd/caddy
$ ../../../go/bin/go build
[...]
$ ./caddy version
0e204b730aa2b1fa0835336b1117eff8c420f713 (11 Oct 23 20:24 UTC)

This adds the post-quantum key agreement X25519Kyber768Draft00, which is enabled by default.
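A way to check that the freshly built Caddy really selects the hybrid group, as an added example that is not part of the gist: the script below speaks raw TLS 1.3 records, so it needs no post-quantum TLS library on the client side. It sends one ClientHello that offers X25519Kyber768Draft00 (code point 0x6399, the draft value Chrome and Cloudflare use) ahead of plain X25519, reads the server's first record and reports which group the ServerHello's key_share names, or which alert the server sent instead. The hostname, port and the placeholder Kyber share are assumptions of the example; the Caddyfile and hosts are whatever you deployed.

```python
"""Probe whether a TLS 1.3 server selects the X25519Kyber768Draft00 hybrid group.

Added example, not part of the gist. It speaks raw TLS records so it needs no
PQ-capable TLS library: it sends one ClientHello that offers the hybrid group
first, reads the server's first record and reports the group named in the
ServerHello's key_share (or the alert the server sent instead).
"""
import os
import socket
import struct

# Named-group code points: 0x6399 is the draft code point Chrome and Cloudflare
# use for X25519Kyber768Draft00; 0x001D is X25519; 0x0017 is secp256r1.
X25519_KYBER768_DRAFT00 = 0x6399
X25519 = 0x001D
GROUP_NAMES = {X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00", X25519: "x25519", 0x0017: "secp256r1"}

# Client key-share size for the hybrid: X25519 point (32) + Kyber768 public key (1184).
HYBRID_SHARE_LEN = 32 + 1184


def group_name(code):
    return GROUP_NAMES.get(code, "0x%04x" % code)


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname, groups, shares):
    """Return one TLS record carrying a minimal TLS 1.3 ClientHello.

    groups: named groups for supported_groups, in preference order.
    shares: list of (group, key_exchange bytes) for the key_share extension.
    """
    body = b"\x03\x03" + os.urandom(32)                    # legacy_version, random
    body += b"\x20" + os.urandom(32)                       # legacy_session_id (middlebox compat)
    suites = struct.pack("!HHH", 0x1301, 0x1302, 0x1303)   # AES-128-GCM, AES-256-GCM, ChaCha20
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # compression_methods: null only
    host = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = _ext(0x0000, sni)                                               # server_name
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    exts += _ext(0x000A, struct.pack("!H", len(group_list)) + group_list)  # supported_groups
    sigs = struct.pack("!HHHHHH", 0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501)
    exts += _ext(0x000D, struct.pack("!H", len(sigs)) + sigs)              # signature_algorithms
    exts += _ext(0x002B, b"\x02\x03\x04")                                  # supported_versions: 1.3 only
    exts += _ext(0x002D, b"\x01\x01")                                      # psk_key_exchange_modes
    share_list = b"".join(struct.pack("!HH", g, len(s)) + s for g, s in shares)
    exts += _ext(0x0033, struct.pack("!H", len(share_list)) + share_list)  # key_share
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the server's first record.

    Returns ("server_hello", group) with the key_share group (None if absent),
    ("alert", description) for an alert record, or ("unknown", None).
    A HelloRetryRequest is a ServerHello too; its key_share carries only a group.
    """
    if len(data) < 5:
        return ("unknown", None)
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    rec = data[5:5 + rlen]
    if ctype == 0x15 and len(rec) >= 2:
        return ("alert", rec[1])
    if ctype != 0x16 or len(rec) < 4 or rec[0] != 0x02:
        return ("unknown", None)
    sh = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + sh[pos]                                     # legacy_session_id_echo
    pos += 2 + 1                                           # cipher_suite + compression
    ext_end = pos + 2 + struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        if ext_type == 0x0033 and ext_len >= 2:
            return ("server_hello", struct.unpack("!H", sh[pos:pos + 2])[0])
        pos += ext_len
    return ("server_hello", None)


def probe(host, port=443, timeout=5.0):
    """Send the probe ClientHello and classify the first record that comes back.

    The Kyber half of the hybrid share is placeholder random bytes of the right
    length: the probe only needs the server's group choice, so the handshake is
    never completed. A server that validates the share strictly may answer with
    an alert instead; treat that as inconclusive, not as "no PQ support".
    """
    shares = [(X25519_KYBER768_DRAFT00, os.urandom(HYBRID_SHARE_LEN)), (X25519, os.urandom(32))]
    hello = build_client_hello(host, [X25519_KYBER768_DRAFT00, X25519], shares)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        buf = b""
        while len(buf) < 5 or len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_server_response(buf)


if __name__ == "__main__":
    import sys
    kind, value = probe(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    if kind == "server_hello":
        print("server selected", group_name(value) if value is not None else "(no key_share)")
    else:
        print("no ServerHello:", kind, value)
```

Run it as `python3 pqprobe.py localhost` against the Caddy you just built (adjust host and port); a build with the stock Go toolchain answers with x25519, the Cloudflare-fork build should answer with X25519Kyber768Draft00. Because the hybrid share is 1216 bytes, the ClientHello is far larger than a classical one, which is also why it is the first thing to look at if a middlebox in front of Caddy starts dropping handshakes.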

References

For client support, see for instance pq.cloudflareresearch.com.

This does not enable post-quantum key agreement for the connections Caddy makes to its upstreams when it operates as a reverse proxy. There is a patch for that, which, once applied, lets you configure the upstream key agreements:

localhost {
    reverse_proxy https://pq.cloudflareresearch.com {
        header_up Host {upstream_hostport}
        transport http {
            tls_curves X25519Kyber768Draft00 x25519 secp256r1
        }
    }
}