Feature #14430
closed
Post-quantum cryptography in pfSense(+)
0%
Description
Hello,
As you likely know very well OpenSSL 1.1.1 will hit end of life support on 11th Sept 2023. (To my knowledge) That OpenSSL branch is not going to receive any post-quantum cryptography support/features.
I would like to ask what is the plan for OpenSSL 3.x support. It is a time to build pfSense(+) against OpenSSL 3.1 or something else I think.
Post-quantum cryptography is not another buzzword, but truly important problem for everyone running "trusted" services (postquantum crypto will become reality on production systems of my customers and I am sure it will be part of official regulations in some business areas). I think that this subject is hot in USA too (see some acts signed by president Biden)
So via this ticket I would like to ask pfSense Team about plans for supporting quantum resistant ciphers and related/new hashing algorithms.
Cryptography is essential part of pfSense() and significant changes will come within next 6-8 months I believe. According to OpenSSL roadmap (https://www.openssl.org/roadmap.html) we may expect post-quantum ciphers implementation around early 2024 (only in OpenSSL 3.x branch). Having in mind that NIST should announce their recommendation for quantum resistant ciphers in 2024 (CRYSTALS-Kyber?):
- could you announce official post-quantum crypto plan/roadmap for pfSense()?
- could you confirm whether you will go OpenSSL 3.x route or will try to look for other SSL libs such as LibreSSL or WolfSSL.
I have my own opinion on the subject, but would like to see yours :)
BTW. I would link to link this ticket to the haproxy related ticket I raised (https://redmine.pfsense.org/issues/14423). Currently haproxy is built against OpenSSL 1.1.1t and I would like to see post-quantum ciphers support first in haproxy component (I guess it will not be an easy replacement of 1.1.1 with 3.1.x for example)
BTW2. I think haproxy will require build updates (you are using also linking haproxy against old PCRE lib).
Many thanks and greetings to the Team.
I am sure pfSense(+) will stay on top :) and that you will provide your thoughts officialy (related to post-quantum crypto subject)
Cheers
Updated by Jim Pingle 12 months ago
- Status changed from New to Not a Bug
We plan on moving to OpenSSL 3.x once it's integrated into FreeBSD base, which is already in the works for FreeBSD 14.
We build everything against the base OpenSSL version in FreeBSD, which includes base components as well as ports/packages.
As new algorithms get added to OpenSSL, FreeBSD, and/or relevant daemons/packages we try to add them as soon as it's feasible -- for example we recently added ChaCha20-Poly1305 support into IPsec. We're always keeping an eye on such things.
That said, this task isn't in need of a separate Redmine issue like this, we'll make our own planning issues when the time comes.