Project

General

Profile

Actions

Feature #14430

closed

Post-quantum cryptography in pfSense(+)

Added by Pawel Piaskowy over 1 year ago. Updated over 1 year ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

Hello,

As you likely know very well OpenSSL 1.1.1 will hit end of life support on 11th Sept 2023. (To my knowledge) That OpenSSL branch is not going to receive any post-quantum cryptography support/features.
I would like to ask what is the plan for OpenSSL 3.x support. It is a time to build pfSense(+) against OpenSSL 3.1 or something else I think.
Post-quantum cryptography is not another buzzword, but truly important problem for everyone running "trusted" services (postquantum crypto will become reality on production systems of my customers and I am sure it will be part of official regulations in some business areas). I think that this subject is hot in USA too (see some acts signed by president Biden)

So via this ticket I would like to ask pfSense Team about plans for supporting quantum resistant ciphers and related/new hashing algorithms.

Cryptography is essential part of pfSense() and significant changes will come within next 6-8 months I believe. According to OpenSSL roadmap (https://www.openssl.org/roadmap.html) we may expect post-quantum ciphers implementation around early 2024 (only in OpenSSL 3.x branch). Having in mind that NIST should announce their recommendation for quantum resistant ciphers in 2024 (CRYSTALS-Kyber?):
- could you announce official post-quantum crypto plan/roadmap for pfSense(
)?
- could you confirm whether you will go OpenSSL 3.x route or will try to look for other SSL libs such as LibreSSL or WolfSSL.

I have my own opinion on the subject, but would like to see yours :)

BTW. I would link to link this ticket to the haproxy related ticket I raised (https://redmine.pfsense.org/issues/14423). Currently haproxy is built against OpenSSL 1.1.1t and I would like to see post-quantum ciphers support first in haproxy component (I guess it will not be an easy replacement of 1.1.1 with 3.1.x for example)
BTW2. I think haproxy will require build updates (you are using also linking haproxy against old PCRE lib).

Many thanks and greetings to the Team.
I am sure pfSense(+) will stay on top :) and that you will provide your thoughts officialy (related to post-quantum crypto subject)

Cheers

Actions

Also available in: Atom PDF