-
Notifications
You must be signed in to change notification settings - Fork 110
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use features to set default key exchange preference
Overwrite boringSSL's default key exchange preferences with safe defaults. The defaults can be overwritten in the usual way (by calling `SslConnector::set_curves()`). They can also be controlled by feature flags: * "pq-supported" (introduced by this commit) enables support for PQ key exchange algorithms by default. Classical key exchange is still preferred, but will be upgraded to PQ if requested. * "pq-preferred" (introduced by this commit) enables preference for PQ key exchange by default, with fallback to classical key exchange if requested. " "fips(-link-precompiled)" disables support for X25519 by default. While at it, add `SslCurve::X25519_KYBER768_DRAFT00` to the default feature set. Previously this was gated to builds that don't have include the "fips" flag. There are two motivations for this change: 1. For consistency: no other X25519 hybrids (nor `SslCurve::X22519` itself) were gated in the same way. 2. The FIPS flags now control default preferences, but these can be overwritten by the user if necessary.
- Loading branch information
Showing
2 changed files
with
80 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters