>Yes, not only enabled, but preferred, with servers sending an HRR when a
>client reports support for X25519MLKEM768, but does not send a
>corresponding keyshare.
That is truly excellent news! Thank you!
>Similarly, the most preferred sigalgs are ML-DSA-65, ML-DSA-87, and
>ML-DSA-44. Of course these don't take effect unless the server is
>actually configured with a key+cert of that type.
How does negotiation of ML-DSA work in TLS? I thought there was no code points
registered in the TLS SignatureScheme registry yet?
Cheers,
John
From: Viktor Dukhovni <ietf-d...@dukhovni.org>
Date: Friday, 7 March 2025 at 05:05
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: ML-KEM IANA and draft-connolly-tls-mlkem-key-agreement
codepoint and inconsistencies
On Thu, Mar 06, 2025 at 09:01:13PM +0100, Bas Westerbaan wrote:
> This is indeed fantastic—congratulations!
>
> Will X25519MLKEM768 be enabled by default?
Yes, not only enabled, but preferred, with servers sending an HRR when a
client reports support for X25519MLKEM768, but does not send a
corresponding keyshare.
Similarly, the most preferred sigalgs are ML-DSA-65, ML-DSA-87, and
ML-DSA-44. Of course these don't take effect unless the server is
actually configured with a key+cert of that type.
$ posttls-finger -Lsummary -c dukhovni.org
posttls-finger: Verified TLS connection established
to mx1.imrryr.org[144.6.86.210]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519MLKEM768
server-signature ML-DSA-65 (raw public key)
--
Viktor.
$ openssl s_server -accept [::1]:12345 -cert ./apps/server.pem -naccept 1
-groups x25519mlkem768/x25519 -trace
[ ... Client runs: openssl s_client -connect [::1]:12345 -groups
x25519:X25519MLKEM768 -brief ... ]
Received TLS Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 287
ClientHello, Length=283
...
extensions, length = 150
...
extension_type=supported_groups(10), length=6
ecdh_x25519 (29)
X25519MLKEM768 (4588)
...
extension_type=key_share(51), length=38
NamedGroup: ecdh_x25519 (29)
key_exchange: (len=32): ...
Sent TLS Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 88
ServerHello, Length=84
server_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0xCF21AD74
random_bytes (len=28): ...
session_id (len=32): ...
cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
compression_method: No Compression (0x00)
extensions, length = 12
extension_type=supported_versions(43), length=2
TLS 1.3 (772)
extension_type=key_share(51), length=2
NamedGroup: X25519MLKEM768 (4588)
Sent TLS Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ChangeCipherSpec (20)
Length = 1
change_cipher_spec (1)
Received TLS Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ChangeCipherSpec (20)
Length = 1
change_cipher_spec (1)
Received TLS Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 1471
ClientHello, Length=1467
client_version=0x303 (TLS 1.2)
...
extensions, length = 1334
...
extension_type=supported_groups(10), length=6
ecdh_x25519 (29)
X25519MLKEM768 (4588)
...
extension_type=key_share(51), length=1222
NamedGroup: X25519MLKEM768 (4588)
key_exchange: (len=1216): ...
...
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
