Hello, I’m trying to get an example TLS server using PQC from this Medium article - Go Developers, Get Ready for Quantum-Safe TLS | by Gil Adda | CyberArk Engineering | Jul, 2024 | Medium
Connecting with Chrome or curl to the server below, I was hoping to see the log mention x25519Kyber768Draft00, but it just shows:
2024/09/02 09:06:34 TLS cipher suite: TLS_AES_128_GCM_SHA256, TLS 1.3
What am I doing wrong?
package main
import (
"crypto/tls"
"io"
"log"
"net/http"
)
// helloHandler replies with a fixed greeting and, when the request arrived
// over TLS, logs the negotiated cipher suite and protocol version.
//
// In TLS 1.3 the cipher suite names only the AEAD and hash. The key-exchange
// group (classical or hybrid post-quantum) is negotiated separately, so this
// log line cannot show whether a group such as x25519Kyber768Draft00 was used.
func helloHandler(w http.ResponseWriter, r *http.Request) {
	if state := r.TLS; state != nil {
		log.Printf(
			"TLS cipher suite: %s, %s",
			tls.CipherSuiteName(state.CipherSuite),
			tls.VersionName(state.Version),
		)
	}

	// The write result is discarded: there is nothing useful to do in this
	// handler if the response cannot be delivered.
	_, _ = io.WriteString(w, "Hello, world!\n")
}
// main serves helloHandler at /hello over HTTPS on port 8443 and accepts
// TLS 1.3 only.
//
// CurvePreferences is left unset, so crypto/tls applies its own default
// key-exchange groups; whether a hybrid post-quantum group is among them
// depends on the Go toolchain and on what the client offers.
//
// NOTE(review): this is an experiment server. ":8443" listens on every
// interface, no ReadHeaderTimeout/ReadTimeout/WriteTimeout/IdleTimeout is set
// (slow clients can hold connections open indefinitely), and cert.pem/key.pem
// are read from the working directory. Bind to a loopback address and set the
// timeouts before exposing it beyond a test machine.
func main() {
	http.Handle("/hello", http.HandlerFunc(helloHandler))

	srv := &http.Server{
		Addr: ":8443",
		TLSConfig: &tls.Config{
			// Pin both ends of the range so nothing below TLS 1.3 is negotiated.
			MinVersion: tls.VersionTLS13,
			MaxVersion: tls.VersionTLS13,
		},
	}

	// ListenAndServeTLS only returns on failure, so this always ends in Fatal.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
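Oh, actually, looking in a debugger I can see the curve ID is x25519Kyber768Draft00. Cool! Sorry for the noise. (The TLS 1.3 cipher suite name only covers the AEAD and hash; the key-exchange group is negotiated separately, so it never appears in that log line.)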
Updated code to access that private field:
package main
import (
"crypto/tls"
"io"
"log"
"net/http"
"reflect"
"unsafe"
)
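// curveID returns the name of the key-exchange group recorded in conn, or
// "???" when it cannot be determined (nil conn, or no suitable field in this
// toolchain's tls.ConnectionState).
//
// It first looks for an exported CurveID field and only falls back to the
// unexported testingOnlyCurveID field, which it reads through reflect+unsafe.
//
// NOTE(review): the fallback depends on a private, test-only field of
// crypto/tls. It can be renamed or removed in any Go release and bypasses the
// package's export rules, so treat this as a diagnostic aid for experiments,
// not something to base production decisions on. Newer Go releases (1.25 and
// later) expose ConnectionState.CurveID publicly; confirm against your
// toolchain and prefer reading that field directly.
func curveID(conn *tls.ConnectionState) string {
	const unknown = "???"

	// Elem() on a nil pointer would panic inside the request handler.
	if conn == nil {
		return unknown
	}
	state := reflect.ValueOf(conn).Elem()

	// Exported field, when present: readable without unsafe.
	if f := state.FieldByName("CurveID"); f.IsValid() && f.CanInterface() {
		if id, ok := f.Interface().(tls.CurveID); ok {
			return id.String()
		}
	}

	f := state.FieldByName("testingOnlyCurveID")
	if !f.IsValid() || !f.CanAddr() {
		return unknown
	}

	// reflect refuses Interface() on unexported fields, so rebuild a Value of
	// the same type at the field's address. This is a read-only view.
	f = reflect.NewAt(f.Type(), unsafe.Pointer(f.UnsafeAddr())).Elem()

	// Checked assertion: if the field's type ever changes, report unknown
	// instead of panicking.
	id, ok := f.Interface().(tls.CurveID)
	if !ok {
		return unknown
	}
	return id.String()
}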
// helloHandler replies with a fixed greeting and, when the request arrived
// over TLS, logs the negotiated cipher suite, protocol version and the
// key-exchange group name reported by curveID.
//
// The group is logged separately because a TLS 1.3 cipher suite names only
// the AEAD and hash, not the key exchange.
func helloHandler(w http.ResponseWriter, r *http.Request) {
	if state := r.TLS; state != nil {
		suite := tls.CipherSuiteName(state.CipherSuite)
		version := tls.VersionName(state.Version)
		group := curveID(state)
		log.Printf("TLS cipher suite: %s, %s, %s", suite, version, group)
	}

	// The write result is discarded: there is nothing useful to do in this
	// handler if the response cannot be delivered.
	_, _ = io.WriteString(w, "Hello, world!\n")
}
// main serves helloHandler at /hello over HTTPS on port 8443 and accepts
// TLS 1.3 only.
//
// CurvePreferences is left unset, so crypto/tls applies its own default
// key-exchange groups; whether a hybrid post-quantum group is among them
// depends on the Go toolchain and on what the client offers.
//
// NOTE(review): this is an experiment server. ":8443" listens on every
// interface, no ReadHeaderTimeout/ReadTimeout/WriteTimeout/IdleTimeout is set
// (slow clients can hold connections open indefinitely), and cert.pem/key.pem
// are read from the working directory. Bind to a loopback address and set the
// timeouts before exposing it beyond a test machine.
func main() {
	// Registers on the default mux, which the server below uses because its
	// Handler field is left nil.
	http.Handle("/hello", http.HandlerFunc(helloHandler))

	tlsOnly13 := &tls.Config{
		MinVersion: tls.VersionTLS13,
		MaxVersion: tls.VersionTLS13,
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: tlsOnly13}

	// ListenAndServeTLS only returns on failure, so this always ends in Fatal.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}