ROX-33133: Enable post-quantum crypto-policies for Collector#2977

Open
vladbologa wants to merge 1 commit into master from vb/enable-pqc

@vladbologa vladbologa commented Feb 25, 2026

Description

This change enables post-quantum key-exchange algorithms for OpenSSL. As Collector and Fact use the image crypto libraries and do not hardcode TLS settings, this should enable ML-KEM key exchanges for them.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

In the collector container:

sh-5.1# cat /etc/crypto-policies/config
DEFAULT:PQ
sh-5.1# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep Groups
Groups = *?X25519MLKEM768:?x25519_mlkem768:?SecP256r1MLKEM768:?p256_mlkem768:?SecP384r1MLKEM1024:?p384_mlkem1024/*X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

compared to latest master build:

sh-5.1# cat /etc/crypto-policies/config
DEFAULT
sh-5.1# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep Groups
Groups = *X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

Showing that it adds ML-KEM key exchange algorithm support to OpenSSL.

@vladbologa vladbologa requested review from a team and rhacs-bot as code owners February 25, 2026 19:30
@rhacs-bot rhacs-bot requested a review from a team February 25, 2026 19:30
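
The comparison in the PR description can be scripted so that an image build fails when the policy regresses. This is an added example, not part of the PR or the Collector repository; the function names and temp-file paths are assumptions, and the two sample files are constructed from the `Groups` lines quoted above.

```shell
#!/bin/sh
# Check an OpenSSL crypto-policies back-end file for ML-KEM hybrid groups.
# Group-list syntax: ":" separates groups, "/" separates tuples,
# a "*" prefix requests a key share, a "?" prefix ignores unknown names.

# groups_of FILE: print every entry of the Groups value, one per line.
groups_of() {
    sed -n 's/^[[:space:]]*Groups[[:space:]]*=[[:space:]]*//p' "$1" |
        tr '/:' '\n\n'
}

# pq_groups FILE: print the ML-KEM group names; return 1 if there are none.
pq_groups() {
    found=$(groups_of "$1" | sed 's/^[*?]*//' | grep -i 'mlkem' || true)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# first_keyshare FILE: print the first group carrying the "*" prefix.
first_keyshare() {
    groups_of "$1" | sed -n 's/^[?]*[*][?]*//p' | head -n 1
}

# Constructed sample files holding the two Groups lines from the PR text.
tmp=$(mktemp -d)
printf 'Groups = %s\n' \
  '*?X25519MLKEM768:?x25519_mlkem768:?SecP256r1MLKEM768:?p256_mlkem768:?SecP384r1MLKEM1024:?p384_mlkem1024/*X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192' \
  > "$tmp/pq.config"
printf 'Groups = %s\n' \
  '*X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192' \
  > "$tmp/default.config"

for f in "$tmp/pq.config" "$tmp/default.config"; do
    if pq_groups "$f" >/dev/null; then
        echo "$f: ML-KEM groups present, first key share: $(first_keyshare "$f")"
    else
        echo "$f: no ML-KEM groups, first key share: $(first_keyshare "$f")"
    fi
done
```

In a container, point the functions at `/etc/crypto-policies/back-ends/opensslcnf.config` instead of the sample files.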

codecov-commenter commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.38%. Comparing base (264019f) to head (29f3d16).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2977   +/-   ##
=======================================
  Coverage   27.38%   27.38%           
=======================================
  Files          95       95           
  Lines        5427     5427           
  Branches     2548     2548           
=======================================
  Hits         1486     1486           
  Misses       3214     3214           
  Partials      727      727           
Flag Coverage Δ
collector-unit-tests 27.38% <ø> (ø)


@vladbologa vladbologa force-pushed the vb/enable-pqc branch 2 times, most recently from 431f495 to fc02c85 Compare February 26, 2026 10:12

@tommartensen tommartensen left a comment

LGTM, pending @stackrox/collector-team approval
