Go 1.23: Additional key exchange mechanism X25519Kyber768Draft00 causes AWS Network Firewall to drop packets #39311
Warning: This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

This functionality has been released in v5.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
v5.65.0 of the Terraform AWS Provider upgraded to Go 1.23.0, which introduced a minor change to the `crypto/tls` standard library package:

This additional key exchange mechanism causes the length of the TLS ClientHello message to increase, as seen in these packet captures:

- [packet capture: v5.64.0, go1.22.6]
- [packet capture: v5.66.0, go1.23.0]

The increased message length leads to AWS Network Firewall blocking the message:

AWS Network Firewall drops the message (causing the TLS handshake to time out) because its stateful rule capability currently uses Suricata version 6.0.9, and this version of Suricata is known to drop TLS packets beyond a certain length.

v5.67.0 of the Terraform AWS Provider restored use of Go 1.22.6, but we need to have a solution to this problem.

Immediately, the `GODEBUG` environment variable can be set to `tlskyber=0`.

Longer-term, our HTTP client can be configured to use the Go 1.22 default key exchange mechanisms (see https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/crypto/tls/defaults.go).

An alternative approach is to use recent `go.mod` enhancements to set default `GODEBUG` values. See https://go.dev/doc/godebug#history, golang/go#65573.
Relates #38999.
Relates #39256.
Relates #39110.
Relates #39115.
Relates #39125.
Relates #39141.
Relates #39173.
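One way to implement the longer-term fix described above, pinning the HTTP client's key exchange groups to the Go 1.22 default list so the ClientHello no longer carries the hybrid X25519Kyber768Draft00 group. This is an added example, not the provider's own code; the helper names `go122CurvePreferences`, `newClient` and `offersHybridGroup` are assumptions, and the Go 1.22 list is taken from the `defaults.go` file the issue links to.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"
)

// go122CurvePreferences returns the key exchange groups that Go 1.22's
// crypto/tls offered by default (X25519 first, then the NIST curves).
// Go 1.23 prepends X25519Kyber768Draft00 to this list, and that extra
// group's large key share is what makes the ClientHello longer.
// Helper name is an assumption made for this example.
func go122CurvePreferences() []tls.CurveID {
	return []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}
}

// newClient builds an http.Client whose TLS configuration pins the Go 1.22
// curve list. Setting CurvePreferences explicitly overrides the runtime
// default, so the hybrid group is never advertised regardless of the Go
// version the binary is built with. Other settings stay at their defaults.
func newClient() *http.Client {
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion:       tls.VersionTLS12,
			CurvePreferences: go122CurvePreferences(),
		},
		TLSHandshakeTimeout: 10 * time.Second,
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
	}
}

// offersHybridGroup reports whether a TLS config would fall back to the
// runtime's default group list. A nil config or an empty CurvePreferences
// means "use the crypto/tls defaults", which on Go 1.23 includes
// X25519Kyber768Draft00 unless GODEBUG=tlskyber=0 is set.
func offersHybridGroup(cfg *tls.Config) bool {
	return cfg == nil || len(cfg.CurvePreferences) == 0
}

func main() {
	client := newClient()
	cfg := client.Transport.(*http.Transport).TLSClientConfig
	fmt.Printf("pinned %d key exchange groups; hybrid group offered: %v\n",
		len(cfg.CurvePreferences), offersHybridGroup(cfg))
	// A default http.Client has no TLSClientConfig at all, so it inherits
	// whatever the Go runtime offers by default.
	fmt.Printf("default client offers hybrid group: %v\n", offersHybridGroup(nil))
}
```

Pinning `CurvePreferences` is a per-client change and survives future Go upgrades, whereas `GODEBUG=tlskyber=0` (in the environment, or as a `godebug` line in `go.mod` per the link above) affects every TLS client in the process and depends on the runtime still honouring that setting. Either approach only hides the symptom; the underlying limit is in the Suricata 6.0.9 engine behind AWS Network Firewall, so a longer-term fix belongs on the firewall side.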