
Go 1.23: Additional key exchange mechanism X25519Kyber768Draft00 causes AWS Network Firewall to drop packets #4582

Open
flostadler opened this issue Sep 30, 2024 · 2 comments
kind/engineering Work that is not visible to an external user

Comments

flostadler (Contributor) commented Sep 30, 2024

The AWS Provider was upgraded to Go 1.23 in v6.51.0, which introduced a minor change to the crypto/tls standard library package:

The experimental post-quantum key exchange mechanism X25519Kyber768Draft00 is now enabled by default when Config.CurvePreferences is nil. The default can be reverted by adding tlskyber=0 to the GODEBUG environment variable.

This experimental key exchange mechanism seems to trip up the AWS firewall.

The upstream provider was affected by this same problem. They fixed it by disabling this experimental key exchange mechanism.

We should do the same on our end as a short-term workaround.
The upstream maintainers are already in touch with AWS for a long-term fix.
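The change described above comes down to one field: Go 1.23 only adds X25519Kyber768Draft00 to the ClientHello when `Config.CurvePreferences` is nil, so pinning an explicit list of classic groups (or, per the release note quoted above, setting `GODEBUG=tlskyber=0`) keeps the hybrid group off the wire. The following is an added illustration of the config-level approach, not the provider's own change in #4583; the helper names `WithoutHybridKEM`, `HybridKEMDisabled` and `NewHTTPClient` are assumptions for this example, while `tls.X25519`, `tls.CurveP256`, `tls.CurveP384` and `tls.CurveP521` are the standard library's exported curve IDs.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// classicCurves is the explicit key-exchange list used as the workaround:
// X25519 plus the NIST curves, nothing else. Because the slice is non-nil,
// Go 1.23's crypto/tls does not add X25519Kyber768Draft00 on its own
// (it only does that when CurvePreferences is nil).
var classicCurves = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}

// WithoutHybridKEM (assumed helper name) returns a copy of base whose
// CurvePreferences is pinned to classicCurves. A nil base yields a fresh config.
func WithoutHybridKEM(base *tls.Config) *tls.Config {
	var cfg *tls.Config
	if base == nil {
		cfg = &tls.Config{}
	} else {
		cfg = base.Clone()
	}
	// Copy the slice so callers cannot mutate the shared default.
	cfg.CurvePreferences = append([]tls.CurveID(nil), classicCurves...)
	return cfg
}

// HybridKEMDisabled (assumed helper name) reports whether cfg will not offer
// the post-quantum hybrid group: CurvePreferences must be non-nil and contain
// only classic curve IDs. A nil slice means "use Go's default", which in
// Go 1.23 includes X25519Kyber768Draft00, so it is reported as not disabled.
func HybridKEMDisabled(cfg *tls.Config) bool {
	if cfg == nil || cfg.CurvePreferences == nil {
		return false
	}
	for _, id := range cfg.CurvePreferences {
		switch id {
		case tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521:
			// classic group, fine
		default:
			return false
		}
	}
	return true
}

// NewHTTPClient (assumed helper name) wires the pinned config into an
// http.Transport, which is where an SDK's HTTP client would pick it up.
func NewHTTPClient() *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = WithoutHybridKEM(tr.TLSClientConfig)
	return &http.Client{Transport: tr}
}

func main() {
	fmt.Println("zero-value config disables hybrid KEM:", HybridKEMDisabled(&tls.Config{}))
	fmt.Println("pinned config disables hybrid KEM:", HybridKEMDisabled(WithoutHybridKEM(nil)))
}
```

`HybridKEMDisabled` inspects only the configuration; to confirm what actually goes on the wire, capture the ClientHello and check the supported_groups extension, which is also how the firewall-side symptom would be diagnosed.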

@flostadler flostadler added the kind/bug Some behavior is incorrect or out of spec label Sep 30, 2024
@flostadler flostadler self-assigned this Sep 30, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Sep 30, 2024
flostadler (Contributor, Author) commented Sep 30, 2024

Causes #4573

@flostadler flostadler removed the needs-triage Needs attention from the triage team label Sep 30, 2024
flostadler added a commit that referenced this issue Sep 30, 2024
…768Draft00` (#4583)

The AWS Provider was upgraded to Go 1.23 in v6.51.0, which introduced a change to the crypto/tls standard library package. It enabled the post-quantum key exchange mechanism `X25519Kyber768Draft00` by default. This experimental key exchange mechanism is causing errors in the AWS firewall. As a short-term workaround this change disables the experimental key exchange mechanism.

Upstream maintainers and AWS are in touch to work on a long-term fix.

Fixes #4573
Relates to #4582
flostadler (Contributor, Author) commented Sep 30, 2024

This is now fixed in https://github.com/pulumi/pulumi-aws/releases/tag/v6.54.1. I'm gonna keep the issue open to keep an eye on a possible long term fix that upstream is working on with AWS.

@flostadler flostadler added kind/engineering Work that is not visible to an external user and removed kind/bug Some behavior is incorrect or out of spec labels Sep 30, 2024