tls: Rename TLS groups preferences flag#151
[APPROVALNOTIFIER] This PR is NOT APPROVED. Needs approval from an approver in each of these files.
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request updates the naming convention for the TLS configuration flag responsible for key-exchange algorithm groups. By shifting from 'curve' to 'group' terminology, the codebase now more accurately reflects the broader support for non-elliptic curve groups introduced in newer TLS versions, ensuring consistency with current industry standards and Go's cryptographic library.
Code Review
This pull request renames TLS curve preference variables and the CLI flag to use 'group' terminology, aligning with modern TLS standards and adding support for the X25519MLKEM768 group. Feedback suggests maintaining backward compatibility by keeping the old flag as a deprecated alias and further updating internal helper functions and error messages to use 'group' instead of 'curve' for consistency.
| flag.StringVar(&tlsGroupPreferencesRaw, "tls-group-preferences", "", | ||
| `Comma-separated list of TLS group preference names. | ||
| Supported values are tls package constants names (e.g. X25519MLKEM768, CurveP256) |
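Review bot: the help string's "Supported values are tls package constants names" should read "constant names"; since the flag is now called "tls-group-preferences", the help text would also be clearer if it stated that the list is ordered by preference (first entry most preferred), so users know the order matters.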
This is safe because we are still in the middle of a development cycle; this is not expected to be used by anyone.
Let's see what the maintainers think.
@gemini-code-assist this is safe. We can break this unreleased API - if we move now.
Understood. Since this is an unreleased API and the change is intentional for better alignment with TLS terminology, proceeding without a deprecated alias is acceptable in this context.
The flag 'tls-curve-preferences' controls which key-exchange algorithm group to use for a TLS session. Its name follows the legacy 'curves' terminology. Initially the TLS parameter for the key-exchange algorithm groups used to support elliptic curves only; a specific group of algorithms. In newer versions (1.3) it was extended to support other groups (non-elliptic curve) [1] [2]. Although Go crypto uses the same field for non-elliptic curve groups [3]. Rename the flag and related components to follow the correct TLS terminology. [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 (see "Renamed from" note) [2] https://www.rfc-editor.org/rfc/rfc8446.html#section-4.2.7 [3] https://pkg.go.dev/crypto/tls@go1.25.9#CurveID Signed-off-by: Or Mergi <ormergi@redhat.com>
@qinqon could you please have a look?
What this PR does / why we need it:
The flag 'tls-curve-preferences' controls which key-exchange algorithm group
to use for a TLS session. Its name follows the legacy 'curves' terminology.
Initially the TLS parameter for the key-exchange algorithm groups used to
support elliptic curves only; a specific group of algorithms.
In newer versions (1.3) it was extended to support other groups
(non-elliptic curve) [1] [2].
Although Go crypto uses the same field for non-elliptic curve groups [3].
Rename the flag to follow the correct TLS terminology.
[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 (see "Renamed from" note)
[2] https://www.rfc-editor.org/rfc/rfc8446.html#section-4.2.7
[3] https://pkg.go.dev/crypto/tls@go1.25.9#CurveID
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #
Special notes for your reviewer:
Release note:
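To make the point of the rename concrete, here is an added example (not code from this PR or the project) of how a comma-separated `tls-group-preferences` value such as `X25519MLKEM768, CurveP256` can be parsed into the `tls.Config.CurvePreferences` slice that, despite its name, carries non-curve groups too. The function names `ParseTLSGroupPreferences`, `NewTLSConfig`, `SupportedGroupNames` and the `groupsByName` table are this example's own assumptions; the codepoint `0x11EC` for X25519MLKEM768 is taken from the IANA "Supported Groups" registry the commit message cites, so the file compiles on Go versions that predate the `tls.X25519MLKEM768` constant. The example rejects unknown and duplicate names rather than silently dropping them, since a misspelled group in a preference list would otherwise weaken or change the key exchange without any error.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// groupsByName maps crypto/tls constant names to the CurveID values that
// tls.Config.CurvePreferences accepts. This table is the example's own and is
// deliberately short. X25519MLKEM768 is written as its IANA codepoint (0x11EC)
// so the file also builds on Go releases older than 1.24; on Go 1.24+ the
// value is identical to tls.X25519MLKEM768. It is a hybrid KEM, not a curve,
// which is exactly why the flag is now called a "group" preference.
var groupsByName = map[string]tls.CurveID{
	"X25519MLKEM768": tls.CurveID(0x11EC),
	"X25519":         tls.X25519,
	"CurveP256":      tls.CurveP256,
	"CurveP384":      tls.CurveP384,
	"CurveP521":      tls.CurveP521,
}

// SupportedGroupNames returns the accepted names in a stable (sorted) order,
// suitable for help text and error messages.
func SupportedGroupNames() []string {
	names := make([]string, 0, len(groupsByName))
	for n := range groupsByName {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// ParseTLSGroupPreferences turns "X25519MLKEM768, CurveP256" into the ordered
// slice for tls.Config.CurvePreferences (first entry is most preferred).
// An empty string yields nil, which keeps crypto/tls's built-in defaults.
// Unknown and duplicate names are errors so that a typo cannot silently
// change the negotiated key exchange.
func ParseTLSGroupPreferences(raw string) ([]tls.CurveID, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, nil
	}
	var prefs []tls.CurveID
	seen := make(map[tls.CurveID]bool)
	for _, field := range strings.Split(raw, ",") {
		name := strings.TrimSpace(field)
		if name == "" {
			return nil, fmt.Errorf("empty TLS group name in %q", raw)
		}
		id, ok := groupsByName[name]
		if !ok {
			return nil, fmt.Errorf("unknown TLS group %q; supported values: %s",
				name, strings.Join(SupportedGroupNames(), ", "))
		}
		if seen[id] {
			return nil, fmt.Errorf("duplicate TLS group %q", name)
		}
		seen[id] = true
		prefs = append(prefs, id)
	}
	return prefs, nil
}

// NewTLSConfig builds a minimal tls.Config from the raw flag value. The
// CurvePreferences field is the one Go uses for all key-exchange groups,
// elliptic-curve or not.
func NewTLSConfig(rawPrefs string) (*tls.Config, error) {
	prefs, err := ParseTLSGroupPreferences(rawPrefs)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: prefs, // nil keeps the crypto/tls defaults
	}, nil
}

func main() {
	// Constructed sample flag values, as a user might pass on the command line.
	for _, raw := range []string{"X25519MLKEM768, CurveP256", "secp256r1", ""} {
		cfg, err := NewTLSConfig(raw)
		if err != nil {
			fmt.Printf("%-28q -> error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-28q -> CurvePreferences=%v\n", raw, cfg.CurvePreferences)
	}
}
```

The parser keeps the user's order because `CurvePreferences` is an ordered preference list; reordering or deduplicating silently would change which group a peer ends up negotiating.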