Bug 294305 - security/strongswan: enable ML plugin to allow Post-Quantum Key Exchange Methods
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://docs.strongswan.org/docs/late...
Keywords:
Depends on:
Blocks:
 
Reported: 2026-04-07 15:31 UTC by Mike Bressem
Modified: 2026-04-08 15:51 UTC
CC List: 2 users

See Also:
bugzilla: maintainer-feedback? (strongswan)


Attachments
Enable ML Plugin (141 bytes, patch)
2026-04-08 07:08 UTC, Mike Bressem

Description Mike Bressem 2026-04-07 15:31:22 UTC
To use PQC key exchange methods please enable the ML plugin by default.

Please see also CSNA 2.0 which superseded Suite-B cryptographic suite.

Kind regards
Mike
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-07 17:24:07 UTC
> To use PQC key exchange methods please enable the ML plugin by default.
Waiting for maintainer approval or the 2-week timeout.

> Please see also CSNA 2.0 which superseded Suite-B cryptographic suite.
Can you provide a patch?
Comment 2 Mike Bressem 2026-04-08 07:08:52 UTC
Created attachment 269484
Enable ML Plugin

I hope this is sufficient...
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-08 14:39:55 UTC
(In reply to Mike Bressem from comment #2)
I requested a patch for "CSNA 2.0 which superseded Suite-B cryptographic suite".
Patch for ML is obvious. :-D
Comment 4 Mike Bressem 2026-04-08 15:51:25 UTC
I had a little typo here. It's CNSA 2.0 (not CSNA).

Currently ML-DSA (used for Digital Signatures) is a draft in strongswan (ETA Version 6.1.0 or later). So CNSA 2.0 cannot be fully supported yet.

https://linux-ipsec.org/slides/2025/steffen-pqc-auth-for-ikev2.pdf

But most firewalls (Palo Alto / Fortigate) already support ML-KEM Key Exchange in addition to standard proposals. E.g. aes128gcm16-ecp256-ke1_mlkem512

For now, no other patch needed except enabling the ML plugin ;)