caddytls: Support post-quantum key exchange mechanism X25519MLKEM768

Also bump minimum Go version to 1.24.

go.mod

@@ -1,8 +1,6 @@
 module github.com/caddyserver/caddy/v2
 
-go 1.22.3
+go 1.24
-
-toolchain go1.23.0
 
 require (
 	github.com/BurntSushi/toml v1.4.0

modules/caddytls/connpolicy.go

@@ -884,19 +884,17 @@ func setDefaultTLSParams(cfg *tls.Config) {
 	cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
 
 	if len(cfg.CurvePreferences) == 0 {
-		// We would want to write
+		cfg.CurvePreferences = defaultCurves
-		//
-		//	cfg.CurvePreferences = defaultCurves
-		//
-		// but that would disable the post-quantum key agreement X25519Kyber768
-		// supported in Go 1.23, for which the CurveID is not exported.
-		// Instead, we'll set CurvePreferences to nil, which will enable PQC.
-		// See https://github.com/caddyserver/caddy/issues/6540
-		cfg.CurvePreferences = nil
 	}
 
 	if cfg.MinVersion == 0 {
-		cfg.MinVersion = tls.VersionTLS12
+		// crypto/tls docs:
+		// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
+		if cfg.EncryptedClientHelloKeys == nil {
+			cfg.MinVersion = tls.VersionTLS12
+		} else {
+			cfg.MinVersion = tls.VersionTLS13
+		}
 	}
 	if cfg.MaxVersion == 0 {
 		cfg.MaxVersion = tls.VersionTLS13

modules/caddytls/values.go

@@ -81,13 +81,15 @@ func getOptimalDefaultCipherSuites() []uint16 {
 	return defaultCipherSuitesWithoutAESNI
 }
 
-// SupportedCurves is the unordered map of supported curves.
+// SupportedCurves is the unordered map of supported curves
+// or key exchange mechanisms ("curves" traditionally).
 // https://golang.org/pkg/crypto/tls/#CurveID
 var SupportedCurves = map[string]tls.CurveID{
-	"x25519":    tls.X25519,
+	"X25519mlkem768": tls.X25519MLKEM768,
-	"secp256r1": tls.CurveP256,
+	"x25519":         tls.X25519,
-	"secp384r1": tls.CurveP384,
+	"secp256r1":      tls.CurveP256,
-	"secp521r1": tls.CurveP521,
+	"secp384r1":      tls.CurveP384,
+	"secp521r1":      tls.CurveP521,
 }
 
 // supportedCertKeyTypes is all the key types that are supported
@@ -100,20 +102,16 @@ var supportedCertKeyTypes = map[string]certmagic.KeyType{
 	"ed25519": certmagic.ED25519,
 }
 
-// defaultCurves is the list of only the curves we want to use
+// defaultCurves is the list of only the curves or key exchange
-// by default, in descending order of preference.
+// mechanisms we want to use by default. The order is irrelevant.
 //
-// This list should only include curves which are fast by design
+// This list should only include mechanisms which are fast by
-// (e.g. X25519) and those for which an optimized assembly
+// design (e.g. X25519) and those for which an optimized assembly
 // implementation exists (e.g. P256). The latter ones can be
 // found here:
 // https://github.com/golang/go/tree/master/src/crypto/elliptic
-//
-// Temporily we ignore these default, to take advantage of X25519Kyber768
-// in Go's defaults (X25519Kyber768, X25519, P-256, P-384, P-521), which
-// isn't exported. See https://github.com/caddyserver/caddy/issues/6540
-// nolint:unused
 var defaultCurves = []tls.CurveID{
+	tls.X25519MLKEM768,
 	tls.X25519,
 	tls.CurveP256,
 }