Your message dated Sun, 07 Dec 2025 00:06:25 +0100
with message-id <[email protected]>
and subject line Re: Bug#1121988: strongswan: Please enable the ML-KEM plugin
has caused the Debian Bug report #1121988,
regarding strongswan: Please enable the ML-KEM plugin
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121988
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: strongswan
Version: 6.0.1-6+deb13u2
Severity: wishlist
X-Debbugs-Cc: [email protected]
Dear Maintainer,
commencing upstream version 6.0, strongSwan comes with support for
intermediary key exchange in IKE handshakes, as well as a plugin for the
ML-KEM PQC algorithm, named "ml".
Enabling this plugin is possible by adding the "--enable-ml" option to
./configure. According to the upstream documentation, strongSwan's
OpenSSL plugin does not support ML-KEM (yet), even if the OpenSSL
library present would do so.
Therefore, it is currently not possible to establish IPsec connections
with a post-quantum key exchange on Debian systems using packaged
strongSwan.
If possible, it would be great to have the "ml" strongSwan plugin be
available as well, so existing IPsec setups can be migrated towards
PQC-resistant faster, without incurring the delay of strongSwan's
OpenSSL plugin adding support for ML-KEM.
Thank you for your time and efforts!
Best regards,
Tobias
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages strongswan depends on:
ii strongswan-charon 6.0.1-6+deb13u2
ii strongswan-starter 6.0.1-6+deb13u2
strongswan recommends no packages.
strongswan suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Version: 6.0.2-1
On Fri, 2025-12-05 at 17:28 +0100, Tobias Brunner wrote:
> Hi Tobias,
>
> > According to the upstream documentation, strongSwan's
> > OpenSSL plugin does not support ML-KEM (yet), even if the OpenSSL
> > library present would do so.
>
> Which documentation are you referring to? The plugin supports ML-KEM
> via OpenSSL 3.5+ since 6.0.2. Obviously, doesn't help if you use Debian
> stable as that ships 6.0.1, but it's definitely supported upstream and
> in Debian testing.
I'm closing the bug with the 6.0.2 version then.
- --
Yves-Alexis
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmk0tvEACgkQ3rYcyPpX
RFv4Xgf8DCoKM0e1JQwtBUuRSBz9R4yEbwvrUS+q9rAbtLuuv6T+SfEixgaFD8Qc
CBf0085mF9AtecLzzFEEaPBt6XimCNPJaUng+lFs2uAauq/Xm69kGtzUItcTs3MQ
pchjfTe9YbKrwirQRF+YEOwJ/d0Fh1Lft37kdVQQyqXMSQQsxVRfYo2ghPj8POzN
D4yfDcsq8Bhogu5X+Fowi5ROiTMB+bjpIRbVNAN3cC7w7PVHTv0OidSDVHlkl/KM
najSXMmC4qVA8F0vn5ItbbUZO2fgLAkRo83I1O2XKMHNFTjON604TnHma1JdvDIn
+nZGudMQLfLeql/DLU+h/O4nhN9VqA==
=mdvC
-----END PGP SIGNATURE-----
--- End Message ---
