From 0d5616b7cc14104caf7e6cb58b98ba980c2aff4b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 27 Jan 2025 16:59:15 -0600 Subject: [PATCH 1/3] Add table --- .../policies/gateway/http-policies/tls-decryption.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 99024250c9deaa..6a29e8e9d30292 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -95,6 +95,13 @@ Websites that adhere to [ESNI or ECH standards](https://blog.cloudflare.com/encr You can still apply all [network policy filters](/cloudflare-one/policies/gateway/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header. +## Post-quantum support + +| Key Exchange Algorithm | Status | FIPS-compliant | Notes | +| ---------------------- | ---------------- | -------------- | --------------------------------------------- | +| X25519MLKEM768 | Supported | ❌ | Hybrid approach combining X25519 and MLKEM768 | +| X25519 | Standard support | ✅ | Widely used elliptic curve key exchange | + ## FIPS compliance By default, TLS decryption can use both TLS version 1.2 and 1.3. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2. FIPS compliance currently requires TLS version 1.2. From 95a55a6e5070155d755e880e3c2c5e09949c1e2c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 28 Jan 2025 16:28:26 -0600 Subject: [PATCH 2/3] Remove unnecessary cells --- .../policies/gateway/http-policies/tls-decryption.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 6a29e8e9d30292..790a771b534593 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -97,10 +97,10 @@ You can still apply all [network policy filters](/cloudflare-one/policies/gatewa ## Post-quantum support -| Key Exchange Algorithm | Status | FIPS-compliant | Notes | -| ---------------------- | ---------------- | -------------- | --------------------------------------------- | -| X25519MLKEM768 | Supported | ❌ | Hybrid approach combining X25519 and MLKEM768 | -| X25519 | Standard support | ✅ | Widely used elliptic curve key exchange | +| Key Exchange Algorithm | FIPS-compliant | +| ---------------------- | -------------- | +| X25519MLKEM768 | ❌ | +| X25519 | ✅ | ## FIPS compliance From 823eaf1c3b66aea71a5ab7517cd307d86f580319 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 14:32:07 -0600 Subject: [PATCH 3/3] Add PQ note --- .../policies/gateway/http-policies/tls-decryption.mdx | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 790a771b534593..559c9db42f1a56 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -97,10 +97,7 @@ You can still apply all [network policy filters](/cloudflare-one/policies/gatewa ## Post-quantum support -| Key Exchange Algorithm | FIPS-compliant | -| ---------------------- | -------------- | -| X25519MLKEM768 | ❌ | -| X25519 | ✅ | +Gateway supports post-quantum cryptography using a hybrid key exchange with X25519 and MLKEM768 over TLS 1.3. Once the key exchange is complete, Gateway uses AES-128-GCM to encrypt traffic. ## FIPS compliance