[Backport 7.63.x] [AGENTRUN-162] Disable X25519Kyber768Draft00 in the…

… agent (#34503) Co-authored-by: Pierre Gimalac <[email protected]>
DataDog · Feb 27, 2025 · d0481fd · d0481fd
1 parent e908c4d
commit d0481fd
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -2,6 +2,14 @@ module github.com/DataDog/datadog-agent
 
 go 1.23.0
 
+toolchain go1.23.5
+
+// Disable experimental post-quantum key exchange mechanism X25519Kyber768Draft00
+// This was causing errors with AWS Network Firewall
+// See https://github.com/DataDog/datadog-agent/issues/34323 for details.
+// This will be revisited once we update to 1.24.x
+godebug tlskyber=0
+
 // v0.8.0 was tagged long ago, and appared on pkg.go.dev.  We do not want any tagged version
 // to appear there.  The trick to accomplish this is to make a new version (in this case v0.9.0)
 // that retracts itself and the previous version.

diff --git a/releasenotes/notes/fix-kyber-firewall-1d38f83a241208f7.yaml b/releasenotes/notes/fix-kyber-firewall-1d38f83a241208f7.yaml
@@ -0,0 +1,12 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+fixes:
+  - |
+    Disable the X25519Kyber768Draft00 key exchange mechanism to avoid issues with
+    firewalls not supporting it, in particular AWS Network Firewall.