caption: CECPQ2 post-quantum key-agreement enabled for TLS
deprecated: true
default: true
desc: |-
This policy was removed in M114. It served to disable CECPQ2, but CECPQ2 has been disabled by default. A separate policy will be introduced to control the rollout of the replacement of CECPQ2. That replacement will be a combination of the standard key-agreement X25519 with NIST's chosen post-quantum KEM, called "Kyber".
If this policy is not configured, or is set to enabled, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will follow the default rollout process for CECPQ2, a post-quantum key-agreement algorithm in TLS.
CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. This policy can be set to False to disable CECPQ2 while networking issues are resolved.
This policy is a temporary measure and will be removed in future versions of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
example_value: true
features:
dynamic_refresh: true
per_profile: false
items:
- caption: Enable default CECPQ2 rollout process
value: true
- caption: Disable CECPQ2
value: false
owners:
- file://crypto/OWNERS
schema:
type: boolean
supported_on:
- chrome.*:91-113
- chrome_os:91-113
- android:91-113
tags:
- system-security
type: main
Codebase Browser
chromium