fix: add vulnerability suppressions for CVE-2026-2673 in libcrypto3 and libssl3 with justification and review timeline

.trivyignore

@@ -14,3 +14,13 @@ CVE-2026-25793
 # Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14
 # See also: .grype.yaml for full justification
 CVE-2026-22184
+
+# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3)
+# Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image
+# No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
+# When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group.
+# Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
+# Review by: 2026-04-18
+# See also: .grype.yaml for full justification
+# exp: 2026-04-18
+CVE-2026-2673