Enable post-quantum crypto key exchange mainly in Apache#559
Merged
Conversation
…to make sure it is possible. Rework cipher and curve selection in tlsserver module to use AUTO keyword by default with automatic selection of strongest supported values. Acknowledge that Python is not there yet regarding PQC support in the native ssl module or pyopenssl. In effect limit PQC to Apache and only include TODOs about extending support to Python later (3.15+). Minor polish to clarify and sync structure between ssl and pyopenssl hardened context helpers.
Martin-Rehr reviewed May 26, 2026
Added the follow-up tag for the python TLS service work and proceeding with the merge to get Apache support in.

Enable post-quantum crypto key exchange in Apache and prepare for the same in TLS network services once supported.
Based on Mozilla recommendations for Rocky 9 software stack as in
https://ssl-config.mozilla.org/#server=apache&version=2.4.62&config=modern&openssl=3.5.1&hsts&guideline=6.0
Can be tested e.g. with testssl.sh or Qualys SSL Labs which confirm it to work on Rocky 9 Apache. Python support for selecting PQC curves / KEMs is not in yet so our other TLS-based network services will have to wait until Python 3.15+. Preliminary work on that started in the adjust/grid-x-post-quantum-crypto-key-exchange branch but it won't be ready for production deployments anytime soon.
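The kind of mod_ssl configuration the description refers to, as an added illustration that is not the PR's or the project's own config: a TLS 1.3-only virtual host that advertises the hybrid post-quantum group X25519MLKEM768 first and classical ECDH groups after it. It assumes httpd 2.4 with mod_ssl linked against OpenSSL 3.5 or later (the first release with built-in ML-KEM), and the hostname and certificate paths are placeholders.

```apache
# Added example, not the project's configuration.
# Assumes mod_ssl built against OpenSSL >= 3.5 (ML-KEM support).
<VirtualHost *:443>
    # placeholder hostname
    ServerName www.example.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Hybrid PQC key exchange is a TLS 1.3 named group, so allow only TLS 1.3.
    SSLProtocol -all +TLSv1.3

    # Key-exchange groups, most preferred first. X25519MLKEM768 combines
    # X25519 with ML-KEM-768; the classical groups after it keep clients
    # without PQC support working (they simply never negotiate the hybrid).
    SSLOpenSSLConfCmd Curves X25519MLKEM768:X25519:secp256r1:secp384r1

    # Let the server's preference order decide.
    SSLHonorCipherOrder on
</VirtualHost>
```

Two practical checks: if the OpenSSL that mod_ssl links against does not know one of the group names, the `SSLOpenSSLConfCmd Curves` line is rejected at startup rather than silently ignored, so roll this out on a staging host first; and a client-side confirmation that the hybrid group was actually negotiated is `openssl s_client -connect host:443 -groups X25519MLKEM768`, run with an OpenSSL 3.5+ client, whose handshake summary reports the negotiated TLS 1.3 group.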