Thursday, September 11, 2025
Playing with Apache httpd and PQC
At the time of writing, browsers such as Firefox and Google Chrome only support PQC for the key exchange; curl, when compiled against OpenSSL 3.5.x, supports both the PQC key exchange and a PQC certificate/key.
Following my previous post, create an RSA key/cert pair for the browsers.
Then create an ML-DSA-65 key/cert pair for the curl tests:
openssl req \
-x509 \
-newkey mldsa65 \
-keyout localhost-mldsa-65.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost-mldsa-65.crt
Configure httpd.conf (httpd 2.4.8 and later accept several certificate/key pairs in one virtual host and pick the one matching the signature algorithms the client offers):
Listen 4433
<VirtualHost *:4433>
SSLEngine on
# RSA cert/key, used by browsers and by non-PQC clients
SSLCertificateFile localhost.crt
SSLCertificateKeyFile localhost.key
# PQC cert/key, used by clients that advertise ML-DSA
SSLCertificateFile localhost-mldsa-65.crt
SSLCertificateKeyFile localhost-mldsa-65.key
</VirtualHost>
Start Apache httpd.
Test with Firefox: accept the self-signed certificate and you will get the "It works!" page.
Test with curl (-k skips verification of the self-signed certificate, so the handshake line shows which algorithms were negotiated, not that the certificate is trusted):
curl -k -v https://localhost:4433/
You get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
Now use a curl that doesn't support PQC (for example one compiled against OpenSSL 3.2.x):
curl -k -v https://localhost:4433/
You get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
You can also tell a PQC-capable curl to use X25519 for the key exchange and to ask for the RSA key/cert:
curl -k -v --curves X25519 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
Or keep X25519MLKEM768 for the key exchange while still asking for the RSA key/cert:
curl -k -v --curves X25519MLKEM768 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
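To turn the manual inspection above into a repeatable check, here is an added example script (not from the original post) that parses the "SSL connection using" line curl prints and reports whether the key exchange and the server's certificate signature were post-quantum. The probe function runs a live curl against a URL you supply; the sample lines at the bottom are constructed from the two outputs shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the line that
# "curl -v" prints for a TLS 1.3 handshake and report whether the key
# exchange and the server's certificate signature were post-quantum.

# parse_handshake_line LINE -> "<tls-version> <cipher> <group> <sigalg>"
parse_handshake_line() {
    printf '%s\n' "$1" | sed -e 's/^\* SSL connection using //' -e 's# / # #g'
}

# pqc_kex GROUP -> yes when the negotiated group is an ML-KEM hybrid
pqc_kex() {
    case "$1" in
        *MLKEM*|*mlkem*) echo yes ;;
        *)               echo no ;;
    esac
}

# pqc_auth SIGALG -> yes when the server authenticated with ML-DSA
pqc_auth() {
    case "$1" in
        id-ml-dsa-*|mldsa*|ML-DSA*) echo yes ;;
        *)                          echo no ;;
    esac
}

# classify LINE -> "kex=<group>:<yes|no> auth=<sigalg>:<yes|no>"
classify() {
    set -- $(parse_handshake_line "$1")
    echo "kex=$3:$(pqc_kex "$3") auth=$4:$(pqc_auth "$4")"
}

# probe URL [curl options...] -> classify a live handshake against URL.
# Uses -k because the post's certificates are self-signed.
probe() {
    url=$1; shift
    line=$(curl -sS -k -v "$@" -o /dev/null "$url" 2>&1 | grep 'SSL connection using') || line=""
    classify "$line"
}

# Constructed sample lines, copied from the two outputs shown in the post:
classify '* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65'
classify '* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS'
# Live check against the httpd from the post:
#   probe https://localhost:4433/ --curves X25519MLKEM768
```

Pass the same --curves and --sigalgs options used above to probe to confirm the server really falls back to the RSA certificate when the client does not offer ML-DSA.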