westurner
6 hours ago
How to configure optional or only mlkem768 with openssl.cnf and oqsprovider?
OPENSSL_CONF=/path/to/your/openssl.cnf
Still working on rebasing this branch of mozilla/ssl-config-generator at copilot/add-pq-ciphers-support onto tlsref/: https://github.com/westurner/ssl-config-generator/tree/copil...I added a table of tools and which versions support PQ ciphers.
I had working before this merge: full test coverage, a table of versions with PQ support, e2e tests to screenshot the table working, and MLKEM768 but there's not yet a PQ revision to the TLSref guideline.
LetsEncrypt is working on having PQ Merkle Tree Certificates (MTC) ready this fall early next year:
"A Post-Quantum Future for Let's Encrypt - Let's Encrypt" (2026) https://letsencrypt.org/2026/06/03/pq-certs
"Google’s timeline for PQC migration" ; 2029 https://blog.google/innovation-and-ai/technology/safety-secu...
"Cloudflare targets 2029 for full post-quantum security" https://blog.cloudflare.com/post-quantum-roadmap/
ameliaquining
an hour ago
The blog post is actually a bit imprecise; when it says "almost every Python program that touches cryptography goes through pyca/cryptography", that's only true if you don't count TLS. TLS in Python is usually done through the standard library's ssl module, which is mostly just a wrapper around OpenSSL. So that's basically an entirely separate workstream that doesn't really have anything to do with this post.
westurner
an hour ago
Brand new PQ in pyca is cool too.
When you make an https request in Python, which library does it use for the TLS TCP socket wrapper?
OpenSSL.
The TLS PEP was never accepted or implemented.
There's a rustls PQ issue.
Only certain things in Python use pyca/cryptography.