Skip to content

Port new PQC API and tests#6239

Merged
vietj merged 2 commits into
4.xfrom
pqc_new_api-4.x
Jul 9, 2026
Merged

Port new PQC API and tests#6239
vietj merged 2 commits into
4.xfrom
pqc_new_api-4.x

Conversation

@vietj

@vietj vietj commented Jul 9, 2026

Copy link
Copy Markdown
Member

The single useHybridKeyExchange is removed in favor of two properties:

  • key-exchange-groups: the user can specify which key exchange groups they want to use
  • pqc-enforcement-policy: the user can specify how PQC will be enforced by Vert.x. The policies are:
    • STRICT: only PQC can be used to establish secure connections. If no SSL engine supports it, application won't start. If clients don't support it, SSL handshake fails
    • CLIENT_NEGOTIATED: if no SSL engine supports PQC, application won't start. If clients don't support it, falls back to other key exchange group
    • RELAXED: no enforcement whatsoever, traditional TLS negotiation

When PQC is required (STRICT or CLIENT_NEGOTIATED), Vert.x auto-selects a PQC-capable engine (JDK or OpenSSL) if none is explicitly configured. If none is available, application fails to start with a VertxException ("PQC enforcement policy requires X25519MLKEM768 but neither JDK nor OpenSSL supports it".

The resolution of key exchange groups and PQC enforcement policy (selecting an available SSL engine, adding X25519MLKEM768 to the list of supported groups for CLIENT_NEGOTIATED or restricting the list of supported groups for STRICT) is performed once in SslContextManager.

@vietj vietj added this to the 4.5.30 milestone Jul 9, 2026
@vietj vietj merged commit 0c7a7e2 into 4.x Jul 9, 2026
10 of 13 checks passed
@vietj vietj deleted the pqc_new_api-4.x branch July 9, 2026 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant