Linux
Is PQC enabled? — quick check
Linux shell
# 1) No-dependency check — identify this Linux system first.
. /etc/os-release; echo "$PRETTY_NAME"
uname -a 2>/dev/null || true
# 2) Dependency check — prompt before installing anything.
if ! command -v openssl >/dev/null 2>&1; then
  echo 'OpenSSL was not found. A local PQC proof needs OpenSSL 3.5+.'
  printf 'Install OpenSSL now? [y/N] '
  read -r answer
  case "$answer" in
    [Yy]*)
      if command -v brew >/dev/null 2>&1; then brew install openssl@3
      elif command -v apt-get >/dev/null 2>&1; then sudo apt-get update && sudo apt-get install -y openssl
      elif command -v dnf >/dev/null 2>&1; then sudo dnf install -y openssl
      elif command -v yum >/dev/null 2>&1; then sudo yum install -y openssl
      else echo 'No supported package manager found. Install OpenSSL 3.5+ and retry.'; exit 1
      fi ;;
    *) echo 'Install OpenSSL 3.5+ and retry for a local PQC proof.'; exit 1 ;;
  esac
fi
# Prefer a Homebrew-installed OpenSSL 3 when one is present.
OPENSSL=openssl
if command -v brew >/dev/null 2>&1; then
  BREW_OPENSSL="$(brew --prefix openssl@3 2>/dev/null)/bin/openssl"
  [ -x "$BREW_OPENSSL" ] && OPENSSL="$BREW_OPENSSL"
fi
"$OPENSSL" version
# Stop here if no ML-KEM TLS group is advertised.
if ! "$OPENSSL" list -tls-groups 2>/dev/null | grep -qiE 'X25519MLKEM768|MLKEM|Kyber'; then
  echo 'This OpenSSL does not advertise ML-KEM groups. Upgrade to OpenSSL 3.5+ or load oqsprovider, then retry.'
  exit 1
fi
"$OPENSSL" list -kem-algorithms 2>/dev/null | grep -iE 'mlkem|kyber' || echo 'no native ML-KEM KEM listing, but TLS group support was found above'
"$OPENSSL" list -providers 2>/dev/null | grep -i oqs || true
# 3) Live handshake — fully local. checkpqc.app is a known-PQ target;
# swap it for any host you want to test.
"$OPENSSL" s_client -connect checkpqc.app:443 -tls1_3 -groups X25519MLKEM768 </dev/null 2>&1 | grep -E 'Negotiated TLS1\.3 group|Cipher is|alert'
Expected when PQC is ON
Fedora Linux 41 (Workstation Edition)
OpenSSL 3.5.0 8 Apr 2025
X25519MLKEM768 @ default
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
What you'll see when PQC is OFF
Ubuntu 24.04.1 LTS
OpenSSL 3.0.13 30 Jan 2024
no native ML-KEM
# (no oqsprovider line) — install OpenSSL 3.5+ or oqsprovider
Linux is the easiest desktop/server target for PQC TLS, because almost everything delegates TLS to the system OpenSSL. The question is which OpenSSL your distro ships.
Debian / Ubuntu
- Ubuntu 24.04 LTS — OpenSSL 3.0.13. No native ML-KEM; install oqsprovider and wire it via /etc/ssl/openssl.cnf, or pull openssl from 24.10 / sid.
- Ubuntu 24.10 / 25.04 — OpenSSL 3.3 / 3.4. Hybrid PQC works once oqsprovider is loaded.
- Debian sid — OpenSSL 3.5+ as it lands.
RHEL / Fedora
- Fedora 41+ — OpenSSL 3.5; native X25519MLKEM768 in SSL_CONF defaults.
- RHEL 9 — OpenSSL 3.0.x; backports of ML-KEM tracked in Red Hat Jira. Build oqsprovider from EPEL or source.
- RHEL 10 — OpenSSL 3.5 baseline.
Arch / openSUSE Tumbleweed
- Rolling-release distros track upstream OpenSSL closely. Both have shipped 3.5 since mid-2025 — hybrid PQC is on by default.
Build your own OpenSSL 3.5
curl -fsSL https://www.openssl.org/source/openssl-3.5.0.tar.gz | tar xz
cd openssl-3.5.0
# ML-KEM is built by default in 3.5; the explicit Configure switch is spelled enable-ml-kem.
./Configure --prefix=/opt/openssl-pqc enable-ml-kem
make -j$(nproc) && sudo make install_sw
# Pin it for one shell
export PATH=/opt/openssl-pqc/bin:$PATH
openssl version
Wire oqsprovider for distro OpenSSL 3.0/3.3
sudo apt install liboqs-dev
git clone https://github.com/open-quantum-safe/oqs-provider
cd oqs-provider && cmake -S . -B build && cmake --build build
sudo cp build/lib/oqsprovider.so /usr/lib/x86_64-linux-gnu/ossl-modules/
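# /etc/ssl/openssl.cnf
# [provider_sect]
# default = default_sect
# oqsprovider = oqsprovider_sect
# [default_sect]
# activate = 1   (the default provider must be activated explicitly once another provider is listed)
# [oqsprovider_sect]
# activate = 1
What inherits PQC for free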
curl, wget, Python ssl, PHP, Apache, nginx (with the right
ssl_conf_command), Postfix, Dovecot, OpenVPN, Postgres TLS, MySQL TLS,
etcd, MinIO — anything that links libssl picks up new groups once OpenSSL is upgraded
and groups are configured.
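To turn the quick check at the top of this page into a verdict a script can act on, the following added example (not code from the original page) classifies an `openssl version` line and captured `s_client` output. The function names and the sample inputs are assumptions constructed for illustration; the version thresholds are the ones stated on this page.

```shell
#!/bin/sh
# Added example: verdict helpers for the quick check (names are hypothetical).

# classify_version "<line from 'openssl version'>"
#   native       3.5 or newer, ML-KEM built in (per this page)
#   provider     3.0 to 3.4, needs oqsprovider (per this page)
#   unsupported  older than 3.0, which has no provider API
#   unknown      not an OpenSSL version line (LibreSSL, empty input)
classify_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $ver                      # $1 = major, $2 = minor
    if [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 5 ]; }; then
        echo native
    elif [ "$1" -eq 3 ]; then
        echo provider
    else
        echo unsupported
    fi
}

# classify_handshake < s_client output
#   pq:<group> or classical:<group> from the "Negotiated TLS1.3 group" line,
#   failed when only an alert is present, unknown otherwise.
classify_handshake() {
    out=$(cat)
    group=$(printf '%s\n' "$out" |
        sed -n 's/^Negotiated TLS1\.3 group: *//p' | head -n 1)
    if [ -n "$group" ]; then
        case "$group" in
            *MLKEM*|*[Kk]yber*) echo "pq:$group" ;;
            *) echo "classical:$group" ;;
        esac
    elif printf '%s\n' "$out" | grep -qi 'alert'; then
        echo failed
    else
        echo unknown
    fi
}

# Constructed samples, modelled on the expected output shown on this page.
classify_version 'OpenSSL 3.5.0 8 Apr 2025'
classify_version 'OpenSSL 3.0.13 30 Jan 2024'
printf '%s\n' 'Negotiated TLS1.3 group: X25519MLKEM768' \
    'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' | classify_handshake
```

For a live result, pipe the `s_client` command from step 3 (without its trailing `grep`) into `classify_handshake`.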