macOS
Is PQC enabled? — quick check
macOS Terminal
# 1) No-dependency check — identify this Mac first.
sw_vers
# 2) Dependency check — prompt before installing anything.
if ! command -v brew >/dev/null 2>&1; then
echo 'Homebrew was not found. Install Homebrew or pre-stage OpenSSL 3.5+ and retry.'
exit 1
fi
if ! brew list --versions openssl@3 >/dev/null 2>&1; then
echo 'Homebrew openssl@3 was not found. macOS system /usr/bin/openssl is LibreSSL and cannot prove ML-KEM.'
printf 'Install openssl@3 now? [y/N] '
read answer
case "$answer" in
[Yy]*) brew install openssl@3 ;;
*) echo 'Install or pre-stage OpenSSL 3.5+ and retry.'; exit 1 ;;
esac
fi
brew list --versions openssl@3 2>/dev/null
OPENSSL=/opt/homebrew/opt/openssl@3/bin/openssl
[ -x "$OPENSSL" ] || OPENSSL=/usr/local/opt/openssl@3/bin/openssl
$OPENSSL version
if ! $OPENSSL list -tls-groups 2>/dev/null | grep -qiE 'X25519MLKEM768|MLKEM|Kyber'; then
echo 'This openssl@3 does not advertise ML-KEM groups yet. Upgrade to OpenSSL 3.5+ and retry.'
exit 1
fi
$OPENSSL list -kem-algorithms 2>/dev/null | grep -iE 'mlkem|kyber' || echo 'no native ML-KEM KEM listing, but TLS group support was found above'
# 3) Live handshake — fully local. checkpqc.app is a known-PQ host you
# can swap for any target you want to test.
$OPENSSL s_client -connect checkpqc.app:443 -tls1_3 -groups X25519MLKEM768 \
</dev/null 2>&1 | grep -E 'Negotiated TLS1\.3 group|Cipher is|alert'Expected when PQC is ON
ProductName: macOS
ProductVersion: 14.4
openssl@3 3.5.0
OpenSSL 3.5.0 8 Apr 2025
X25519MLKEM768 @ default
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384What you'll see when PQC is OFF
ProductName: macOS
ProductVersion: 13.6
(openssl@3 not installed)
LibreSSL 3.3.6
no native ML-KEM
# system /usr/bin/openssl can't speak ML-KEM — brew install openssl@3
macOS bundles LibreSSL at /usr/bin/openssl. LibreSSL has
not adopted ML-KEM, so the system openssl command can't negotiate
X25519MLKEM768. The Apple Network framework / Security framework also do not
yet expose hybrid PQC to apps. Practical PQC on macOS today comes from third-party
stacks installed via Homebrew or a language runtime.
What's PQ-ready on stock macOS 14+
- iMessage PQ3 — enabled automatically on macOS 14.4+.
- Chrome / Edge / Firefox / Brave on macOS — all bundle their own TLS stack and ship hybrid PQC. Chrome, Firefox.
- Signal / WhatsApp apps — PQXDH for new chats.
What's not
- Safari — TLS HTTPS still classical. Safari.
- System curl, /usr/bin/openssl, system Python — LibreSSL-backed.
- iCloud sync, Apple Mail TLS — Apple has not advertised TLS PQC for these.
Get PQC TLS into your shell & scripts
sw_vers
if ! command -v brew >/dev/null 2>&1; then
echo 'Homebrew was not found. Install Homebrew or pre-stage OpenSSL 3.5+ and curl.'
exit 1
fi
if ! brew list --versions openssl@3 >/dev/null 2>&1 || ! brew list --versions curl >/dev/null 2>&1; then
printf 'Install/upgrade openssl@3 and curl now? [y/N] '; read answer
case "$answer" in [Yy]*) brew install openssl@3 curl ;; *) exit 1 ;; esac
fi
# Add modern openssl ahead of the LibreSSL stub
echo 'export PATH="/opt/homebrew/opt/openssl@3/bin:$PATH"' >> ~/.zshrc
echo 'export PATH="/opt/homebrew/opt/curl/bin:$PATH"' >> ~/.zshrc
exec zsh
openssl version # OpenSSL 3.5.x
curl -V | head -1 # curl ... OpenSSL/3.5.x