NSS (Network Security Services)

Is PQC enabled? — quick check

macOS / Linux / Windows

nss-config --version 2>/dev/null || echo "no nss-config (Firefox bundles its own NSS)"
# In Firefox URL bar:
#   about:config
#   security.tls.enable_kyber  -> should be true

Expected when PQC is ON

3.108
security.tls.enable_kyber = true   (Firefox 135+ default)

What you'll see when PQC is OFF

3.101
security.tls.enable_kyber = false

NSS powers Firefox, Thunderbird, and several enterprise products. It added X25519MLKEM768 in NSS 3.108 (2025) and Firefox 135 enabled it by default for Release.

Confirm your version

certutil --build-flags
nss-config --version

Enable hybrid groups

NSS exposes group preference via SSL_NamedGroupConfig:

SSLNamedGroup groups[] = {
    ssl_grp_kem_xyber768d00, // legacy alias for hybrid
    ssl_grp_kem_mlkem768x25519,
    ssl_grp_ec_curve25519,
    ssl_grp_ec_secp256r1,
};
SSL_NamedGroupConfig(fd, groups, sizeof(groups)/sizeof(*groups));

Application notes

Firefox 135+ ships hybrid PQC enabled by default.
Thunderbird inherits the same NSS build.
Enterprise tooling (Red Hat Directory Server, NSS-based agents) needs NSS 3.108+ and a config update to advertise the new groups.

Run the check on your client →