Rustls
Is PQC enabled? — quick check
macOS / Linux / Windows
# 1) No-dependency check — identify this machine first.
uname -a 2>/dev/null || true

# 2) Dependency check — prompt before installing anything.
if ! command -v rustc >/dev/null 2>&1; then
    echo 'Rust toolchain was not found.'
    printf 'Install or enable Rust toolchain now? [y/N] '
    read -r answer
    case "$answer" in
        [Yy]*) echo 'Install Rust with rustup, then rerun this snippet.'; exit 1 ;;
        *) echo 'Skipping Rust toolchain-based check.'; exit 1 ;;
    esac
fi
if ! command -v cargo >/dev/null 2>&1; then
    echo 'Cargo was not found.'
    printf 'Install or enable Cargo now? [y/N] '
    read -r answer
    case "$answer" in
        [Yy]*) echo 'Install Rust with rustup so cargo is available, then rerun this snippet.'; exit 1 ;;
        *) echo 'Skipping Cargo-based check.'; exit 1 ;;
    esac
fi

rustc --version
# Run from the project root: cargo tree reads the manifest in the current directory.
cargo tree -p rustls-post-quantum 2>/dev/null || echo "not in dep graph"

Expected when PQC is ON
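rustc 1.84.0 (...)
rustls-post-quantum v0.2.0
└── rustls v0.23.x

What you'll see when PQC is OFF
rustc 1.78.0 (...)
not in dep graph

Add `rustls-post-quantum = "0.2"` and install it as the first kx_group in your provider. The dependency graph only shows that the crate is compiled in; the handshake test under Verify shows whether the group is actually negotiated.
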
Rustls is the modern Rust TLS stack. Hybrid
post-quantum key agreement is provided by the
rustls-post-quantum crate, which adds an X25519MLKEM768 key
exchange algorithm to the default provider.
Add to Cargo.toml
[dependencies]
rustls = "0.23"
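rustls-post-quantum = "0.2"

Wire it into your provider
use rustls::crypto::aws_lc_rs;
use rustls_post_quantum::X25519MLKEM768;

fn main() {
    // Start from the default aws-lc-rs provider.
    let mut provider = aws_lc_rs::default_provider();
    // Put the hybrid group first so it is the preferred key exchange.
    provider.kx_groups.insert(0, &X25519MLKEM768);
    // Install as the process-wide default; this fails if a default was already installed.
    provider.install_default().unwrap();
}

Servers built on Rustls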
- Hyper / Axum / Actix: configure the rustls provider as above.
- nginx-rustls module — experimental, follow upstream.
- Pingora (Cloudflare): uses BoringSSL, see BoringSSL.
Verify
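if ! command -v openssl >/dev/null 2>&1; then
    echo 'OpenSSL was not found.'
    printf 'Install OpenSSL now? [y/N] '; read -r answer
    case "$answer" in
        # apt-get is the Debian/Ubuntu installer; use your platform's package manager elsewhere.
        [Yy]*) sudo apt-get update && sudo apt-get install -y openssl ;;
        *) exit 1 ;;
    esac
fi
# The local OpenSSL must itself know the X25519MLKEM768 group (built in from OpenSSL 3.5).
# "Cipher is (NONE)" or an alert means the server did not accept the group.
openssl s_client -connect example.com:443 -tls1_3 \
    -groups X25519MLKEM768 </dev/null 2>&1 | grep -E "Cipher is|alert"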
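
The Verify command's grep matches "Cipher is" on both success and failure, so the script below, an added example that is not part of the original page, turns the `s_client` output into one verdict. The `classify_sclient` helper and the sample outputs are hypothetical and constructed; it assumes X25519MLKEM768 was the only group offered, as in the command above.

```shell
#!/bin/sh
# Added example (not from the original page). Classifies the output of
#   openssl s_client ... -tls1_3 -groups X25519MLKEM768
# Assumption: X25519MLKEM768 was the only group offered, so any completed
# TLS 1.3 handshake must have used it.

# classify_sclient (hypothetical helper): s_client output on stdin -> verdict.
#   pqc-ok <suite>  exit 0  handshake completed with the hybrid group
#   rejected        exit 1  connected, but the server refused the group
#   no-handshake    exit 2  never connected (local OpenSSL lacks the group,
#                           or a network error)
classify_sclient() {
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo "no-handshake"; return 2 ;;
    esac
    # A failed handshake still prints "Cipher is (NONE)", so a bare grep for
    # "Cipher is" matches either way; extract the value and test it.
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "rejected"; return 1 ;;
        *) echo "pqc-ok $cipher"; return 0 ;;
    esac
}

# Constructed, abridged sample outputs (not captured from a real server).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---'
SAMPLE_REJECTED='CONNECTED(00000003)
error:0A000410:SSL routines::ssl/tls alert handshake failure
---
New, (NONE), Cipher is (NONE)
---'
SAMPLE_NO_HANDSHAKE='(constructed) s_client exited before connecting'

# Demo over the constructed samples; "|| true" keeps non-zero verdicts
# from stopping a script that runs under set -e.
for s in "$SAMPLE_OK" "$SAMPLE_REJECTED" "$SAMPLE_NO_HANDSHAKE"; do
    printf '%s\n' "$s" | classify_sclient || true
done
```

To use it against a server, pipe the Verify command's full output (without the grep) into `classify_sclient`.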