wolfSSL
Is PQC enabled? — quick check
On the device / build host
# 1) No-dependency check — identify this machine first.
uname -a 2>/dev/null || true
# 2) Dependency check — prompt before installing anything.
if ! command -v wolfssl-config >/dev/null 2>&1; then
  echo 'wolfSSL development tools were not found.'
  printf 'Install or enable wolfSSL development tools now? [y/N] '
  read -r answer
  case "$answer" in
    # wolfssl-config is still missing at this point, so stop in both branches.
    [Yy]*) echo 'Install wolfSSL built with --enable-mlkem --enable-experimental, then rerun this snippet.'; exit 1 ;;
    *) echo 'Skipping wolfSSL development tools-based check.'; exit 1 ;;
  esac
fi
wolfssl-config --version
wolfssl-config --options | tr ' ' '\n' | grep -iE "mlkem|kyber|curve25519"
Expected when PQC is ON
5.7.6
-DHAVE_MLKEM
-DWOLFSSL_MLKEM_KYBER
-DHAVE_CURVE25519
What you'll see when PQC is OFF
5.5.4
-DHAVE_CURVE25519
# no -DHAVE_MLKEM — rebuild with --enable-mlkem --enable-experimental
wolfSSL is a small-footprint TLS stack used in embedded systems and IoT. Recent releases ship native ML-KEM and the hybrid group X25519MLKEM768.
Build with PQC
./configure \
  --enable-tls13 \
  --enable-mlkem \
  --enable-curve25519 \
  --enable-experimental
make && sudo make install
Negotiate the hybrid group
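#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
/* Groups are listed in preference order: hybrid first, classical fallbacks after. */
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
wolfSSL_CTX_set_groups(ctx,
    (int[]){ WOLFSSL_X25519_ML_KEM_768, WOLFSSL_ECC_X25519, WOLFSSL_ECC_SECP256R1 },
    3);
Embedded notes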
- ML-KEM-768 ciphertext is ~1.1 KB; ensure your TLS record buffers can hold it.
- RAM hit on Cortex-M4: ~12 KB peak during keygen+decap. Plan accordingly.
- Use WOLFSSL_NO_TLS12 to save flash if you don't need the TLS 1.2 fallback.