This is an automated archive.
The original was posted on /r/openssl by /u/Inevitable_Ad8679 on 2023-05-29 21:28:35+00:00.
Hi everyone! I am currently trying to modify some settings within OpenSSL. My goal is to change the default algorithms that OpenSSL uses for generating certificates and signatures, as well as the key exchange method. Specifically, I want OpenSSL to default to the ones provided by OQS (https://openquantumsafe.org/), Dilithium and Kyber.
I have already added the OQS version of OpenSSL to my computer and respective Docker containers. I have also confirmed that I can establish test connections between a client and server using Post-Quantum Cryptography (PQC) algorithms.
Here’s what I used:
openssl s_server -key key.pem -cert cert.pem -tls1_3 -accept 443 (certificates are made with dilithium)
openssl s_client -groups kyber512 -connect 127.0.0.1:443 -tls1_3
However, if I do not explicitly mention ‘-groups kyber512’, OQS defaults to using elliptic curves for the key exchange, which is not what I want because it is not quantum safe.
Ultimately, I plan to use this customized list (featuring Dilithium and Kyber) to establish a connection between a web server (equipped with OQS OpenSSL) and my computer (also with OQS OpenSSL), and hopefully to using dilithium and kyber as the default preferred options. Does anyone have any suggestions on how to accomplish this?
For context, to avoid breaking anything, both the web server and “my computer” are implemented in Docker containers, where I replace the default OpenSSL library.
As a result, if I inspect the communications with Wireshark, I expect to see that the algorithms I selected (Dilithium and Kyber) are indeed used for both signatures and key exchange.
Unfortunately, I haven’t had any luck so far. Does anyone have any experience with this or any ideas on how to proceed?
Thank you in advance!