This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 0e15dce689 Add simple PQC example
0e15dce689 is described below

commit 0e15dce6895357e58b702025a70ca1983d7fe282
Author: remm <[email protected]>
AuthorDate: Thu Mar 5 10:55:31 2026 +0100

    Add simple PQC example
---
 webapps/docs/ssl-howto.xml | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 12db991c4e..8ef5c0dad7 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -272,7 +272,7 @@ loaded or not, use one of the following:</p>
 <source><![CDATA[<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO 
implementation -->
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
            
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
-           port="8443" .../>
+           port="8443" .../>]]></source>
 
 <p>The OpenSSL JSSE implementation can also be configured explicitly if needed.
 If the Tomcat Native library or Java 22 is installed, using the
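Review bot: the added `]]></source>` closes a `<source><![CDATA[` block that was left unterminated in the JSSE NIO connector example, so the following paragraph was being swallowed into the code sample; good fix. Since the same pattern can hide elsewhere, it is worth scanning ssl-howto.xml for any other `<source><![CDATA[` without a matching `]]></source>` before this is considered done.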
@@ -286,7 +286,7 @@ element.</p>
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
            
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
            .../>]]></source>
-<p>With Java 22 FFM API:</p>
+<p>With Java FFM API:</p>
 <source><![CDATA[<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO 
implementation and OpenSSL -->
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
            
sslImplementationName="org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"
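Review bot: renaming "With Java 22 FFM API" to "With Java FFM API" drops the minimum Java version from this paragraph while the unchanged context line just above it still says "If the Tomcat Native library or Java 22 is installed"; the two now read inconsistently. Either keep the version in the heading lines or state the minimum Java version once, in the introductory sentence, and reference that from the FFM examples here and in the listener example below.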
@@ -297,7 +297,7 @@ OpenSSL on all connectors without having to add the
 <code>sslImplementationName</code> attribute on each.</p>
 <p>With Tomcat Native:</p>
 <source><![CDATA[<Listener 
className="org.apache.catalina.core.AprLifecycleListener"/>]]></source>
-<p>With Java 22 FFM API:</p>
+<p>With Java FFM API:</p>
 <source><![CDATA[<Listener 
className="org.apache.catalina.core.OpenSSLLifecycleListener"/>]]></source>
 <p>
 The <code>SSLRandomSeed</code> attribute of the listeners allows specifying a
@@ -526,12 +526,45 @@ nsComment="Testing OCSP Certificate"
 
 </section>
 
+<section name="Post Quantum Cryptography">
+
+<p>Use of PQC functionality requires OpenSSL 3.5 or newer.</p>
+
+<p>Setting up a hybrid PQC configuration involves generating two certificates.
+A traditional RSA one will handle non PQC clients, while a MLDSA certificate
+will be used for PQC. This kind of hybrid setup allows transitioning to PQC
+while still maintaining support for existing clients.</p>
+
+<p>A pure PQC configuration needs only a MLDSA certificate.</p>
+
+<p>Example hybrid configuration, assuming two certificates generated with
+OpenSSL and protected with a password:</p>
+
+<source><![CDATA[<Connector port="8443" protocol="HTTP/1.1"
+    SSLEnabled="true" scheme="https" secure="true">
+    <SSLHostConfig>
+        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+            certificateKeystorePassword="changeit"
+            type="RSA" />
+        <Certificate certificateKeystoreFile="conf/localhost-mldsa.jks"
+            certificateKeystorePassword="changeit"
+            type="MLDSA" />
+    </SSLHostConfig>
+</Connector>]]>
+</source>
+
+<p>PQC support can then be verified by connecting using curl:</p>
+
+<source><![CDATA[curl -k -v --curves X25519MLKEM768 --sigalgs ML-DSA-65 
https://localhost:8443/]]></source>
+
+</section>
+
 <section name="Troubleshooting">
 
 <p>Additional information may be obtained about TLS handshake failures by
 configuring the dedicated TLS handshake logger to log debug level messages by
 adding the following to <code>$CATALINA_BASE/conf/logging.properties</code>:
-<source>org.apache.tomcat.util.net.NioEndpoint.handshake.level=FINE</source>.
+<source>org.apache.tomcat.util.net.NioEndpoint.handshake.level=FINE</source>
 </p>
 
 <p>Here is a list of common problems that you may encounter when setting up
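Review bot: the example does not match its own description. The text says the two certificates were "generated with OpenSSL and protected with a password", but the configuration points at `conf/localhost-rsa.jks` and `conf/localhost-mldsa.jks`, which are Java keystores; either switch the sample to the PEM attributes (`certificateFile`, `certificateKeyFile`, `certificateKeyPassword`) that an OpenSSL-generated key pair would use, or reword the sentence to say the keys were imported into a keystore. A few smaller points in the same hunk: "a MLDSA certificate" should be "an ML-DSA certificate" (the FIPS 204 name, and the spelling the curl line already uses as `ML-DSA-65`), and the section should say which ML-DSA parameter set the `type="MLDSA"` certificate is expected to carry, since the curl test only asks for ML-DSA-65. The word "hybrid" is used here for a two-certificate deployment (RSA plus ML-DSA), while `--curves X25519MLKEM768` in the curl command selects a hybrid key exchange, which is negotiated independently of the certificate; saying explicitly that these are two different things would avoid confusing readers. The opening line "requires OpenSSL 3.5 or newer" should state that this applies to the OpenSSL-backed implementations (Tomcat Native or the FFM listener); the example connector has neither `sslImplementationName` nor a listener shown, so a reader with the default JSSE setup will not get what the section describes. Finally, `--sigalgs` is a recent curl option, so the minimum curl version belongs next to the command, and since `-k` disables certificate verification the text should tell the reader to confirm success from the `-v` output (the negotiated group and signature algorithm) rather than from the request merely completing. Please also confirm that `MLDSA` is an accepted value for the `Certificate` `type` attribute and that the attribute reference in the HTTP connector docs is updated in the same change.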


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
