(tomcat) branch 10.1.x updated: Add simple PQC example

Thu, 05 Mar 2026 02:05:21 -0800 

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 2504c6d06c Add simple PQC example
2504c6d06c is described below

commit 2504c6d06c278dcc147d5b281accb487cc3d1c78
Author: remm <[email protected]>
AuthorDate: Thu Mar 5 10:55:31 2026 +0100

    Add simple PQC example
---
 webapps/docs/ssl-howto.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index df8fcbba25..7d40b57f3f 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -537,6 +537,39 @@ nsComment="Testing OCSP Certificate"
 
 </section>
 
+<section name="Post Quantum Cryptography">
+
+<p>Use of PQC functionality requires OpenSSL 3.5 or newer.</p>
+
+<p>Setting up a hybrid PQC configuration involves generating two certificates.
+A traditional RSA one will handle non PQC clients, while a MLDSA certificate
+will be used for PQC. This kind of hybrid setup allows transitioning to PQC
+while still maintaining support for existing clients.</p>
+
+<p>A pure PQC configuration needs only a MLDSA certificate.</p>
+
+<p>Example hybrid configuration, assuming two certificates generated with
+OpenSSL and protected with a password:</p>
+
+<source><![CDATA[<Connector port="8443" protocol="HTTP/1.1"
+    SSLEnabled="true" scheme="https" secure="true">
+    <SSLHostConfig>
+        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+            certificateKeystorePassword="changeit"
+            type="RSA" />
+        <Certificate certificateKeystoreFile="conf/localhost-mldsa.jks"
+            certificateKeystorePassword="changeit"
+            type="MLDSA" />
+    </SSLHostConfig>
+</Connector>]]>
+</source>
+
+<p>PQC support can then be verified by connecting using curl:</p>
+
+<source><![CDATA[curl -k -v --curves X25519MLKEM768 --sigalgs ML-DSA-65 
https://localhost:8443/]]></source>
+
+</section>
+
 <section name="Troubleshooting">
 
 <p>Additional information may be obtained about TLS handshake failures by


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to