This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 4d9fad0981 Add simple PQC example
4d9fad0981 is described below
commit 4d9fad09819316ebeec2e5b41e169beadc1f2541
Author: remm <[email protected]>
AuthorDate: Thu Mar 5 10:55:31 2026 +0100
Add simple PQC example
---
webapps/docs/ssl-howto.xml | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index a674d22808..5cbaba0d8d 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -581,6 +581,39 @@ for more information about installation of APR. A basic
OCSP-enabled connector
</section>
+<section name="Post Quantum Cryptography">
+
+<p>Use of PQC functionality requires OpenSSL 3.5 or newer.</p>
+
+<p>Setting up a hybrid PQC configuration involves generating two certificates.
+A traditional RSA one will handle non PQC clients, while a MLDSA certificate
+will be used for PQC. This kind of hybrid setup allows transitioning to PQC
+while still maintaining support for existing clients.</p>
+
+<p>A pure PQC configuration needs only a MLDSA certificate.</p>
+
+<p>Example hybrid configuration, assuming two certificates generated with
+OpenSSL and protected with a password:</p>
+
+<source><![CDATA[<Connector port="8443" protocol="HTTP/1.1"
+ SSLEnabled="true" scheme="https" secure="true">
+ <SSLHostConfig>
+ <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+ certificateKeystorePassword="changeit"
+ type="RSA" />
+ <Certificate certificateKeystoreFile="conf/localhost-mldsa.jks"
+ certificateKeystorePassword="changeit"
+ type="MLDSA" />
+ </SSLHostConfig>
+</Connector>]]>
+</source>
+
+<p>PQC support can then be verified by connecting using curl:</p>
+
+<source><![CDATA[curl -k -v --curves X25519MLKEM768 --sigalgs ML-DSA-65
https://localhost:8443/]]></source>
+
+</section>
+
<section name="Troubleshooting">
<p>Additional information may be obtained about TLS handshake failures by
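Review bot: In the hybrid `<Connector>` example the lead-in says the two certificates are "generated with OpenSSL and protected with a password", but both `<Certificate>` elements load `.jks` files through `certificateKeystoreFile` / `certificateKeystorePassword`, and OpenSSL does not write JKS keystores. Either show the PEM form (`certificateFile`, `certificateKeyFile`, `certificateKeyPassword`) or state how the keystores were built from the OpenSSL output. The section also requires OpenSSL 3.5 without saying where it applies: name the TLS implementation the connector has to be using, and mention that the curl client needs a PQC-capable TLS library as well. In the verification step, `-k` turns off certificate validation, so the `-v` output shows whether the `X25519MLKEM768` group and the `ML-DSA-65` signature algorithm were accepted but not whether the ML-DSA chain is trusted; say that `-k` is there only because the test certificate is self-signed. Minor: the prose writes "MLDSA" and "a MLDSA" while the curl line writes "ML-DSA-65"; "an ML-DSA certificate" and "non-PQC" would read better, keeping `MLDSA` only for the `type` attribute value.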