On Mon, Jun 29, 2026 at 03:53:41AM +0000, Peter Gutmann wrote:

> It's an FYI, not a you-must-do-this-or-else, so everyone's free to
> ignore it at their leisure.

Yes, entirely optional, but not universally ignored, for example:

    $ printf "QUIT\r\n" |
        openssl s_client -brief -ignore_unexpected_eof \
            -starttls smtp -CAfile /etc/pki/tls/cert.pem \
            -connect smtp.gmail.com:587 -groups mlkem1024
    Connecting to 2404:6800:4003:c06::6d
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Requested Signature Algorithms: 
ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256:rsa_pkcs1_sha256:ecdsa_secp384r1_sha384:rsa_pss_rsae_sha384:rsa_pkcs1_sha384:rsa_pss_rsae_sha512:rsa_pkcs1_sha512:rsa_pkcs1_sha1
    Peer certificate: CN=smtp.gmail.com
    Hash used: SHA256
    Signature type: ecdsa_secp256r1_sha256
    Verification: OK
    Negotiated TLS1.3 group: MLKEM1024
    250 SMTPUTF8
    DONE

Or:

    $ posttls-finger -c -Lsummary -o tls_config_file=<(
            printf "%s\n[c]\n%s\n[s]\n%s\n[d]\n%s\n" \
                client=c ssl_conf=s system_default=d Groups=mlkem768
        ) dukhovni.org
    posttls-finger: Verified TLS connection established
        to mx1.imrryr.org[144.6.86.210]:25: TLSv1.3 with
        cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange MLKEM768
        server-signature ML-DSA-65 (raw public key)

The hybrid group is unsurprisingly the one selected by default (in
Postfix after HRR if mutually supported, with X25519 for the first
flight):

    $ posttls-finger -c -Lsummary,trace dukhovni.org
    posttls-finger: TLS protocol trace saved to
        posttls-finger-20260629160007.334267-144.6.86.210-m802H7
    posttls-finger: Verified TLS connection established
        to mx1.imrryr.org[144.6.86.210]:25: TLSv1.3 with
        cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519MLKEM768
        server-signature ML-DSA-65 (raw public key)

    $ cat posttls-finger-20260629160007.334267-144.6.86.210-m802H7
    Sent TLS Record
    Header:
      Version = TLS 1.0 (0x301)
      Content Type = Handshake (22)
        ClientHello, Length=508
          ...
          extensions, length = 323
            extension_type=supported_groups(10), length=18
              X25519MLKEM768 (4588)
              MLKEM768 (513)
              ecdh_x25519 (29)
              ...
            ...
            extension_type=key_share(51), length=38
                NamedGroup: ecdh_x25519 (29)
                key_exchange:  (len=32): ...
            extension_type=server_cert_type(20), length=3
              rpk (2)
              x509 (0)
            extension_type=padding(21), length=147
    
    Received TLS Record
    Header:
      (HRR)
      ...
            extension_type=key_share(51), length=2
                NamedGroup: X25519MLKEM768 (4588)
    
    Sent TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = Handshake (22)
      ...
        ClientHello, Length=1541
          ...
          extensions, length = 1356
            extension_type=supported_groups(10), length=18
              X25519MLKEM768 (4588)
              MLKEM768 (513)
              ecdh_x25519 (29)
              ...
            ...
            extension_type=key_share(51), length=1222
                NamedGroup: X25519MLKEM768 (4588)
                key_exchange:  (len=1216): ...
            ...
            extension_type=server_cert_type(20), length=3
              rpk (2)
              x509 (0)
    
    Received TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = Handshake (22)
      ...
        ServerHello, Length=1206
          ...
          extensions, length = 1134
            extension_type=key_share(51), length=1124
                NamedGroup: X25519MLKEM768 (4588)
                key_exchange:  (len=1120): ...
    
    Received TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 28
      Inner Content Type = Handshake (22)
        EncryptedExtensions, Length=7
          extensions, length = 5
            extension_type=server_cert_type(20), length=1
              rpk (2)
    
    Received TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 2004
      Inner Content Type = Handshake (22)
        Certificate, Length=1983
          context (len=0): 
          raw_public_key, length=1974
            ML-DSA-65 Public-Key:
                ...
            No extensions
    
    Received TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 3334
      Inner Content Type = Handshake (22)
        CertificateVerify, Length=3313
          Signature Algorithm: mldsa65 (0x0905)
          Signature (len=3309): ...
    
    Received TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 69
      Inner Content Type = Handshake (22)
        Finished, Length=48
          verify_data (len=48): ...
    
    Sent TLS Record
    Header:
      Version = TLS 1.2 (0x303)
      Content Type = ApplicationData (23)
      Length = 69
      Inner Content Type = Handshake (22)
        Finished, Length=48
          verify_data (len=48): ...
    
    ...

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to