Post-Quantum Cryptography (PQC) Support in Nginx
- #NGINX security
- #quantum computing
- #PQC migration
- Konstantinos Karagiannis at DEF CON 33 suggests usable quantum capabilities may arrive sooner than expected.
- NIST, NSA, and CISA recommend starting PQC migrations now to mitigate 'harvest now, decrypt later' (HNDL) risks.
- NGINX relies on OpenSSL for TLS support; OpenSSL 3.5 (April 2025) enables NIST-approved PQC algorithms by default.
- PQC availability in NGINX depends on the OpenSSL version (≥3.5) used during compilation, varying by Linux distribution.
- Debian 13 'Trixie' and Alpine Linux 3.22 support PQC with OpenSSL 3.5, while others like Debian 12 and Ubuntu 24.04 do not.
- F5 NGINX Ingress Controller's default image (Debian 12) lacks PQC, but Alpine-based images (e.g., 5.2.1-alpine) support it.
- F5 NGINX Gateway Fabric 2.2.1, based on Alpine 3.22, is already PQC-enabled.
- Users can validate that a server negotiates a PQC key-exchange group (rather than a cipher suite) with the OpenSSL CLI, e.g. `openssl s_client -groups "X25519MLKEM768" -tls1_3 -connect community.f5.com:443`; the handshake only succeeds if the server accepts the hybrid ML-KEM group.
- Compiling NGINX from source with OpenSSL ≥3.5 is an option for PQC support, as detailed in NGINX documentation.
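The two checks above (which OpenSSL an NGINX binary was built against, and whether a live handshake actually negotiated a hybrid ML-KEM group) are easy to script. The POSIX shell below is an added example, not code from the F5 post or the NGINX project; the `nginx -V` and `openssl s_client` output it parses is constructed sample text modelled on the real formats ("built with OpenSSL X.Y.Z ..." and "Negotiated TLS1.3 group: ..."), and the version threshold 3.5 comes from the post.

```shell
#!/bin/sh
# Added example: audit PQC readiness of an NGINX host.
#   1. Parse `nginx -V 2>&1` for the OpenSSL version it was built with.
#   2. Parse `openssl s_client` output for the negotiated TLS 1.3 group.
# Functions take command output as a string so they can run offline on
# the constructed samples at the bottom; live usage is shown in comments.

# Print the "built with OpenSSL X.Y.Z" version from `nginx -V` output.
built_openssl_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*built with OpenSSL \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Return 0 if an OpenSSL version X.Y[.Z] is at least 3.5 (the first
# release that enables ML-KEM hybrid groups by default), else 1.
openssl_is_pqc_capable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 5 ] && return 0
    return 1
}

# Print the group name from the "Negotiated TLS1.3 group: NAME" line that
# OpenSSL 3.x s_client emits after a TLS 1.3 handshake.
negotiated_group() {
    printf '%s\n' "$1" \
        | sed -n 's/^Negotiated TLS1.3 group: *\([A-Za-z0-9_-]*\).*/\1/p' \
        | head -n 1
}

# Return 0 if the group name is an ML-KEM (pure or hybrid) group such as
# X25519MLKEM768; classical groups like X25519 or secp256r1 return 1.
group_is_pqc() {
    case "$1" in
        *MLKEM*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for one `nginx -V` capture.
report_nginx_build() {
    v=$(built_openssl_version "$1")
    if [ -n "$v" ] && openssl_is_pqc_capable "$v"; then
        echo "nginx built with OpenSSL $v: PQC-capable"
    else
        echo "nginx built with OpenSSL ${v:-unknown}: no PQC (need >= 3.5)"
    fi
}

# --- Constructed samples (not real captures) --------------------------
NGINX_V_PQC='nginx version: nginx/1.28.0
built with OpenSSL 3.5.0 8 Apr 2025
TLS SNI support enabled'

NGINX_V_OLD='nginx version: nginx/1.24.0
built with OpenSSL 3.0.2 15 Mar 2022 (running with OpenSSL 3.0.13 30 Jan 2024)
TLS SNI support enabled'

SCLIENT_PQC='Server Temp Key: X25519MLKEM768
Negotiated TLS1.3 group: X25519MLKEM768
Verify return code: 0 (ok)'

SCLIENT_CLASSIC='Negotiated TLS1.3 group: X25519
Verify return code: 0 (ok)'

# Offline demonstration on the samples above.
report_nginx_build "$NGINX_V_PQC"
report_nginx_build "$NGINX_V_OLD"
for out in "$SCLIENT_PQC" "$SCLIENT_CLASSIC"; do
    g=$(negotiated_group "$out")
    if group_is_pqc "$g"; then echo "handshake used PQC group $g"
    else echo "handshake used classical group $g"; fi
done

# Live use (needs a local nginx and network access):
#   report_nginx_build "$(nginx -V 2>&1)"
#   negotiated_group "$(openssl s_client -groups X25519MLKEM768 -tls1_3 \
#       -connect HOSTNAME:443 </dev/null 2>/dev/null)"
```

Note that `-groups X25519MLKEM768` restricts the client to that single group, so against a server whose OpenSSL predates 3.5 the handshake fails outright instead of falling back; that makes it a clean pass/fail probe, but to see what a default client would negotiate, drop `-groups` and read the `Negotiated TLS1.3 group:` line.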