[pfx-dev] [PATCH] defaults: Add X25519MLKEM768 to tls_eecdh_auto_curves

Fri, 17 Oct 2025 09:18:46 -0700 

tls_eecdh_auto_curves contains various groups for key exchange. With
OpenSSL 3.5+ X25519MLKEM768 is available for a hybrid MLKEM-768+X25519
key exchange. Since X25519MLKEM768 isn't part of group, this is key
exchange is not possible.

Add X25519MLKEM768 to the default list for tls_eecdh_auto_curves.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---

After adding X25519MLKEM768 to tls_eecdh_auto_curves into the config it
appears to work and I saw in log:

| smtpd[…]: Anonymous TLS connection established from […]: TLSv1.3 with cipher 
TLS_AES_256_ GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 
server-signature ECDSA (prime256v1) server-digest SHA256

so I figured updating the defaults would be reasonable. Since this is a
hybrid, SN_ML_KEM_768 corresponds just to the ML-KEM part not including
the EC-curve. But it should be enough to not specifify it if not
provided by OpenSSL.

 src/global/mail_params.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 28a879f1c9159..6eb0b7b763e4b 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -3416,6 +3416,12 @@ extern char *var_tls_export_ignored;
 #define DEF_TLS_NULL_CLIST     "eNULL" TLS_EXCL_REST ":!aNULL"
 extern char *var_tls_null_clist;
 
+#if defined(SN_ML_KEM_768) && defined(NID_ML_KEM_768)
+#define DEF_TLS_EECDH_AUTO_0 "X25519MLKEM768 "
+#else
+#define DEF_TLS_EECDH_AUTO_0 ""
+#endif
+
 #if defined(SN_X25519) && defined(NID_X25519)
 #define DEF_TLS_EECDH_AUTO_1 SN_X25519 " "
 #else
@@ -3447,7 +3453,8 @@ extern char *var_tls_null_clist;
 #endif
 
 #define VAR_TLS_EECDH_AUTO     "tls_eecdh_auto_curves"
-#define DEF_TLS_EECDH_AUTO      DEF_TLS_EECDH_AUTO_1 \
+#define DEF_TLS_EECDH_AUTO      DEF_TLS_EECDH_AUTO_0 \
+                                DEF_TLS_EECDH_AUTO_1 \
                                 DEF_TLS_EECDH_AUTO_2 \
                                 DEF_TLS_EECDH_AUTO_3 \
                                 DEF_TLS_EECDH_AUTO_4 \
-- 
2.51.0

_______________________________________________
Postfix-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to