On Sat, Nov 29, 2025 at 05:16:12AM +0100, Bas Westerbaan wrote:
> John, I'm curious: how well is the HelloRetryRequest flow supported in your
> environment? That is: advertise support for X25519MLKEM768 but don't send
> it, and then have the server ask for it using HelloRetryRequest. In our
> experiments to origins, we didn't see any issues with this flow and enabled
> it by default.

FWIW, I haven't encountered, or read reports of, any issues with
X25519MLKEM768 after HRR in SMTP STARTTLS.

The default supported groups setting in the upcoming Postfix 3.11 (when
compiled against OpenSSL 3.5 or later) is:

    tls_eecdh_auto_curves = ?X25519MLKEM768:DEFAULT

which amounts to a small tweak to the OpenSSL default (which has clients
send both X25519MLKEM768 and X25519 keyshares):

    ?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 /
    ?ffdhe2048:?ffdhe3072

as a result of which a keyshare for X25519MLKEM768 is sent only in
response to HRR from a server that prefers it over the remaining non-PQ
kexes.

--
Viktor. 🇺🇦 Слава Україні!
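
The key-share behaviour described in the message above, as an added example that is not part of the original message and is not Postfix or OpenSSL code: a simplified Python model of the group-list syntax and of when a server's choice forces a HelloRetryRequest. The meanings given to `?`, `*`, `/` and DEFAULT, the first-occurrence-wins handling of duplicates, and the names parse_groups and negotiate are assumptions of this model.

```python
# Simplified model of the group-list syntax in the message above.
# Not OpenSSL's parser. Assumed semantics: '/' separates tuples, ':' separates
# groups, '?' = ignore if unsupported, '*' = send a key share in the first
# ClientHello, DEFAULT = the built-in list, first occurrence of a group wins.

# OpenSSL default list as quoted in the message.
OPENSSL_DEFAULT = ("?*X25519MLKEM768 / ?*X25519:?secp256r1 / "
                   "?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072")
POSTFIX_311 = "?X25519MLKEM768:DEFAULT"  # tls_eecdh_auto_curves from the message


def parse_groups(spec):
    """Return (tuples, keyshares) for a group-list string."""
    tuples, keyshares, seen = [[]], [], set()

    def walk(text):
        for i, part in enumerate(text.split("/")):
            if i > 0 and tuples[-1]:
                tuples.append([])          # '/' starts a new tuple
            for tok in (t.strip() for t in part.split(":")):
                if tok == "DEFAULT":
                    walk(OPENSSL_DEFAULT)
                    continue
                name = tok.lstrip("?*")
                if not name or name in seen:
                    continue               # duplicate: earlier entry wins
                seen.add(name)
                tuples[-1].append(name)
                if "*" in tok[:len(tok) - len(name)]:
                    keyshares.append(name)

    walk(spec)
    return [t for t in tuples if t], keyshares


def negotiate(server_pref, spec):
    """Return (chosen_group, needs_hrr) for a server preference list."""
    tuples, shares = parse_groups(spec)
    offered = [g for t in tuples for g in t]
    chosen = next((g for g in server_pref if g in offered), None)
    return chosen, chosen is not None and chosen not in shares


if __name__ == "__main__":
    pq_first = ["X25519MLKEM768", "X25519"]  # constructed server preference
    for label, spec in (("OpenSSL default", OPENSSL_DEFAULT),
                        ("Postfix 3.11", POSTFIX_311)):
        print(label, parse_groups(spec)[1], negotiate(pq_first, spec))
```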