OpenSSL post-quantum support

OpenSSL, the most widely deployed open source TLS and cryptography library, gained native post-quantum support in version 3.5, released in April 2025 as a long-term support (LTS) release. It implements the NIST standards ML-KEM, ML-DSA, and SLH-DSA directly and enables hybrid post-quantum key exchange in TLS by default, making a large share of internet infrastructure post-quantum capable without third-party modules.

Native algorithm support in OpenSSL 3.5

OpenSSL 3.5 ships built-in implementations of the three algorithms NIST finalized in August 2024, exposed through the standard EVP API and the command-line tools, as recorded in the OpenSSL release notes:

Standard Algorithm Parameter sets
FIPS 203 ML-KEM (key encapsulation) ML-KEM-512, ML-KEM-768, ML-KEM-1024
FIPS 204 ML-DSA (signatures) ML-DSA-44, ML-DSA-65, ML-DSA-87
FIPS 205 SLH-DSA (hash-based signatures) 12 sets (SHA2 or SHAKE, 3 [[security-levels

Because the algorithms live behind the generic EVP interfaces, existing applications can generate post-quantum keys, create and verify signatures, and handle the corresponding X.509 objects with largely unchanged code, a practical payoff of cryptographic agility in the library's design.

TLS: hybrid key exchange on by default

For TLS 1.3, OpenSSL 3.5 supports the hybrid groups X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024, which combine an elliptic-curve key exchange with an ML-KEM encapsulation so that the session is protected if either component remains secure. The release also changed the default TLS group list to include X25519MLKEM768, so an out-of-the-box OpenSSL 3.5 client or server negotiates post-quantum key exchange whenever its peer supports it. This matched the choice already deployed across major browsers and CDNs (browser post-quantum adoption), and directly addresses the harvest now, decrypt later threat to recorded traffic.

Prior art: oqs-provider and the OQS forks

Native support arrived on a path prepared by the Open Quantum Safe project. OpenSSL 3.0 introduced a provider architecture that lets external modules supply algorithms, and oqs-provider used it to expose the full liboqs algorithm collection inside stock OpenSSL, covering TLS hybrid groups and post-quantum certificates. Before OpenSSL 3, the same team maintained a patched OQS-OpenSSL 1.1.1 fork. Most early post-quantum TLS pilots and interoperability tests ran on these components, and oqs-provider remains relevant for algorithms OpenSSL does not ship, such as Falcon (the planned FN-DSA / Falcon) and HQC.

What remains missing

As of early 2026, several pieces are still open:

  • FN-DSA and HQC. NIST has not yet published final standards for Falcon (FIPS 206) or HQC, and OpenSSL does not implement either natively.
  • Post-quantum authentication in practice. ML-DSA keys and certificates work at the library level, but the public web PKI does not yet issue post-quantum certificates; protocol codepoints, CA/Browser Forum policy, and composite certificate formats were still being finalized in the IETF, so TLS deployments as of early 2026 combine post-quantum key exchange with classical authentication (PKI migration to post-quantum).
  • Stateful hash-based signatures. Support for LMS and XMSS, used mainly in firmware signing, is limited; later releases in the 3.x line have been adding verification support incrementally, per the release notes.
  • FIPS validation lag. Shipping an algorithm and having it inside a FIPS 140 validated module are different milestones, and validated post-quantum coverage trails the code itself.
  • The installed base. Native support helps only systems that upgrade; large fleets still run 1.1.1 or the 3.0 to 3.4 series without native post-quantum algorithms.

Significance

OpenSSL underpins operating system packages, web servers, language runtimes, and embedded systems, so its defaults move the whole ecosystem. Version 3.5's LTS designation gives it a multi-year support window per the OpenSSL release policy, which means post-quantum key exchange will be the baseline in Linux distributions and appliances built on it for years. Together with native support in other stacks cataloged at post-quantum cryptography libraries, OpenSSL 3.5 marks the point where post-quantum cryptography in TLS shifted from an add-on to default infrastructure.

Frequently asked questions

Does OpenSSL use post-quantum cryptography by default?

For TLS key exchange, yes since version 3.5: the default group list includes the hybrid X25519MLKEM768 group, so connections to compatible peers negotiate it automatically. Certificates and signatures still default to classical algorithms.

Is oqs-provider still needed?

Not for ML-KEM, ML-DSA, or SLH-DSA on OpenSSL 3.5 or later. It remains useful for algorithms OpenSSL does not ship natively and for research and interoperability testing.

Sources

  1. OpenSSL releases (OpenSSL Project, 2025)
  2. OpenSSL project site (OpenSSL Project, 2025)
  3. OpenSSL library news and downloads (OpenSSL Project, 2025)
  4. oqs-provider source repository (Open Quantum Safe project, 2025)
  5. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
Cite this entry
"OpenSSL post-quantum support." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/openssl-pqc@misc{pqwiki-openssl-pqc, title = {OpenSSL post-quantum support}, howpublished = {\url{https://postquantum.wiki/openssl-pqc}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }