OpenSSL post-quantum support
OpenSSL, the most widely deployed open source TLS and cryptography library, gained native post-quantum support in version 3.5, released in April 2025 as a long-term support (LTS) release. It implements the NIST standards ML-KEM, ML-DSA, and SLH-DSA directly and enables hybrid post-quantum key exchange in TLS by default, making a large share of internet infrastructure post-quantum capable without third-party modules.
Native algorithm support in OpenSSL 3.5
OpenSSL 3.5 ships built-in implementations of the three algorithms NIST finalized in August 2024, exposed through the standard EVP API and the command-line tools, as recorded in the OpenSSL release notes:
| Standard | Algorithm | Parameter sets |
|---|---|---|
| FIPS 203 | ML-KEM (key encapsulation) | ML-KEM-512, ML-KEM-768, ML-KEM-1024 |
| FIPS 204 | ML-DSA (signatures) | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| FIPS 205 | SLH-DSA (hash-based signatures) | 12 sets (SHA2 or SHAKE, 3 [[security-levels |
Because the algorithms live behind the generic EVP interfaces, existing applications can generate post-quantum keys, create and verify signatures, and handle the corresponding X.509 objects with largely unchanged code, a practical payoff of cryptographic agility in the library's design.
TLS: hybrid key exchange on by default
For TLS 1.3, OpenSSL 3.5 supports the hybrid groups X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024, which combine an elliptic-curve key exchange with an ML-KEM encapsulation so that the session is protected if either component remains secure. The release also changed the default TLS group list to include X25519MLKEM768, so an out-of-the-box OpenSSL 3.5 client or server negotiates post-quantum key exchange whenever its peer supports it. This matched the choice already deployed across major browsers and CDNs (browser post-quantum adoption), and directly addresses the harvest now, decrypt later threat to recorded traffic.
Prior art: oqs-provider and the OQS forks
Native support arrived on a path prepared by the Open Quantum Safe project. OpenSSL 3.0 introduced a provider architecture that lets external modules supply algorithms, and oqs-provider used it to expose the full liboqs algorithm collection inside stock OpenSSL, covering TLS hybrid groups and post-quantum certificates. Before OpenSSL 3, the same team maintained a patched OQS-OpenSSL 1.1.1 fork. Most early post-quantum TLS pilots and interoperability tests ran on these components, and oqs-provider remains relevant for algorithms OpenSSL does not ship, such as Falcon (the planned FN-DSA / Falcon) and HQC.
What remains missing
As of early 2026, several pieces are still open:
- FN-DSA and HQC. NIST has not yet published final standards for Falcon (FIPS 206) or HQC, and OpenSSL does not implement either natively.
- Post-quantum authentication in practice. ML-DSA keys and certificates work at the library level, but the public web PKI does not yet issue post-quantum certificates; protocol codepoints, CA/Browser Forum policy, and composite certificate formats were still being finalized in the IETF, so TLS deployments as of early 2026 combine post-quantum key exchange with classical authentication (PKI migration to post-quantum).
- Stateful hash-based signatures. Support for LMS and XMSS, used mainly in firmware signing, is limited; later releases in the 3.x line have been adding verification support incrementally, per the release notes.
- FIPS validation lag. Shipping an algorithm and having it inside a FIPS 140 validated module are different milestones, and validated post-quantum coverage trails the code itself.
- The installed base. Native support helps only systems that upgrade; large fleets still run 1.1.1 or the 3.0 to 3.4 series without native post-quantum algorithms.
Significance
OpenSSL underpins operating system packages, web servers, language runtimes, and embedded systems, so its defaults move the whole ecosystem. Version 3.5's LTS designation gives it a multi-year support window per the OpenSSL release policy, which means post-quantum key exchange will be the baseline in Linux distributions and appliances built on it for years. Together with native support in other stacks cataloged at post-quantum cryptography libraries, OpenSSL 3.5 marks the point where post-quantum cryptography in TLS shifted from an add-on to default infrastructure.
Frequently asked questions
Does OpenSSL use post-quantum cryptography by default?
For TLS key exchange, yes since version 3.5: the default group list includes the hybrid X25519MLKEM768 group, so connections to compatible peers negotiate it automatically. Certificates and signatures still default to classical algorithms.
Is oqs-provider still needed?
Not for ML-KEM, ML-DSA, or SLH-DSA on OpenSSL 3.5 or later. It remains useful for algorithms OpenSSL does not ship natively and for research and interoperability testing.
Sources
- OpenSSL releases (OpenSSL Project, 2025)
- OpenSSL project site (OpenSSL Project, 2025)
- OpenSSL library news and downloads (OpenSSL Project, 2025)
- oqs-provider source repository (Open Quantum Safe project, 2025)
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
Cite this entry
"OpenSSL post-quantum support." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/openssl-pqc@misc{pqwiki-openssl-pqc,
title = {OpenSSL post-quantum support},
howpublished = {\url{https://postquantum.wiki/openssl-pqc}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}