tls.keyexchangegroups

Key exchange group preference list, enabling post-quantum hybrid KEMs.

This parameter applies to omelasticsearch: Elasticsearch Output Module.

Name: tls.keyexchangegroups

Scope: action

Type: word

Default: none (libcurl/OpenSSL default)

Required?: no

Introduced: 8.2606.0

Description

Passes a colon-separated list of named key-exchange groups to libcurl (CURLOPT_SSL_EC_CURVES). Groups are advertised in order of preference in the TLS ClientHello.

This is the primary knob for post-quantum cryptography (PQC) readiness. Setting it to X25519MLKEM768:X25519 requests the hybrid ML-KEM / X25519 group first, falling back to classical X25519 if the server does not support it. For a hard PQC-only policy, omit the :X25519 suffix — connections to non-PQC servers will then fail.

PQC key exchange requires:

  • libcurl 7.73.0 or later (CURLOPT_SSL_EC_CURVES support)

  • OpenSSL 3.x with the OQS provider installed

If rsyslog was built against libcurl older than 7.73, configuring this parameter has no effect and a warning is logged at configuration load.
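
A preflight check for the version requirement and the fallback behaviour described above, as an added example that is not part of the rsyslog documentation or source. The function names, the rule that any group name containing MLKEM counts as a hybrid group, and the sample version strings are assumptions; `curl --version` reports the system libcurl, which may differ from the one rsyslog was built against.

```shell
#!/bin/sh
# Added example: preflight checks for tls.keyexchangegroups (not rsyslog code).

# Succeeds if the libcurl version in `curl --version` output is >= 7.73.0,
# the release the page names for CURLOPT_SSL_EC_CURVES support.
libcurl_supports_groups() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*libcurl\/\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2          # no libcurl/X.Y token found
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 73 ]; }
}

# Prints the policy a colon-separated group list expresses.
# Assumption: any group name containing "MLKEM" is a hybrid ML-KEM group.
classify_groups() {
    case $1 in
        ''|:*|*:|*::*|*[!A-Za-z0-9_:-]*) echo invalid; return 1 ;;
    esac
    first='' hybrid=0 classical=0
    old_ifs=$IFS; IFS=:
    for g in $1; do
        case $g in
            *MLKEM*) kind=hybrid; hybrid=1 ;;
            *)       kind=classical; classical=1 ;;
        esac
        # The first entry is the most preferred group in the ClientHello.
        if [ -z "$first" ]; then first=$kind; fi
    done
    IFS=$old_ifs
    if [ "$hybrid" -eq 0 ]; then echo classical-only
    elif [ "$classical" -eq 0 ]; then echo hybrid-only
    elif [ "$first" = hybrid ]; then echo hybrid-preferred-with-fallback
    else echo classical-preferred
    fi
}

# Constructed sample inputs; on a real host pass "$(curl --version)".
classify_groups "X25519MLKEM768:X25519"
libcurl_supports_groups "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f" ||
    echo "libcurl too old: tls.keyexchangegroups would have no effect"
```

A result of hybrid-only corresponds to the hard policy above, where connections to servers without the hybrid group fail; classical-preferred flags a list whose order puts a classical group ahead of the hybrid one.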

Action usage

action(type="omelasticsearch"
       usehttps="on"
       tls.cacert="/etc/pki/tls/certs/ca-bundle.crt"
       tls.tlsversion="TLSv1.3"
       tls.keyexchangegroups="X25519MLKEM768:X25519")

YAML usage

actions:
  - type: omelasticsearch
    usehttps: "on"
    tls.cacert: "/etc/pki/tls/certs/ca-bundle.crt"
    tls.tlsversion: "TLSv1.3"
    tls.keyexchangegroups: "X25519MLKEM768:X25519"

See also

omelasticsearch: Elasticsearch Output Module, tls.tlsversion, tls.ciphersuites.



© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.