tls.keyexchangegroups
Key exchange group preference list, enabling post-quantum hybrid KEMs.
This parameter applies to omelasticsearch: Elasticsearch Output Module.
- Name: tls.keyexchangegroups
- Scope: action
- Type: word
- Default: none (libcurl/OpenSSL default)
- Required?: no
- Introduced: 8.2606.0
Description
Passes a colon-separated list of named key-exchange groups to libcurl
(CURLOPT_SSL_EC_CURVES). Groups are advertised in order of preference
in the TLS ClientHello.
This is the primary knob for post-quantum cryptography (PQC) readiness.
Setting it to X25519MLKEM768:X25519 requests the hybrid ML-KEM / X25519
group first, falling back to classical X25519 if the server does not support
it. For a hard PQC-only policy, omit the :X25519 suffix — connections to
non-PQC servers will then fail.
PQC key exchange requires:
- libcurl 7.73.0 or later (CURLOPT_SSL_EC_CURVES support)
- OpenSSL 3.x with the OQS provider installed
If rsyslog was built against libcurl older than 7.73, configuring this parameter has no effect and a warning is logged at configuration load.
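A preflight check for the two failure modes described above (a libcurl too old to honour the setting, and a group list whose fallback policy is not the one intended), given as an added example that is not part of rsyslog or its documentation. The function names, the verdict words and the rule that any group name containing "MLKEM" counts as post-quantum are assumptions of this example; it reads the libcurl version reported by the curl CLI, which may differ from the one rsyslog was built against, and it does not check the OpenSSL provider.

```shell
# Added example: preflight lint for a tls.keyexchangegroups value.
MIN_LIBCURL="7.73.0"  # per the page: first libcurl with CURLOPT_SSL_EC_CURVES
# Succeeds when dotted version $1 >= $2, compared numerically per component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
    }'
}
# Reads `curl --version` text on stdin and prints the libcurl version.
libcurl_version() { sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1; }

# Classifies a colon-separated group list by what it permits on the wire.
# Assumption: any group name containing "MLKEM" is post-quantum or hybrid.
classify_groups() {
    case "$1" in
        ""|:*|*:|*::*|*[!A-Za-z0-9_:-]*) echo invalid; return 1 ;;
    esac
    _pq=0; _classical=0; _first=""; _ifs=$IFS; IFS=:
    for _g in $1; do
        case "$_g" in
            *MLKEM*) _kind=pq; _pq=1 ;;
            *) _kind=classical; _classical=1 ;;
        esac
        if [ -z "$_first" ]; then _first=$_kind; fi
    done
    IFS=$_ifs
    if [ "$_pq" -eq 0 ]; then echo classical-only
    elif [ "$_classical" -eq 0 ]; then echo pqc-only
    elif [ "$_first" = pq ]; then echo pqc-preferred
    else echo classical-first
    fi
}

# preflight GROUPS CURL_VERSION_TEXT: prints a one-word verdict.
preflight() {
    _v=$(printf '%s\n' "$2" | libcurl_version)
    if [ -z "$_v" ] || ! version_ge "$_v" "$MIN_LIBCURL"; then
        echo ignored  # too old: rsyslog warns and the setting has no effect
    else
        classify_groups "$1"
    fi
}

# Constructed `curl --version` line (not captured from a real host):
SAMPLE='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f'
preflight "X25519MLKEM768:X25519" "$SAMPLE"   # prints: ignored
```

On a live host, pass the real output instead of the sample: `preflight "X25519MLKEM768:X25519" "$(curl --version)"`. A `pqc-only` verdict corresponds to the hard policy, under which connections to non-PQC servers fail.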
Action usage
action(type="omelasticsearch"
       usehttps="on"
       tls.cacert="/etc/pki/tls/certs/ca-bundle.crt"
       tls.tlsversion="TLSv1.3"
       tls.keyexchangegroups="X25519MLKEM768:X25519")
YAML usage
actions:
  - type: omelasticsearch
    usehttps: "on"
    tls.cacert: "/etc/pki/tls/certs/ca-bundle.crt"
    tls.tlsversion: "TLSv1.3"
    tls.keyexchangegroups: "X25519MLKEM768:X25519"
See also
See also omelasticsearch: Elasticsearch Output Module, tls.tlsversion, tls.ciphersuites.
© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.