Native Post-Quantum TLS

This tutorial shows how to run native post-quantum TLS with rsyslog on supported newer distros using the existing TLS configuration surface. It covers the support policy, OpenSSL 3.5 hybrid groups, GnuTLS hybrid groups, and basic verification steps.

Post-quantum support in rsyslog currently follows a native-only policy:

  • Use PQ or hybrid TLS only where the distro already ships the required OpenSSL or GnuTLS support in regular packages.

  • Do not expect rsyslog to load external PQ providers for older distro versions.

  • If you need PQ support, move to a distro baseline that already ships it.

Supported baseline

At the time this tutorial was written, the intended native baselines were:

  • Fedora 43 or newer for native OpenSSL 3.5 hybrid groups.

  • Debian 13 or newer for native OpenSSL 3.5 hybrid groups.

  • Supported native GnuTLS builds that expose GROUP-X25519-MLKEM768 in priority strings.

Older distro versions are intentionally out of scope for this first phase. If there is a real need, older-version support can be revisited later.

OpenSSL example

This example keeps classical X.509 certificates and enables a native OpenSSL hybrid TLS 1.3 group on supported distros.

Server:

global(
    defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    defaultNetstreamDriverCertFile="/etc/rsyslog.d/server-cert.pem"
    defaultNetstreamDriverKeyFile="/etc/rsyslog.d/server-key.pem"
)

module(
    load="imtcp"
    gnutlsPriorityString="MinProtocol=TLSv1.3
MaxProtocol=TLSv1.3
Groups=X25519MLKEM768"
)

input(
    type="imtcp"
    port="6514"
    StreamDriver.Name="ossl"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/certvalid"
)

Client:

action(
    type="omfwd"
    target="logs.example.net"
    port="6514"
    protocol="tcp"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/certvalid"
    StreamDriver.CAFile="/etc/rsyslog.d/ca.pem"
    StreamDriver.CertFile="/etc/rsyslog.d/client-cert.pem"
    StreamDriver.KeyFile="/etc/rsyslog.d/client-key.pem"
    gnutlsPriorityString="MinProtocol=TLSv1.3
MaxProtocol=TLSv1.3
Groups=X25519MLKEM768"
)

GnuTLS example

This example uses the native GnuTLS hybrid group syntax on supported native GnuTLS builds.

Server:

global(
    defaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    defaultNetstreamDriverCertFile="/etc/rsyslog.d/server-cert.pem"
    defaultNetstreamDriverKeyFile="/etc/rsyslog.d/server-key.pem"
    defaultNetstreamDriver="gtls"
)

module(
    load="imtcp"
    gnutlsPriorityString="NORMAL:-GROUP-ALL:+GROUP-X25519-MLKEM768:+GROUP-X25519"
)

input(
    type="imtcp"
    port="6514"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/certvalid"
)

Client:

action(
    type="omfwd"
    target="logs.example.net"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/certvalid"
    StreamDriver.CAFile="/etc/rsyslog.d/ca.pem"
    StreamDriver.CertFile="/etc/rsyslog.d/client-cert.pem"
    StreamDriver.KeyFile="/etc/rsyslog.d/client-key.pem"
    gnutlsPriorityString="NORMAL:-GROUP-ALL:+GROUP-X25519-MLKEM768:+GROUP-X25519"
)

How to verify

  1. Check the native library baseline first.

    OpenSSL:

    openssl version
    openssl list -tls-groups | grep X25519MLKEM768

    GnuTLS:

    gnutls-cli --version
    gnutls-cli --priority 'NORMAL:-GROUP-ALL:+GROUP-X25519-MLKEM768:+GROUP-X25519' --list

  2. Start the server and client configuration.

  3. Send a test message.

  4. If rsyslog logs an error that the priority string option or the OpenSSL configuration command is unsupported, the native distro library does not provide the requested PQ group on that system.
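The following shell helper is an added example for the OpenSSL case, not part of rsyslog or its documentation. It automates steps 1 and 4 from the outside: it checks that the local OpenSSL lists the hybrid group, then offers only that group to the listener so a successful handshake proves the server actually negotiated it rather than silently falling back to classical X25519. It assumes OpenSSL 3.5 or newer on PATH, the client certificate paths from the example above, and a HOST and PORT given on the command line.

```shell
#!/bin/sh
# Added verification helper (example code, not rsyslog's own).
# Assumes: OpenSSL 3.5+ on PATH, an imtcp/ossl listener in x509/certvalid mode,
# and the client certificate paths used in the tutorial's client config.
PQ_GROUP="X25519MLKEM768"
CA_FILE="/etc/rsyslog.d/ca.pem"
CERT_FILE="/etc/rsyslog.d/client-cert.pem"
KEY_FILE="/etc/rsyslog.d/client-key.pem"

# Step 1: does the local OpenSSL build know the hybrid group at all?
# Reads `openssl list -tls-groups` output on stdin so it can be tested offline.
group_listed() {
    grep -q -- "$1"
}

# Extract the group name from `openssl s_client` output read on stdin.
# OpenSSL 3.2+ prints "Negotiated TLS1.3 group: <name>" after the handshake.
negotiated_group() {
    sed -n 's/^Negotiated TLS1.3 group: //p' | head -n 1
}

# Succeeds only if the negotiated group is the requested hybrid one.
is_pq_hybrid() {
    [ "$(negotiated_group)" = "$PQ_GROUP" ]
}

# Live check against HOST PORT. Offering only the hybrid group means a server
# without native support fails the handshake instead of downgrading unnoticed.
check_handshake() {
    host="$1"; port="$2"
    openssl list -tls-groups | group_listed "$PQ_GROUP" || {
        echo "local OpenSSL does not list $PQ_GROUP" >&2; return 2; }
    out=$(openssl s_client -connect "$host:$port" -tls1_3 -groups "$PQ_GROUP" \
            -CAfile "$CA_FILE" -cert "$CERT_FILE" -key "$KEY_FILE" </dev/null 2>&1)
    if printf '%s\n' "$out" | is_pq_hybrid; then
        echo "negotiated $PQ_GROUP with $host:$port"
    else
        echo "no hybrid group negotiated with $host:$port; s_client said:" >&2
        printf '%s\n' "$out" | grep -E 'Negotiated|error|alert' >&2
        return 1
    fi
}

# Usage: sh pq-check.sh logs.example.net 6514
if [ "$#" -ge 2 ]; then
    check_handshake "$1" "$2"
fi
```

A non-zero exit means either the local library lacks the group (exit 2) or the listener did not accept it (exit 1), which is the same condition step 4 describes from the rsyslog side.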

Notes

  • This tutorial targets hybrid key exchange first. It does not promise native PQ certificates or signatures.

  • The same gnutlsPriorityString parameter is used for both OpenSSL and GnuTLS, but the string format is specific to the TLS library: OpenSSL takes configuration commands such as MinProtocol= and Groups= (one per line), while GnuTLS takes a priority string such as NORMAL:-GROUP-ALL:+GROUP-X25519-MLKEM768.

  • If you operate older distro versions, stay on classical TLS for now or plan a distro upgrade before enabling PQ.



© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.