Post-Quantum Cryptography (PQC)
To protect against future quantum computing threats, nevisProxy (version 8.2511.2.0 and above) supports Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for key exchange and Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for certificate signatures.
Frontend Configuration (Client to Proxy)
Enforcing PQC-safe Key Exchanges
By default, nevisProxy supports ML-KEM but still allow traditional key exchange methods. To disable non-PQC safe key exchange methods, you have to limit the OpenSSL Curves in navajo.xml within the SSL tag:
<SSL
...
SSLProtocol="-all +TLSv1.3"
>
<SSLOpenSSLConfCmd value="Curves MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024"/>
</SSL>
Note that X448MLKEM1024 is currently not supported and will prevent the proxy from starting.
Using ML-DSA Certificate Signatures
To use post-quantum signatures, you must provide a certificate signed with an ML-DSA algorithm (e.g., ML-DSA-65). Update your <SSL> configuration in navajo.xml to point to these files:
<SSL
SSLCACertificateFile="/path/to/ca-mldsa87.crt"
SSLCertificateFile="/path/to/server-mldsa65.crt"
SSLCertificateKeyFile="/path/to/server-mldsa65.key"
...
/>
Backend Configuration
The communication between nevisProxy and your backend services can also be secured using PQC by configuring the relevant servlets.
Enforcing PQC on Backend Connections
To ensure that nevisProxy uses post-quantum key exchange when connecting to a backend, add the SSLOpenSSLConfCmd parameter to the servlet configuration in web.xml:
<servlet>
<servlet-name>PostQuantumBackendServlet</servlet-name>
<servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
...
<init-param>
<param-name>SSLOpenSSLConfCmd</param-name>
<param-value>Curves MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024</param-value>
</init-param>
</servlet>
To use ML-DSA certificate signatures, you must provide a certificate signed with an ML-DSA algorithm to the servlet.