Luna PQC FM
This guide details the installation, configuration, and integration of Luna PQC FM with Luna HSM, enabling secure Post Quantum Algorithm support via OpenSSL. OpenSSL, an open-source cryptographic library and SSL/TLS toolkit, provides command-line tools for essential cryptographic functions, including symmetric encryption, public-key encryption, and digital signing. OpenSSL v3.2 and later versions support both Post-Quantum Cryptography (PQC) algorithms and traditional cryptographic methods.
Luna HSM ensures the secure storage of Quantum Safe cryptographic keys. By integrating Luna PQC FM with Luna HSM through the Luna Crypto Provider Toolkit for OpenSSL, OpenSSL gains access to Quantum Safe cryptographic keys generated and managed by Luna PQC FM. This integration delivers the following benefits:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | Toolkit | Certified Platforms | 
|---|---|---|
| Luna HSM | Luna Crypto Provider Toolkit for OpenSSL | RHEL 9 | 
Prerequisites
To proceed with this integration, ensure that Luna HSM is set up as described in the following section.
Set up Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will later be used by OpenSSL.
Create and exchange certificates between the Luna Network HSM and the client system, then register the client and assign the partition to it to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.
Available HSMs:
Slot Id ->              0
Label ->                TPA-FM
Serial Number ->        1578912774253
Model ->                LunaSA 7.8.0
Firmware Version ->     7.8.0
Bootloader Version ->   1.1.5
Configuration ->        Luna User Partition With SO (PW)
                        Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM
Current Slot Id: 0
For PED-authenticated HSMs, enable Partition Policies 22 and 23 to support activation and auto-activation.
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Integrating Luna HSM with OpenSSL and Luna PQC FM for Quantum Safe Algorithms
Luna HSM, in conjunction with Luna PQC FM, enables Quantum Safe cryptographic operations. These operations require a SHIM library to facilitate seamless communication between Luna PQC FM, installed on the Luna HSM, and client applications. The SHIM library is configured on the client side to enable PQC algorithm use. In this setup, OpenSSL serves as the cryptographic engine to execute PQC operations, integrating with Luna HSM via the Luna Crypto Provider. To achieve this integration, Thales offers the Luna Crypto Provider Toolkit. This toolkit, available for download on Thales GitHub, contains the necessary components to install and configure the Luna Crypto Provider. You can clone the toolkit using the following command in your terminal:
git clone https://github.com/ThalesGroup/luna-openssl-4-pqc
This additional step with the Luna Crypto Provider Toolkit is specific to using Thales Luna HSM for increased security. OpenSSL can be used for PQC algorithms without this hardware component.
In this configuration, OpenSSL loads the Luna Crypto Provider (lunaprov) to access PQC algorithms. The Luna Crypto Provider then uses the configured SHIM library to establish secure communication with Luna PQC FM on the HSM. Luna PQC FM executes these operations using PQC keys that are generated and securely stored within the Luna HSM.
It's important to note that PQC algorithm support is available in OpenSSL versions 3.2.x and above.
To integrate Luna HSM with OpenSSL and Luna PQC FM, the following high-level steps are required, with specific procedures depending on your environment:
Install and configure Luna PQC FM on Luna HSM
Follow the steps below to download, install, and configure the Luna PQC FM Toolkit on your Luna HSM.
Luna Client Version: Ensure your Luna Client is version 10.7.1 or later.
HSM Firmware: Ensure the HSM is running firmware version 7.7.0 or above and is in an FM-enabled state.
FM License: If the HSM is marked as FM Ready, contact your Thales sales representative to obtain and apply the FM license.
Access the Thales Support Portal and download the Luna Post Quantum Cryptography (PQC) FM Toolkit Version 3.1. Refer to the README file included with the FM Toolkit for detailed installation instructions.
Unzip the downloaded toolkit from the Thales Support Portal.
Copy the lunapqc.fm and fmsign.cer files to the Luna SA using the following commands:
scp [FM_TOOLKIT_DIRECTORY]/fm/lunapqc.fm admin@[LUNA_SA_IP]:
scp [FM_TOOLKIT_DIRECTORY]/fm/fmsign.cer admin@[LUNA_SA_IP]:
Connect to the Luna SA as admin via SSH, then perform a Security Officer (SO) login. An HSM login is required to load the FM modules.
Execute the following command in the lunash shell to load the FM module:
hsm fm load -c fmsign.cer -f lunapqc.fm
Ensure the HSM is in the FM Enabled state; otherwise, the command will fail to load the FM module.
Run the hsm restart command within lunash to reboot the Luna SA.
This restart will activate all existing partitions and enable SMFS. Any new partitions created after this point will require an additional HSM restart for activation.
After the restart, confirm that the Secure Multi-Factor Services (SMFS) is activated by executing the command:
hsm fm status

If SMFS is not activated, enable it by running the following command:
hsm fm smfs activate
Ensure that HSM Policy 52 (Restrict FM Privilege Level) is disabled on the Luna Security Appliance (SA) to allow proper functionality.
On the client system where the Luna Client is installed, replace the existing libshim.so file in the Luna Client library folder with the version provided in the FM Toolkit.
Both the FM Toolkit and FM SDK must be installed alongside the Luna Client to utilize the PQC FM Toolkit. The libshim.so included with the Luna PQC FM Toolkit is designed to function only when the FM Toolkit and FM SDK are properly installed with the Luna SDK.
Modify the Luna Client configuration file, Chrystoki.conf, to include the following entries:
   Chrystoki2 = {
      LibUNIX = /usr/safenet/lunaclient/lib/libshim.so;
      LibUNIX64 = /usr/safenet/lunaclient/lib/libshim.so;
   }
   Shim2 = {
      LibUNIX = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
      LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
   }
Ensure that the following line is included in the Misc section of the /etc/Chrystoki.conf file:
ApplicationInstance = LUNA_PQC;
After implementing all configuration changes, confirm that the Luna Partition is accessible through LunaCM. Execute the following command:
/usr/safenet/lunaclient/bin/lunacm
The expected output should resemble the following:
lunacm (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.
Available HSMs:
Slot Id ->              0
Label ->                TPA-FM
Serial Number ->        1578912774253
Model ->                LunaSA 7.8.0
Firmware Version ->     7.8.0
Bootloader Version ->   1.1.5
Configuration ->        Luna User Partition With SO (PW) 
                        Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM
Current Slot Id: 0
Integrate Luna HSM with OpenSSL using PQC FM
To integrate Luna HSM with OpenSSL through the Luna Crypto Provider Toolkit, complete the following steps:
- Verify OpenSSL and Luna HSM Integration with Hybrid Algorithms
- Measure the performance of PQC algorithms with Luna Crypto Provider
Set up OpenSSL to use Luna Crypto Provider
To install and configure OpenSSL for use with the Luna Crypto Provider, select one of the scenarios below based on your requirements:
- Scenario A: Build and install the Luna Crypto Provider alongside your existing OpenSSL installation
- Scenario B: Build and install both the Luna Crypto Provider and OpenSSL from source
- Scenario C: Configure OpenSSL to enable the Luna Crypto Provider by default
Before proceeding with any of the scenarios, ensure that the Luna Crypto Provider Toolkit for OpenSSL is downloaded from Thales GitHub. This toolkit provides all required components for installing and configuring the Luna Crypto Provider.
Scenario A: Build and install the Luna Crypto Provider alongside your existing OpenSSL installation
To successfully build and install the Luna Crypto Provider alongside an existing OpenSSL installation, follow the steps outlined below:
Before you begin, your system needs a few essential tools: a C compiler (typically included with most operating systems) and the build utilities make and cmake3. These are necessary for compiling the software.
Clone the Luna Crypto Provider Toolkit from the official Thales GitHub repository using the following command:
git clone https://github.com/ThalesGroup/luna-openssl-4-pqc
Download and extract the OpenSSL source tarball from <https://www.openssl.org/source/>. Download the version closest to your existing OpenSSL installation; for example, if OpenSSL v3.2.0 is installed, any OpenSSL v3.2.x release can be used.
tar xvfz openssl-x.x.x.tar.gz
Download liboqs, a C library for quantum-safe cryptographic algorithms.
git clone -b main https://github.com/open-quantum-safe/liboqs
Navigate to the Luna Crypto Provider Toolkit directory and locate the modules location for the existing OpenSSL.
./gembuild locate-providers
Note the OpenSSL modules directory that will be used as input for the next command.
Run gembuild config and provide the inputs required to compile the provider.
./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --openssl-providers=<Path to providers directory from step 3> --liboqs-source=<Path to liboqs source downloaded in step 2> --config-bits=64
Example:
./gembuild config --openssl-source=/home/marif/openssl-3.2.2 --openssl-providers=/usr/lib64/openssl/ossl-modules --liboqs-source=/home/marif/liboqs --config-bits=64
If the OpenSSL development package is not available, you need to install it on the system. In this example, it is assumed that the OpenSSL headers and libraries are in their default locations, i.e., /usr/include and /usr/lib64, respectively. If the header and library files are installed in a custom location, use the --openssl-includes and --openssl-libs options to specify the location of the OpenSSL headers and library directory where libcrypto.so is available. All paths need to be absolute.
Build and install the liboqs.
./gembuild liboqs-build
./gembuild liboqs-install
Build and install the Luna Provider.
./gembuild provider-build
./gembuild provider-install
Verify that the Luna Crypto Provider support is available and active.
openssl list -provider lunaprov -provider default -providers
Example output:
       Providers:
       default
         name: OpenSSL Default Provider
         version: 3.2.2
         status: active
       lunaprov
         name: Thales Luna Provider
         version: 1.6.2
         status: active
Build and install sautil. By default, this will install the sautil utility to /usr/local/bin/sautil. If a customized location is desired, use the --sautil-prefix option in Step 4 to specify the location, or use the --sautil-prefix option with the ./gembuild sautil-install command.
./gembuild sautil-build
./gembuild sautil-install
Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.
Scenario B: Build and install both the Luna Crypto Provider and OpenSSL from source
To successfully build and install both the Luna Crypto Provider and OpenSSL from source, please follow the detailed steps below.
Clone the Luna Crypto Provider Toolkit from the official Thales GitHub repository using the following command:
git clone https://github.com/ThalesGroup/luna-openssl-4-pqc
Download openssl-x.x.xx.tar.gz from OpenSSL Source.
tar xvfz openssl-x.x.xx.tar.gz
Download liboqs, a C library for quantum-safe cryptographic algorithms.
git clone -b main https://github.com/open-quantum-safe/liboqs
Extract the Luna Crypto Provider Toolkit and navigate to the toolkit directory. Run the gembuild config command using the --prefix option.
./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --liboqs-source=<Path to the liboqs directory> --prefix=/usr/local --config-bits=64
Example:
# ./gembuild config --openssl-source=/home/marif/openssl-3.2.2 --liboqs-source=/home/marif/liboqs --prefix=/usr/local --config-bits=64
Build and install the liboqs.
./gembuild liboqs-build
./gembuild liboqs-install
Build and install OpenSSL.
./gembuild openssl-build
./gembuild openssl-install
Execute the following commands to build and install the Luna Crypto Provider:
./gembuild provider-build
./gembuild provider-install
Check that the Luna Crypto Provider support is available and active by running:
openssl list -provider lunaprov -provider default -providers
Example output:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.2
    status: active
  lunaprov
    name: Thales Luna Provider
    version: 1.6.2
    status: active
If the output matches the example above, the Luna Crypto Provider has been successfully installed.
Run the following commands to build and install the sautil utility:
./gembuild sautil-build
./gembuild sautil-install
The sautil utility will be installed in the directory specified by the --prefix option in Step 3, located at <prefix>/sautil/bin/sautil.
Add the locations of OpenSSL and sautil to the PATH environment variable:
export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH
Add the OpenSSL library location to the LD_LIBRARY_PATH environment variable:
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.
Scenario C: Configure OpenSSL to enable the Luna Crypto Provider by default
To configure OpenSSL to enable the Luna Crypto provider by default, follow the steps outlined below to modify the OpenSSL configuration file appropriately.
Identify the location of the OpenSSL configuration file, openssl.cnf, where the provider configuration is defined. Use the following command:
openssl version -d
Example output:
OPENSSLDIR: "/usr/local/ssl"
The above command reports the OpenSSL installation that is found first in the PATH environment variable. To verify that you are editing the correct configuration file, run which openssl.
Modify the openssl.cnf file as follows:
- At the beginning of the openssl.cnf file, add the following line:
openssl_conf = openssl_init
- Scroll down a few lines to find the [ openssl_init ] section in the file and update it to include the following:
[ openssl_init ]
providers = provider_sect
[provider_sect]
lunaprov = lunaprov_sect
default = default_sect
[default_sect]
activate = 1
[lunaprov_sect]
activate = 1
If a section is added to explicitly activate any other provider (for example, the Luna Crypto provider), it is essential to also explicitly activate the default provider. Failing to do so may render the default provider unavailable in OpenSSL, potentially causing applications dependent on OpenSSL to malfunction. This can lead to significant system issues, including loss of remote access to the system.
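The caveat above is easy to get wrong by hand, so the following added script (not part of the Thales guide or the toolkit) checks an openssl.cnf for exactly that condition: it follows the providers reference from [openssl_init] and exits non-zero when a provider such as lunaprov is activated while the default provider's section is not. The two sample configuration files it writes are constructed here to mirror the snippet above; check_provider_activation and write_sample_configs are this script's own names.

```shell
#!/bin/sh
# Added example, not from the Thales guide or toolkit.
# check_provider_activation FILE
#   exit 0: safe (no provider wiring, or every activated provider is paired
#           with an activated default provider)
#   exit 1: a non-default provider is activated but default is not, the
#           misconfiguration that can leave OpenSSL without its algorithms
check_provider_activation() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/  { next }                           # comment line
    /^[ \t]*$/  { next }                           # blank line
    /^[ \t]*\[/ {                                  # [section] header, spaces allowed
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        section = trim(s); next
    }
    /=/ {
        eq  = index($0, "=")
        key = trim(substr($0, 1, eq - 1))
        val = substr($0, eq + 1); sub(/[ \t]*#.*$/, "", val); val = trim(val)
        if (section == "openssl_init" && key == "providers") provsect = val
        else if (key == "activate") act[section] = val
        else if (val != "") ref[section SUBSEP key] = val   # name -> section refs
        next
    }
    END {
        if (provsect == "") { print "OK: no providers section wired from [openssl_init]"; exit 0 }
        others = 0; default_ok = 0
        for (k in ref) {
            split(k, p, SUBSEP)
            if (p[1] != provsect) continue            # only the providers section matters
            if (p[2] == "default") { if (act[ref[k]] == "1") default_ok = 1 }
            else if (act[ref[k]] == "1") others++
        }
        if (others > 0 && !default_ok) {
            print "UNSAFE: " others " non-default provider(s) activated in [" provsect "] but default is not"
            exit 1
        }
        print "OK: provider activation in [" provsect "] is consistent"
        exit 0
    }' "$1"
}

# write_sample_configs DIR: constructed samples mirroring the guide's snippet.
write_sample_configs() {
    cat > "$1/safe.cnf" <<'EOF'
openssl_conf = openssl_init
[ openssl_init ]
providers = provider_sect
[provider_sect]
lunaprov = lunaprov_sect
default = default_sect
[default_sect]
activate = 1
[lunaprov_sect]
activate = 1
EOF
    # Same wiring, but the default provider section was never activated.
    cat > "$1/unsafe.cnf" <<'EOF'
openssl_conf = openssl_init
[ openssl_init ]
providers = provider_sect
[provider_sect]
lunaprov = lunaprov_sect
default = default_sect
[default_sect]
[lunaprov_sect]
activate = 1
EOF
}

demo() {
    d=$(mktemp -d); write_sample_configs "$d"
    for f in safe.cnf unsafe.cnf; do
        printf '%s: ' "$f"; check_provider_activation "$d/$f" || true
    done
    rm -rf "$d"
}

# With a path argument check that file (e.g. /usr/local/ssl/openssl.cnf),
# otherwise run the demo on the constructed samples.
if [ -n "${1:-}" ]; then check_provider_activation "$1"; else demo; fi
```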
Confirm that the Luna Crypto Provider is loading by default without the need to specify any provider. Execute the following command:
openssl list -providers
Example output:
   Providers:
     default
       name: OpenSSL Default Provider
       version: 3.2.2
       status: active
     lunaprov
       name: Thales Luna Provider
       version: 1.6.2
       status: active
If the output resembles the example above, the Luna Provider is configured as the default provider for OpenSSL.
Generate a certificate request without specifying the provider parameter to test the application. Run the following command:
openssl req -out CSR.csr -new -newkey dilithium3 -nodes -keyout privateKey.key
Example output:
HSM Label is "TPA-FM".
Enter Crypto-Officer Password: ***********************************************************************
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: IN
State or Province Name (full name) [Some-State]: Uttar Pradesh
Locality Name (eg, city) []: Noida
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Thales
Organizational Unit Name (eg, section) []: PQC FM 3.1
Common Name (e.g. server FQDN or YOUR name) []: localhost.localdomain
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
If the private key and certificate request are successfully created on the Luna HSM without explicitly mentioning the specific provider, it confirms that the Luna Crypto Provider is now active by default.
Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.
Link the Luna Crypto Provider to Luna HSM
To enable OpenSSL to communicate with the Luna HSM through the Luna Crypto Provider, follow these steps:
Edit the /etc/Chrystoki.conf file to include the GemEngine configuration, as shown below:
GemEngine = {
   LibPath64 = /usr/safenet/lunaclient/lib/libshim.so;
   LibPath = /usr/safenet/lunaclient/lib/libshim.so;
   DisableEcdsa = 0;
   DisablePqc = 0;
   IncludePqc = ALL;
   ExcludePqc = NONE;
   EnableEcGenKeyPair = 1;
   EnableEdGenKeyPair = 1;
   EnablePqcGenKeyPair = 1;
   EnableRsaGenKeyPair = 1;
   DisableCheckFinalize = 1;
   IntermediateProcesses = 0;
   DisableSessionCache = 0;
   EngineInit = <slot_id>:10:11;
}
Replace <slot_id> with the actual identifier of the physical or virtual slot on your Luna HSM.
To establish a persistent session with the specified slot on the Luna HSM, use the sautil utility as follows:
/usr/local/sautil/bin/sautil -v -s <slot_id> -i 10:11 -o -q

If a persistent session is not required, refer to the README-GEM-CONFIG file located in the <Luna Crypto Provider Toolkit directory>/docs folder. This document includes alternative login methods for partition access.
Confirm that OpenSSL and Luna HSM are correctly integrated and can perform cryptographic operations using PQC algorithms
Follow these steps to confirm the integration of OpenSSL with the Luna HSM for Post-Quantum Cryptography (PQC) algorithms:
Execute sample commands with OpenSSL
This section provides examples of standard OpenSSL commands that can be used for integration with the Luna Crypto Provider.
Verify the version of the Luna Crypto Provider by executing the following command:
openssl list -provider lunaprov -providers -verbose
Expected output:
Providers:
     lunaprov
       name: Thales Luna Provider
       version: 1.6.2
       status: active
       build info: 1.6.2
       gettable provider parameters:
         name: pointer to a UTF8 encoded string (arbitrary size)
         version: pointer to a UTF8 encoded string (arbitrary size)
         buildinfo: pointer to a UTF8 encoded string (arbitrary size)
         status: integer (arbitrary size)
Use the following command to view the quantum-safe signature algorithms supported by the Luna Crypto Provider:
openssl list -signature-algorithms -provider lunaprov
Expected output:
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ lunaprov
{ 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ lunaprov
{ 1.3.101.112, ED25519 } @ lunaprov
{ 1.3.101.113, ED448 } @ lunaprov
ECDSA @ lunaprov
dilithium2 @ lunaprov
p256_dilithium2 @ lunaprov
rsa3072_dilithium2 @ lunaprov
dilithium3 @ lunaprov
p384_dilithium3 @ lunaprov
The list of available algorithms is truncated for brevity. Execute the command to view the complete list of supported algorithms.
Check the quantum-safe KEM algorithms supported by the Luna Crypto Provider:
openssl list -kem-algorithms -provider lunaprov
Expected output:
kyber512 @ lunaprov
p256_kyber512 @ lunaprov
x25519_kyber512 @ lunaprov
kyber768 @ lunaprov
p384_kyber768 @ lunaprov
The list of available algorithms is truncated for clarity. Please execute the command to see the full list of supported algorithms.
Generate cryptographic materials using PQC algorithms
To generate a CA private key and certificate for OpenSSL, and then use these to create server and user certificates, follow these steps:
Open the <OPENSSLDIR>/openssl.cnf configuration file in a text editor.
In the [CA_default] section, update the following entries:
dir = /usr/local/ssl
new_certs_dir = $dir/certs
You can specify any directory, but ensure the path is consistent throughout the following steps.
If the directory for storing certificates does not already exist, create it with the following command:
mkdir -p /usr/local/ssl/certs
Create the necessary files for OpenSSL operations:
touch /usr/local/ssl/index.txt
touch /usr/local/ssl/serial
Open the /usr/local/ssl/serial file, enter 01 at the top, press Enter, and save the file. This initializes the serial number for certificates.
Generate the CA key and certificate using Post-Quantum Cryptography (PQC) algorithms as follows:
- Option 1: Generate the CA key and certificate in separate commands:
openssl genpkey -provider lunaprov -algorithm dilithium5 -out /usr/local/ssl/certs/dilithium5_CA.key
openssl req -provider lunaprov -new -x509 -days 730 -key /usr/local/ssl/certs/dilithium5_CA.key -out /usr/local/ssl/certs/dilithium5_CA.crt
- Option 2: Generate the CA key and certificate in a single command:
openssl req -provider lunaprov -x509 -new -newkey dilithium5 -keyout /usr/local/ssl/certs/dilithium5_CA.key -out /usr/local/ssl/certs/dilithium5_CA.crt
The example above uses the dilithium5 PQC algorithm, but you can substitute it with any PQC signature algorithm supported by the Luna Crypto Provider.
List the generated key pairs using the cmu utility:
[LunaClient_Installation_Directory]/bin/cmu list

Example:
/usr/safenet/lunaclient/bin/cmu list
When prompted, enter the partition password.
Create separate directories to store certificate requests for the server and user:
mkdir /usr/local/ssl/certs/server
mkdir /usr/local/ssl/certs/user
Generate a Certificate Signing Request (CSR) for the server by executing the following command:
openssl req -provider lunaprov -new -newkey dilithium3 -keyout /usr/local/ssl/certs/server/server.key -out /usr/local/ssl/certs/server/server.csr
This CSR can be used to create the server’s certificate, which is signed by the CA.
The example above uses the PQC dilithium3 signature algorithm. You may substitute this with any other PQC signature algorithm supported by the Luna Crypto Provider.
Sign the server’s certificate request using the CA certificate generated in step 5:
openssl x509 -provider lunaprov -req -in /usr/local/ssl/certs/server/server.csr -out /usr/local/ssl/certs/server/server.crt -CA /usr/local/ssl/certs/dilithium5_CA.crt -CAkey /usr/local/ssl/certs/dilithium5_CA.key -CAcreateserial -days 365
Generate a CSR for a user:
openssl req -provider lunaprov -new -newkey dilithium2 -keyout /usr/local/ssl/certs/user/user1.key -out /usr/local/ssl/certs/user/user1.csr
This CSR can be used to create the user’s certificate, which is also signed by the CA.
This example uses the dilithium2 PQC signature algorithm, but you can select any supported PQC signature algorithm for generating user certificates.
Sign the user’s certificate request using the CA certificate created previously:
openssl x509 -provider lunaprov -req -in /usr/local/ssl/certs/user/user1.csr -out /usr/local/ssl/certs/user/user1.crt -CA /usr/local/ssl/certs/dilithium5_CA.crt -CAkey /usr/local/ssl/certs/dilithium5_CA.key -CAcreateserial -days 365
Verify the newly generated key pairs using the cmu utility:
<LunaClient_Installation_Directory>/bin/cmu list
Example:
/usr/safenet/lunaclient/bin/cmu list
When prompted, enter the partition password.

This completes the generation of cryptographic materials using PQC algorithms, with Luna Crypto Provider and Luna PQC FM facilitating the process.
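As an added example (not part of the Thales guide or the toolkit), the following script automates the CA, server and user steps above with the guide's paths and algorithms as defaults, and then does what the guide's later s_client run does not: it verifies each leaf certificate against the CA and reports the signature algorithm recorded in it. It assumes OpenSSL 3.x on PATH; CERT_DIR, CA_NAME, PROVIDER_ARGS, the *_ALG variables and all function names are this script's own, not toolkit options.

```shell
#!/bin/sh
# Added example, not from the Thales guide or toolkit: build the CA -> server
# -> user chain from the section above, then verify each leaf against the CA.
# Defaults follow the guide (keys generated on the HSM via lunaprov); override
# by environment, e.g. PROVIDER_ARGS="" CA_ALG=rsa:2048 for a run without an HSM.
CERT_DIR=${CERT_DIR:-/usr/local/ssl/certs}
PROVIDER_ARGS=${PROVIDER_ARGS-"-provider lunaprov"}   # passed verbatim to openssl
CA_ALG=${CA_ALG:-dilithium5}
CA_NAME=${CA_NAME:-${CA_ALG}_CA}                      # dilithium5_CA.key / .crt as in the guide
SERVER_ALG=${SERVER_ALG:-dilithium3}
USER_ALG=${USER_ALG:-dilithium2}
SUBJ_BASE="/C=IN/ST=Uttar Pradesh/L=Noida/O=Thales/OU=PQC Integration"

# issue_cert ROLE ALG CN: key + CSR for ROLE, then sign the CSR with the CA
# (openssl x509 -req -CAcreateserial, exactly as the guide does).
issue_cert() {
    role=$1; alg=$2; cn=$3
    mkdir -p "$CERT_DIR/$role" || return 1
    openssl req $PROVIDER_ARGS -new -newkey "$alg" -nodes \
        -subj "$SUBJ_BASE/CN=$cn" \
        -keyout "$CERT_DIR/$role/$role.key" -out "$CERT_DIR/$role/$role.csr" || return 1
    openssl x509 $PROVIDER_ARGS -req -in "$CERT_DIR/$role/$role.csr" \
        -CA "$CERT_DIR/$CA_NAME.crt" -CAkey "$CERT_DIR/$CA_NAME.key" \
        -CAcreateserial -days 365 -out "$CERT_DIR/$role/$role.crt"
}

# build_chain: self-signed CA (730 days, as in the guide), then server and user.
build_chain() {
    mkdir -p "$CERT_DIR" || return 1
    openssl req $PROVIDER_ARGS -x509 -new -newkey "$CA_ALG" -nodes -days 730 \
        -subj "$SUBJ_BASE/CN=$CA_NAME" \
        -keyout "$CERT_DIR/$CA_NAME.key" -out "$CERT_DIR/$CA_NAME.crt" || return 1
    issue_cert server "$SERVER_ALG" Server_TLS || return 1
    issue_cert user "$USER_ALG" user1
}

# verify_leaf ROLE: exit 0 only if ROLE.crt chains to the CA certificate.
# The guide's s_client run skips this (it reports verify error 21 because no
# -CAfile is given); passing -CAfile "$CERT_DIR/$CA_NAME.crt" to s_client
# yields "Verify return code: 0 (ok)" instead.
verify_leaf() {
    openssl verify $PROVIDER_ARGS -CAfile "$CERT_DIR/$CA_NAME.crt" \
        "$CERT_DIR/$1/$1.crt" >/dev/null
}

# leaf_sigalg ROLE: print the signature algorithm recorded in ROLE.crt
# (dilithium5 when the CA key is a lunaprov dilithium5 key).
leaf_sigalg() {
    openssl x509 $PROVIDER_ARGS -in "$CERT_DIR/$1/$1.crt" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Run the whole flow only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    build_chain && verify_leaf server && verify_leaf user \
        && echo "server: $(leaf_sigalg server)  user: $(leaf_sigalg user)"
fi
```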
Set up a quantum-safe TLS server using KEM algorithms
Using the keys and certificates generated in the Generate cryptographic materials using PQC algorithms section, you’re now ready to establish a Quantum-Safe TLS server and verify its connectivity with a client through OpenSSL3, utilizing the Luna Provider’s supported quantum-safe KEM algorithms.
Start a simple TLS server with quantum-safe KEM algorithms and certificates by running the following command:
openssl s_server -provider lunaprov -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 -groups kyber768:x25519_kyber768:mlkem1024

The example specifies kyber768:x25519_kyber768:mlkem1024, but you can list any supported KEM algorithms with the -groups option. The TLS server will negotiate with the client using any of the specified algorithms.
Open a new terminal window and initiate a client connection to the TLS server using a quantum-safe KEM algorithm by running the following command:
openssl s_client -provider lunaprov -groups kyber768
This example uses the kyber768 KEM algorithm. You may select any quantum-safe KEM algorithm supported by the Luna Crypto Provider by specifying it with the -groups option. For a full list of supported KEM algorithms, refer to the Luna Crypto Provider documentation.
[root@tpa01-intg ~]# openssl s_client -provider lunaprov -groups kyber768
Connecting to ::1
CONNECTED(00000003)
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify return:1
---
Certificate chain
 0 s:C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
   i:C=IN, ST=Uttar Pradesh, L=Noida, O=Thales-PQC, OU=PQC Integration, CN=dilithium5_CA
   a:PKEY: UNDEF, 192 (bit); sigalg: dilithium5
   v:NotBefore: Aug 16 05:06:58 2024 GMT; NotAfter: Aug 16 05:06:58 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
issuer=C=IN, ST=Uttar Pradesh, L=Noida, O=Thales-PQC, OU=PQC Integration, CN=dilithium5_CA
---
No client certificate CA names sent
Peer signature type: dilithium3
---
SSL handshake has read 11635 bytes and written 1619 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 192 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E748E5E9E65478348733DED836F47D0C8621390B7E4BFCD92DBCD5EDA4E3E25
    Session-ID-ctx:
    Resumption PSK:3D23FF34AB009A9103D93490899FB97A281D9752754CD917F6F1BC39D8804AA7AEC2F04E80CCFA8472209F262A0106D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E7DA65D795C811282319D2AEADF1782954B9AB2264BAB63A6FF9D99AB90ED28F
    Session-ID-ctx:
    Resumption PSK: 0E85B524461CE54A479A6FE3B4848B428DCC5376E227CA8156B82C8EB242F51F176EE14ED987E2DEF5926B9A05EE97BC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
  read R BLOCK
After successfully connecting the client, enter the command GET / to prompt the quantum-safe crypto-enabled OpenSSL3 server to return details about the established connection.
---
read R BLOCK
GET /
HTTP/1.0 200 ok
Content-type: text/html
s_server -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 groups kyber768:x25519_kyber768:mlkem1024
This TLS version forbids renegotiation.
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA
---
Ciphers common between both SSL end points:
TLS_AES_256_GCM_SHA384     TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384  ECDHE-RSA-AES256-SHA384    DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256  ECDHE-RSA-AES128-SHA256    DHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA     ECDHE-RSA-AES256-SHA       DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       DHE-RSA-AES128-SHA
AES256-GCM-SHA384          AES128-GCM-SHA256          AES256-SHA256
AES128-SHA256              AES256-SHA                 AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Supported groups: kyber768
Shared groups: kyber768
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 58DA73FB96C923CB38FCFB9163E0DBB809FABB4EE07459E0D9D2B11E2162510B
    Session-ID-ctx: 01000000
    Resumption PSK: 0E85B524461CE54A479A6FE3B4848B428DCC5376E227CA8156B82C8EB242F51F176EE14ED987E2DEF5926B9A05EE97BC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
no client certificate available
closed
This concludes the OpenSSL TLS server negotiation process using quantum-safe KEM algorithms, enabled by the Luna Crypto Provider and Luna PQC FM.
Implement quantum-safe digital signature and verification
This example demonstrates how to create and verify quantum-safe digital signatures using OpenSSL CMS. The process involves signing data with a user certificate that uses a PQC signature algorithm, followed by verification of the signed data.
To begin, use the user certificate created in Steps 10 and 11 of the Generate Crypto Materials using PQC Algorithms section to sign the data.
Create a text file named inputfile containing the data that you wish to sign. For example:
echo "Sample data to validate the signing using PQC Signature Algorithms Supported by Luna Provider" > inputfile
OpenSSL CMS requires a digest algorithm for signing. Unlike the certificate creation step, where no digest algorithm is needed, signing data with CMS necessitates specifying a message digest algorithm via the -md parameter. Use the following command to sign the data:
openssl cms -provider lunaprov -in inputfile -sign -signer /usr/local/ssl/certs/user/user1.crt -inkey /usr/local/ssl/certs/user/user1.key -nodetach -outform pem -binary -out signedfile -md sha512
The data to be signed is read from the inputfile, and the signed output is stored in signedfile. The quantum-safe signature algorithm used is the same one specified in the user1.crt certificate.
To verify the signature on the signedfile CMS file, use the following command. This will output the contents to a new file called outputfile. If the contents of outputfile match the original data in inputfile, the verification is successful:
openssl cms -verify -CAfile /usr/local/ssl/certs/dilithium5_CA.crt -inform pem -in signedfile -crlfeol -out outputfile
If the contents of both inputfile and outputfile are identical, the signing and verification process has been completed successfully.
Alternative method for signing and verification
Alternatively, you can use OpenSSL's dgst command to sign and verify data, using the same certificates and keys created in the previous steps.
To sign the data using the private key, run the following command:
openssl dgst -provider lunaprov -sign /usr/local/ssl/certs/user/user1.key -out dgstsignfile inputfile
This will create a signed file named dgstsignfile.
To verify the signature, extract the public key from the user certificate:
openssl x509 -in /usr/local/ssl/certs/user/user1.crt -pubkey -noout > user1.pubkey
Verify the signature by running the following command, using the public key extracted in the previous step:
openssl dgst -signature dgstsignfile -verify user1.pubkey inputfile
Here, dgstsignfile is the signed data file, and user1.pubkey is the public key from the user certificate.
Verify OpenSSL and Luna HSM integration with hybrid algorithms
These steps enable the integration of backwards-compatible hybrid certificates using the Luna provider and Luna PQC FM. Hybrid certificates consist of both post-quantum-safe and non-post-quantum-safe signatures. The Luna Crypto Provider supports hybrid algorithms that combine classic and quantum-safe methods. These algorithms are listed with a prefix denoting a classic algorithm, e.g., "p256_" for elliptic curves.
Configure Luna Crypto Provider to use Luna HSM for hybrid keys
Follow these steps to configure OpenSSL to access the Luna HSM using the Luna Crypto Provider for hybrid keys:
Open the /etc/Chrystoki.conf file and add the following GemEngine section:
GemEngine = {
    LibPath64 = "/usr/safenet/lunaclient/lib/libshim.so";
    LibPath = "/usr/safenet/lunaclient/lib/libshim.so";
    DisableEcdsa = 0;
    DisablePqc = 0;
    IncludePqc = "ALL";
    ExcludePqc = "x448_mlkem768:x448_kyber768";
    EnablePqcGenKeyPair = 1;
    EnableEcGenKeyPair = 1;
    EnableEdGenKeyPair = 1;
    EnableRsaGenKeyPair = 1;
    DisableCheckFinalize = 1;
    IntermediateProcesses = 0;
    DisableSessionCache = 0;
    EngineInit = "TPA-FM:0:0:passfile=/workdir/passfile";
    EnableLoginInit = 1;
}
Replace passfile=/workdir/passfile with the actual value of your token’s passfile.
Execute the following commands to create the /workdir directory and store the Luna HSM partition password in the passfile:
mkdir /workdir
echo "partition_password" > /workdir/passfile
Replace partition_password with the actual crypto officer password for the token specified in the GemEngine section.
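The GemEngine block above points the provider at a plaintext passfile holding the partition password, so it is worth checking that block and that file before starting OpenSSL. The following script is an added example, not part of the Luna documentation or the Luna Client: it parses a `GemEngine = { ... }` section, extracts the passfile path from `EngineInit`, and reports when the passfile is missing, empty, or readable by group or others. The `demo()` helper and the checks on `DisablePqc` are this example's own assumptions, based only on the settings shown in the guide.

```python
"""Sanity-check the GemEngine section of /etc/Chrystoki.conf.

Added example (not part of the Luna documentation). It parses the
`Key = value;` lines of a GemEngine section, extracts the passfile path
from EngineInit, and reports problems worth catching before OpenSSL is
started: the passfile that holds the partition password must exist, must
not be empty, and must not be readable by group or others.
"""
import os
import re
import stat
import tempfile

# Constructed sample: the GemEngine section exactly as shown in the guide.
SAMPLE_GEMENGINE = '''
GemEngine = {
    LibPath64 = "/usr/safenet/lunaclient/lib/libshim.so";
    LibPath = "/usr/safenet/lunaclient/lib/libshim.so";
    DisableEcdsa = 0;
    DisablePqc = 0;
    IncludePqc = "ALL";
    ExcludePqc = "x448_mlkem768:x448_kyber768";
    EnablePqcGenKeyPair = 1;
    EnableEcGenKeyPair = 1;
    EnableEdGenKeyPair = 1;
    EnableRsaGenKeyPair = 1;
    DisableCheckFinalize = 1;
    IntermediateProcesses = 0;
    DisableSessionCache = 0;
    EngineInit = "TPA-FM:0:0:passfile=/workdir/passfile";
    EnableLoginInit = 1;
}
'''

# One `Key = value;` entry; the value may or may not be double-quoted.
_ENTRY = re.compile(r'^\s*(\w+)\s*=\s*"?([^";]*)"?\s*;\s*$')


def parse_gemengine(text):
    """Return the key/value pairs found inside the GemEngine = { ... } block."""
    m = re.search(r'GemEngine\s*=\s*\{(.*?)\}', text, re.S)
    if not m:
        raise ValueError("no GemEngine section found")
    entries = {}
    for line in m.group(1).splitlines():
        em = _ENTRY.match(line)
        if em:
            entries[em.group(1)] = em.group(2)
    return entries


def passfile_from_engineinit(engine_init):
    """EngineInit looks like 'TPA-FM:0:0:passfile=/workdir/passfile'."""
    for part in engine_init.split(':'):
        if part.startswith('passfile='):
            return part[len('passfile='):]
    return None


def check_passfile(path):
    """Return a list of findings about the passfile (empty means it looks sane)."""
    if not os.path.isfile(path):
        return ["passfile %s does not exist" % path]
    findings = []
    st = os.stat(path)
    if st.st_size == 0:
        findings.append("passfile is empty")
    # The partition password sits in this file in clear text, so no bits
    # for group or others may be set.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("passfile is accessible to group/others (use chmod 600)")
    return findings


def check_config(text, passfile_override=None):
    """Parse the section and run all checks; returns (entries, findings)."""
    cfg = parse_gemengine(text)
    findings = []
    if cfg.get('DisablePqc') != '0':
        findings.append("DisablePqc must be 0 for the PQC algorithms to be offered")
    path = passfile_override or passfile_from_engineinit(cfg.get('EngineInit', ''))
    if path is None:
        findings.append("EngineInit has no passfile= entry")
    else:
        findings.extend(check_passfile(path))
    return cfg, findings


def demo(mode):
    """Hypothetical helper: create a temporary passfile with the given mode
    and return the findings for the sample section pointed at it."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, 'passfile')
    with open(p, 'w') as fh:
        fh.write('partition_password\n')   # constructed placeholder value
    os.chmod(p, mode)
    return check_config(SAMPLE_GEMENGINE, passfile_override=p)[1]


if __name__ == '__main__':
    for finding in check_config(SAMPLE_GEMENGINE)[1]:
        print("FINDING:", finding)
```

Run it on the real file with `check_config(open('/etc/Chrystoki.conf').read())`; it only reads the section and the passfile's metadata, never the password itself.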
Generate cryptographic materials using hybrid algorithms
The steps below guide you through creating cryptographic materials, including certificates and keys, using hybrid algorithms supported by the Luna Crypto Provider and Luna PQC FM. These hybrid algorithms ensure compatibility with both classic and post-quantum cryptography. Each step is carefully explained to facilitate execution.
Choose or create a directory to store the keys and certificates. For example:
cd /workdir
Use the following commands to generate a root CA key and certificate with a hybrid algorithm, such as p384_dilithium3:
openssl genpkey -provider lunaprov -provider default -algorithm p384_dilithium3 -out hybridCA.key
openssl req -provider lunaprov -provider default -new -x509 -days 730 -key hybridCA.key -out hybridCA.crt
Alternatively, combine the above steps into a single command:
openssl req -provider lunaprov -provider default -x509 -new -newkey p384_dilithium3 -keyout hybridCA.key -out hybridCA.crt
Replace p384_dilithium3 with any supported hybrid PQC signature algorithm as required.
Create an intermediate CA key and CSR using a hybrid algorithm, such as p256_dilithium2:
openssl req -provider lunaprov -provider default -new -newkey p256_dilithium2 -noenc -keyout intermediateCA.key -out intermediateCA.csr
The generated CSR will be signed by the root CA to create an intermediate CA certificate.
Use the root CA key and certificate to sign the intermediate CA's CSR:
openssl x509 -provider lunaprov -provider default -req -in intermediateCA.csr -out intermediateCA.crt -CA hybridCA.crt -CAkey hybridCA.key -CAcreateserial -days 365
Confirm the validity of the intermediate CA certificate against the root CA:
openssl verify -provider lunaprov -provider default -CAfile hybridCA.crt intermediateCA.crt
Combine the root CA and intermediate CA certificates into a single file:
cat intermediateCA.crt hybridCA.crt > ca-chain.pem
Create a server key and CSR using a hybrid algorithm, such as rsa3072_dilithium2:
openssl req -provider lunaprov -provider default -new -newkey rsa3072_dilithium2 -noenc -keyout server.key -out server.csr
Replace rsa3072_dilithium2 with a suitable hybrid PQC signature algorithm as required.
Use the intermediate CA key and certificate to sign the server's CSR:
openssl x509 -provider lunaprov -provider default -req -in server.csr -out server.crt -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -days 365
Verify the generated keys using the cmu utility:
<LunaClient_Installation_Directory>/bin/cmu list
For example:
/usr/safenet/lunaclient/bin/cmu list
Enter the partition password when prompted.
Set up a quantum-safe TLS server using hybrid KEM algorithms
This example demonstrates setting up a quantum-safe TLS server using hybrid Key Encapsulation Mechanism (KEM) algorithms supported by the Luna Crypto Provider. The TLS server utilizes the keys and certificates created in the Generate crypto materials using hybrid algorithms section. It enables secure connections using hybrid KEM algorithms and quantum-safe cryptography.
Launch a TLS server that utilizes hybrid KEM algorithms and the generated certificate. Use the following command:
openssl s_server -provider lunaprov -provider default -cert server.crt -key server.key -www -tls1_3 -groups p256_kyber512:p384_kyber768:p521_mlkem1024
The -groups option specifies the hybrid KEM algorithms to be used by the server. Replace p256_kyber512:p384_kyber768:p521_mlkem1024 with any combination of hybrid KEM algorithms supported by the Luna Crypto Provider as needed.
In a separate terminal, start a client to connect to the TLS server using a hybrid KEM algorithm. Use the following command:
openssl s_client -provider lunaprov -provider default -chainCAfile ca-chain.pem -groups p256_kyber512
The example above demonstrates the use of the p256_kyber512 hybrid KEM algorithm. Any other hybrid KEM algorithm that the TLS server also supports can be selected by passing it to the client's -groups option (for which -curves is an accepted synonym). For a complete list of available hybrid KEM algorithms, refer to the documentation for the Luna Crypto Provider.
[root@JJN4WL3 workdir]# openssl s_client -provider lunaprov -provider default -chainCAfile ca-chain.pem -groups p256_kyber512
Connecting to ::1
CONNECTED(00000006)
depth=0 C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=hybridServer.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=hybridServer.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=hybridServer.org
verify return:1
---
Certificate chain
 0 s:C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=hybridServer.org
   i:C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=intermediateCA.org
   a:PKEY: UNDEF, 128 (bit); sigalg: p256_dilithium2
   v:NotBefore: Jan  8 11:05:51 2025 GMT; NotAfter: Jan  8 11:05:51 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=hybridServer.org
issuer=C=IN, ST=UPST, L=Noida, O=Thales, OU=Hybrid, CN=intermediateCA.org
---
No client certificate CA names sent
Peer signature type: rsa3072_dilithium2
---
SSL handshake has read 8513 bytes and written 1300 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 128 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 06E96BE1BCFFC5A9B4FE4E691541810D3CE05A1B417D169175802548EEEEE3DD
    Session-ID-ctx:
    Resumption PSK: 991C6F477C44BBAAB6C691D70A62F6DA59AF200D3D69E77A621D4FB580AC2F8471A088F239F901DD28D0BA6702E6D164
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c9 ab 1b 75 86 89 10 7d-40 24 75 9f ee d6 48 75   ...u...}@$u...Hu
    0010 - 45 0a 0f b6 dc 38 14 52-0c e4 59 55 48 d1 86 02   E....8.R..YUH...
    0020 - c6 24 22 7a d3 0e e8 b5-79 e9 63 e6 e1 92 13 14   .$"z....y.c.....
    0030 - d1 0e 40 18 7e 64 f5 2f-d9 de 3c 3e fd 9d c6 d5   ..@.~d./..<>....
    0040 - b8 73 51 36 f6 58 3c 57-ff 1f 52 3c de b3 db 7b   .sQ6.X.x.
    0070 - 40 aa 65 2e 4f f3 9e 79-da 2b f1 be 02 06 a6 be   @.e.O..y.+......
    0080 - 72 4f 70 b1 bc cc 40 80-43 43 58 6a 31 98 54 63   rOp...@.CCXj1.Tc
    0090 - 21 d8 82 12 81 fd c3 d1-6f da c6 df 00 db 85 50   !.......o......P
    00a0 - f1 dc 69 ad 94 63 b4 2c-4c c8 4e 51 47 4f f0 50   ..i..c.,L.NQGO.P
    00b0 - 40 3f 52 d3 81 5e 5b 5a-10 5a fd 99 d4 73 71 d2   @?R..^[Z.Z...sq.
    00c0 - a5 8a 5d 20 da a5 7d fc-82 11 6a bf df 53 77 41   ..] ..}...j..SwA
    Start Time: 1736337278
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 03A4572B240EE303F65B56D7C0B3B8534769F8B12685EA67B1D4FFB974E5E986
    Session-ID-ctx:
    Resumption PSK: D4B3A956B7E5EC52DD106EB2C038191BB95AD52075F72A6EEA3331DA16F36326E8A628231277CFDF21854FF1ACB61A04
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c9 ab 1b 75 86 89 10 7d-40 24 75 9f ee d6 48 75   ...u...}@$u...Hu
    0010 - 34 50 3f da ce e5 0b c1-06 ee 5f 07 6e 64 36 8c   4P?......._.nd6.
    0020 - be 6a 11 e7 ef a4 5f 68-33 7a ef e5 06 13 03 8c   .j...._h3z......
    0030 - 83 ae af 0c 56 11 a4 02-8e 7b d1 30 9e fa e5 51   ....V....{.0...Q
    0040 - ed 30 03 68 47 f1 2f 8b-6b 88 f0 2b 73 95 ea fc   .0.hG./.k..+s...
    0050 - 93 de a1 1d 87 2a 69 d7-54 82 55 14 44 bc c1 7a   .....*i.T.U.D..z
    0060 - 4c 3e a6 cb a3 42 aa bc-0c b2 81 1a dc d7 b7 3f   L>...B.........?
    0070 - c4 91 d6 d7 68 b9 85 6c-31 d9 93 98 8a b9 37 39   ....h..l1.....79
    0080 - 1e 8d 93 70 b2 3b ae 8f-2d a9 79 c1 c0 6b 95 0c   ...p.;..-.y..k..
    0090 - 8d 64 95 bf 0d 60 40 4a-a3 7d 10 0c fb 4c 0e 15   .d...`@J.}...L..
    00a0 - dd b7 c5 d5 94 65 77 7f-00 01 6f c0 57 43 e5 28   .....ew...o.WC.(
    00b0 - 31 54 6f 95 d8 06 6c bf-45 47 c5 b1 4d 0b b7 1b   1To...l.EG..M...
    00c0 - 35 41 d6 89 4f 4a 46 9b-0a cb c6 2a 14 2b 86 84   5A..OJF....*.+..
    Start Time: 1736337278
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
Once the client connection is successful, issue the command GET /. The OpenSSL3 server will then return details about the established connection.
GET /
HTTP/1.0 200 ok
Content-type: text/html
<HTML><BODY BGCOLOR="#ffffff">
s_server -provider lunaprov -provider default -cert server.crt -key server.key -www -tls1_3 -groups p256_kyber512:p384_kyber768:p521_mlkem1024
This TLS version forbids renegotiation.
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA
---
Ciphers common between both SSL end points:
TLS_AES_256_GCM_SHA384     TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384  ECDHE-RSA-AES256-SHA384    DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256  ECDHE-RSA-AES128-SHA256    DHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA     ECDHE-RSA-AES256-SHA       DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       DHE-RSA-AES128-SHA
AES256-GCM-SHA384          AES128-GCM-SHA256          AES256-SHA256
AES128-SHA256              AES256-SHA                 AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Supported groups: p256_kyber512
Shared groups: p256_kyber512
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 113B3D1A8A953F689B1227415FE98C7EDAE80E1086635CB0B19F018A42804D95
    Session-ID-ctx: 01000000
    Resumption PSK: 1FFD5464A26BEF350F05EA003231FDFAAAC00F00DC01C511AFA4F9670B3565A8E01E01D5B6F59252D2C20B49A5BB3498
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1736338762
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>
closed
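Reading a transcript like the one above by eye is error-prone, and a practitioner usually wants an automated answer to three questions: did the key exchange use a PQC or hybrid KEM, did the server sign with a PQC or hybrid algorithm, and did certificate verification succeed. The following script is an added example, not code from the Luna documentation: it scans the text that `openssl s_client` prints and the page that `s_server -www` returns for `GET /`, extracts `Shared groups`, `Peer signature type` and `Verify return code`, and evaluates them against that policy. The marker lists and the `is_hybrid` naming rule are this example's own assumptions, derived from the algorithm names that appear in the guide's output.

```python
"""Check that an OpenSSL s_client / s_server transcript really negotiated
quantum-safe parameters.

Added example, not part of the Luna guide. The negotiated group is read
from the s_server -www page (its "Shared groups" line); the peer signature
type and verify return code are read from the s_client terminal output.
"""
import re

# Constructed sample: lines copied from the hybrid-KEM transcript in the guide.
SAMPLE_CLIENT_OUTPUT = """\
CONNECTED(00000006)
Peer signature type: rsa3072_dilithium2
SSL handshake has read 8513 bytes and written 1300 bytes
Verification error: unable to verify the first certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: the relevant lines of the s_server -www page.
SAMPLE_SERVER_PAGE = """\
Supported groups: p256_kyber512
Shared groups: p256_kyber512
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""

# Assumed substrings that identify the PQC component of a KEM or signature name.
PQC_KEM_MARKERS = ("kyber", "mlkem")
PQC_SIG_MARKERS = ("dilithium", "mldsa", "falcon", "sphincs")
# Assumed classic components that mark a name as hybrid (p256_kyber512, mldsa44_ed25519, ...).
CLASSIC_PARTS = ("p256", "p384", "p521", "rsa2048", "rsa3072", "pss2048", "pss3072",
                 "x25519", "x448", "ed25519", "ed448", "bp256", "bp384")

_PROTOCOL = re.compile(r"^New, (TLSv1\.\d), Cipher is (\S+)", re.M)
_SIGTYPE = re.compile(r"^Peer signature type: (\S+)", re.M)
_VERIFY = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)", re.M)
_GROUP = re.compile(r"^Shared groups: (\S+)", re.M)


def parse_client_output(text):
    """Protocol, cipher, peer signature type and verify result from s_client output."""
    info = {}
    m = _PROTOCOL.search(text)
    if m:
        info["protocol"], info["cipher"] = m.group(1), m.group(2)
    m = _SIGTYPE.search(text)
    if m:
        info["peer_sigtype"] = m.group(1)
    m = _VERIFY.search(text)
    if m:
        info["verify_code"], info["verify_msg"] = int(m.group(1)), m.group(2)
    return info


def parse_server_page(text):
    """Negotiated (shared) group from the s_server -www page."""
    m = _GROUP.search(text)
    return {"group": m.group(1)} if m else {}


def is_pqc_kem(group):
    return any(marker in group.lower() for marker in PQC_KEM_MARKERS)


def is_pqc_signature(sigtype):
    return any(marker in sigtype.lower() for marker in PQC_SIG_MARKERS)


def is_hybrid(name):
    """True when the name combines a classic component with another algorithm."""
    parts = name.lower().split("_")
    return len(parts) > 1 and any(p in CLASSIC_PARTS for p in parts)


def evaluate(info):
    """Return policy violations; an empty list means the handshake passes."""
    problems = []
    if info.get("protocol") != "TLSv1.3":
        problems.append("expected TLSv1.3, got %s" % info.get("protocol"))
    group = info.get("group")
    if group is None:
        problems.append("negotiated group not found in transcript")
    elif not is_pqc_kem(group):
        problems.append("key exchange %s is not a PQC/hybrid KEM" % group)
    sig = info.get("peer_sigtype")
    if sig is None:
        problems.append("peer signature type not found in transcript")
    elif not is_pqc_signature(sig):
        problems.append("server signature %s has no PQC component" % sig)
    if info.get("verify_code") != 0:
        problems.append("certificate verification failed: %s" % info.get("verify_msg"))
    return problems


def check(client_output, server_page):
    """Combine both sources and evaluate; returns (info, problems)."""
    info = parse_client_output(client_output)
    info.update(parse_server_page(server_page))
    return info, evaluate(info)


if __name__ == "__main__":
    info, problems = check(SAMPLE_CLIENT_OUTPUT, SAMPLE_SERVER_PAGE)
    print(info)
    for p in problems:
        print("FAIL:", p)
```

Run against the guide's own transcript, the script passes the KEM and signature checks (p256_kyber512 and rsa3072_dilithium2 are both hybrids with a PQC component) but flags the verify return code of 21. That code is expected with the client command shown, because `-chainCAfile` only supplies certificates for building the client's own chain; to have s_client verify the server certificate against the CA chain, pass `-CAfile ca-chain.pem` instead, after which the client's `Verify return code` should read `0 (ok)`.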
Measure the performance of PQC algorithms with Luna Crypto Provider
To evaluate the performance of various PQC algorithms supported by the Luna Crypto Provider, follow these steps:
Ensure that both the Luna Crypto Provider and the default provider are enabled in the OpenSSL configuration file. For details, refer to Scenario C: Configure OpenSSL to enable the Luna Crypto Provider by default.
Use an empty or new partition for the performance test. This prevents key overflow and avoids interfering with application-specific keys stored in an active partition.
Run performance tests:
a. Use the following command to test the performance of a hybrid Key Encapsulation Mechanism (KEM) algorithm:
openssl speed -provider lunaprov -provider default p384_kyber768
The example above uses the PQC p384_kyber768 KEM algorithm. You can replace it with any other KEM algorithm supported by the Luna Crypto Provider.
b. Use the following command to test the performance of a PQC signature algorithm:
openssl speed -provider lunaprov p256_dilithium2
The example above uses the p256_dilithium2 hybrid signature algorithm. You can replace it with any other PQC signature algorithm supported by the Luna Crypto Provider.