Luna PQC FM

Set up Luna HSM

Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.

Create a partition that will be later on used by OpenSSL.

Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.

Initialize Crypto Officer and Crypto User roles for the registered partition.

Run the following command to verify that the partition has been successfully registered and configured:

C:\Program Files\SafeNet\LunaClient>lunacm.exe

Upon successful execution, you should observe an output similar to the example provided below:

lunacm.exe (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.
Available HSMs:
Slot Id ->                           0
Label ->                             TPA-FM
Serial Number ->                     1578912774253
Model ->                             LunaSA 7.8.0
Firmware Version ->                  7.8.0
Bootloader Version ->                1.1.5   
Configuration ->                     Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->                  Net Token Slot
FM HW Status ->                      FM
Current Slot Id:                     0

For PED-authenticated HSMs, enable Partition Policies 22 and 23 to support activation and auto-activation.

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

Access the Thales Support Portal and download the Luna Post Quantum Cryptography (PQC) FM Toolkit Version 3.1 (KB0028642). Refer to the README file included with the FM Toolkit for detailed installation instructions.

Unzip the downloaded toolkit from the Thales Support Portal.

Copy the lunapqc.fm and fmsign.cer files to the Luna SA using the following commands:

scp [FM_TOOLKIT_DIRECTORY]/fm/lunapqc.fm admin@[LUNA_SA_IP]:
scp [FM_TOOLKIT_DIRECTORY]/fm/fmsign.cer admin@[LUNA_SA_IP]:

Connect to the Luna SA as admin via SSH, then perform a Security Officer (SO) login. An HSM login is required to load the FM modules.

Execute the following command in the lunash shell to load the FM module:

hsm fm load -c fmsign.cer -f lunapqc.fm

Ensure the HSM is in the HSM Enabled state; otherwise, the command will fail to load the FM module.

Run the hsm restart command within lunash to reboot the Luna SA.

This restart will activate all existing partitions and enable SMFS. Any new partitions created after this point will require an additional HSM restart for activation.

After the restart, confirm that the Secure Multi-Factor Services (SMFS) is activated by executing the command:

hsm fm status

If SMFS is not activated, enable it by running the following command:

hsm fm smfs activate

Ensure that HSM Policy 52 (Restrict FM Privilege Level) is disabled on the Luna Security Appliance (SA) to allow proper functionality.

On the client system where the Luna Client is installed, replace the existing libshim.so file in the Luna Client library folder with the version provided in the FM Toolkit.

Both the FM Toolkit and FM SDK must be installed alongside the Luna Client to utilize the PQC FM Toolkit. The libshim.so included with the Luna PQC FM Toolkit is designed to function only when the FM Toolkit and FM SDK are properly installed with the Luna SDK.

Modify the Luna Client configuration file to include the following entries in the Chrystoki.conf file:

   Chrystoki2 = {
      LibUNIX = /usr/safenet/lunaclient/lib/libshim.so;
      LibUNIX64 = /usr/safenet/lunaclient/lib/libshim.so;
   }

   Shim2 = {
      LibUNIX = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
      LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
   }

Ensure that the following line is included in the Misc section of the /etc/Chrystoki.conf file:

ApplicationInstance = LUNA_PQC;

After implementing all configuration changes, confirm that the Luna Partition is accessible through LunaCM. Execute the following command:

/usr/safenet/lunaclient/bin/lunacm

The expected output should resemble the following:

lunacm (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                TPA-FM
Serial Number ->        1578912774253
Model ->                LunaSA 7.8.0
Firmware Version ->     7.8.0
Bootloader Version ->   1.1.5
Configuration ->        Luna User Partition With SO (PW) 
                        Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM

Current Slot Id: 0

Unzip the downloaded Luna Crypto Provider Toolkit and navigate to the toolkit directory.

Identify the lunaprov.so and sautil binaries within the following directory structure:

builds/linux/{flavour}/{bits}/{stream}

For example:

builds/linux/rhel/64/3.2/

Use the command which openssl to find the path of the default OpenSSL binary. If the path differs from the default, update the environment variables PATH and LD_LIBRARY_PATH accordingly. You can also use the command openssl version to check the current stream.

Utilize gembuild to determine the location of the OpenSSL modules directory:

./gembuild locate-providers

Copy the lunaprov.so binary to the OpenSSL modules directory to complete the installation of the Luna Crypto Provider:

cp /builds/linux/rhel/64/3.2/lunaprov.so /usr/lib64/openssl/ossl-modules

Transfer the sautil utility to the /usr/local/bin directory, ensuring compatibility with your version of OpenSSL:

cp {Luna_Crypto_Provider_Toolkit_directory}/builds/linux/rhel/64/3.2/sautil /usr/local/bin

Execute the sautil utility to verify that all options are displayed correctly:

/usr/local/bin/sautil

If the openssl and sautil locations are not included in the system defaults, add them to the PATH environment variable:

export PATH=/usr/local/bin:$PATH

If the OpenSSL library location is not present in the system defaults, add it to the LD_LIBRARY_PATH environment variable:

export LD_LIBRARY_PATH=/usr/local/lib64:$LD_LIBRARY_PATH

Confirm that Luna Crypto Provider support is available and active by running the following command:

openssl list -provider lunaprov -provider default -providers

Example output:

   Providers:
   default
     name: OpenSSL Default Provider
     version: 3.2.2
     status: active
   lunaprov
     name: Thales Luna Provider
     version: 1.6.2
     status: active

If the output matches the example above, the Luna Crypto Provider has been successfully installed.

Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.

Download and extract the OpenSSL source tarball from https://www.openssl.org/source/. It is required to download the version that is closest to your existing OpenSSL installation. For example, if you have OpenSSL v3.2.0 installed, you can download any OpenSSL v3.2.x where x can be any number.

tar xvfz openssl-x.x.x.tar.gz

Download the liboqs, a C library for quantum-safe cryptographic algorithms.

git clone -b main https://github.com/open-quantum-safe/liboqs

Navigate to the Luna Crypto Provider Toolkit directory and locate the modules location for the existing OpenSSL.

./gembuild locate-providers

Note the OpenSSL modules directory that will be used as input for the next command.

Run gembuild config and provide the inputs required to compile the provider.

./gembuild config --openssl-source= --openssl-providers= --liboqs-source= --config-bits=64

Example:

./gembuild config --openssl-source=/home/marif/openssl-3.2.2 --openssl-providers=/usr/lib64/openssl/ossl-modules --liboqs-source=/home/marif/liboqs --config-bits=64

If the OpenSSL development package is not available, you need to install it on the system. In this example, it is assumed that the OpenSSL headers and libraries are in their default locations, i.e., /usr/include and /usr/lib64, respectively. If the header and library files are installed in a custom location, use the --openssl-includes and --openssl-libs options to specify the location of the OpenSSL headers and library directory where libcrypto.so is available. All paths need to be absolute.

Build and install the liboqs.

./gembuild liboqs-build
./gembuild liboqs-install

Build and install the Luna Provider.

./gembuild provider-build
./gembuild provider-install

Verify that the Luna Crypto Provider support is available and active.

openssl list -provider lunaprov -provider default -providers

Example output:

       Providers:
       default
         name: OpenSSL Default Provider
         version: 3.2.2
         status: active
       lunaprov
         name: Thales Luna Provider
         version: 1.6.2
         status: active

Build and install sautil. By default, this will install the sautil utility to /usr/local/bin/sautil. If a customized location is desired, use the --sautil-prefix option in Step 4 to specify the location, or use the --sautil-prefix option with the ./gembuild sautil-install command.

./gembuild sautil-build
./gembuild sautil-install

Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.

Download openssl-x.x.xx.tar.gz from OpenSSL Source.

tar xvfz openssl-x.x.xx.tar.gz

Download the liboqs, a C library for quantum-safe cryptographic algorithms.

git clone -b main https://github.com/open-quantum-safe/liboqs

Extract the Luna Crypto Provider Toolkit and navigate to the toolkit directory. Run the gembuild config command using the --prefix option.

./gembuild config --openssl-source= --liboqs-source= --prefix=/usr/local --config-bits=64

Example:

# ./gembuild config --openssl-source=/home/marif/openssl-3.2.2 --liboqs-source=/home/marif/liboqs --prefix=/usr/local --config-bits=64

Build and install the liboqs.

./gembuild liboqs-build
./gembuild liboqs-install

Build and install OpenSSL.

./gembuild openssl-build
./gembuild openssl-install

Execute the following commands to build and install the Luna Crypto Provider:

./gembuild provider-build
./gembuild provider-install

Check that the Luna Crypto Provider support is available and active by running:

openssl list -provider lunaprov -provider default -providers

Example output:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.2
    status: active
  lunaprov
    name: Thales Luna Provider
    version: 1.6.2
    status: active

If the output matches the example above, the Luna Crypto Provider has been successfully installed.

Run the following commands to build and install the sautil utility:

./gembuild sautil-build
./gembuild sautil-install

The sautil utility will be installed in the directory specified by the --prefix option in Step 3, located at <prefix>/sautil/bin/sautil.

Add the locations of OpenSSL and sautil to the PATH environment variable:

export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH

Add the OpenSSL library location to the LD_LIBRARY_PATH environment variable:

export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH

Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.

Identify the location of the OpenSSL configuration file, openssl.cnf, where the provider configuration is defined. Use the following command:

openssl version -d

Example output:

OPENSSLDIR: "/usr/local/ssl"

The above command will indicate the OpenSSL version set via the PATH environment variable. To verify that you are accessing the correct configuration file, run which openssl.

Modify the openssl.cnf file as follows:

• At the very beginning of the openssl.cnf file**, add the following line:

openssl_conf = openssl_init

• Scroll down a few lines to find the section in the file and update it to include the following:

[ openssl_init ]
providers = provider_sect

[provider_sect]
lunaprov = lunaprov_sect
default = default_sect

[default_sect]
activate = 1

[lunaprov_sect]
activate = 1

If a section is added to explicitly activate any other provider (for example, the Luna Crypto provider), it is essential to also explicitly activate the default provider. Failing to do so may render the default provider unavailable in OpenSSL, potentially causing applications dependent on OpenSSL to malfunction. This can lead to significant system issues, including loss of remote access to the system.

Confirm that the Luna Crypto Provider is loading by default without the need to specify any provider. Execute the following command:

 openssl list -providers

Example output:

   Providers:
     default
       name: OpenSSL Default Provider
       version: 3.2.2
       status: active
     lunaprov
       name: Thales Luna Provider
       version: 1.6.2
       status: active

If the output resembles the example above, the Luna Provider is configured as the default provider for OpenSSL.

Generate a certificate request without specifying the provider parameter to test the application. Run the following command:

 openssl req -out CSR.csr -new -newkey dilithium3 -nodes -keyout privateKey.key

Example output:

HSM Label is "TPA-FM".
Enter Crypto-Officer Password: ***********************************************************************
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: IN
State or Province Name (full name) [Some-State]: Uttar Pradesh
Locality Name (eg, city) []: Noida
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Thales
Organizational Unit Name (eg, section) []: PQC FM 3.1
Common Name (e.g. server FQDN or YOUR name) []: localhost.localdomain
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If the private key and certificate request are successfully created on the Luna HSM without explicitly mentioning the specific provider, it confirms that the Luna Crypto Provider is now active by default.

Proceed to the next steps to link the Luna Crypto Provider to Luna HSM.

Edit the /etc/Chrystoki.conf file to include the GemEngine configuration, as shown below:

GemEngine = {
   LibPath64 = /usr/safenet/lunaclient/lib/libshim.so;
   LibPath = /usr/safenet/lunaclient/lib/libshim.so;
   DisableEcdsa = 0;
   DisablePqc = 0;
   IncludePqc = ALL;
   ExcludePqc = NONE;
   EnableEcGenKeyPair = 1;
   EnableEdGenKeyPair = 1;
   EnablePqcGenKeyPair = 1;
   DisableCheckFinalize = 1;
   IntermediateProcesses = 0;
   DisableSessionCache = 0;
   EngineInit = :10:11;
}

Replace <slot_id> with the actual identifier of the physical or virtual slot on your Luna HSM.

To establish a persistent session with the specified slot on the Luna HSM, use the sautil utility as follows:

/usr/local/sautil/bin/sautil -v -s  -i 10:11 -o -q

If a persistent session is not required, refer to the README-GEM-CONFIG file located in the <Luna Crypto Provider Toolkit directory>/docs folder. This document includes alternative login methods for partition access.

Verify the version of the Luna Crypto Provider by executing the following command:

openssl list -provider lunaprov -providers -verbose

Expected output:

Providers:
     lunaprov
       name: Thales Luna Provider
       version: 1.6.2
       status: active
       build info: 1.6.2
       gettable provider parameters:
         name: pointer to a UTF8 encoded string (arbitrary size)
         version: pointer to a UTF8 encoded string (arbitrary size)
         buildinfo: pointer to a UTF8 encoded string (arbitrary size)
         status: integer (arbitrary size)

Use the following command to view the quantum-safe signature algorithms supported by the Luna Crypto Provider:

openssl list -signature-algorithms -provider lunaprov

Expected output:

{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ lunaprov
{ 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ lunaprov
{ 1.3.101.112, ED25519 } @ lunaprov
{ 1.3.101.113, ED448 } @ lunaprov
ECDSA @ lunaprov
dilithium2 @ lunaprov
p256_dilithium2 @ lunaprov
rsa3072_dilithium2 @ lunaprov
dilithium3 @ lunaprov
p384_dilithium3 @ lunaprov

The list of available algorithms is truncated for brevity. Execute the command to view the complete list of supported algorithms.

Check the quantum-safe KEM algorithms supported by the Luna Crypto Provider:

openssl list -kem-algorithms -provider lunaprov

Expected output:

kyber512 @ lunaprov
p256_kyber512 @ lunaprov
x25519_kyber512 @ lunaprov
kyber768 @ lunaprov
p384_kyber768 @ lunaprov

The list of available algorithms is truncated for clarity. Please execute the command to see the full list of supported algorithms.

Open the <OPENSSLDIR>/openssl.cnf configuration file in a text editor.

In the [CA_default] section, update the following entries:

dir              = /usr/local/ssl
new_certs_dir    = $dir/certs

You can specify any directory, but ensure the path is consistent throughout the following steps.

If the directory for storing certificates does not already exist, create it with the following command:

mkdir -p /usr/local/ssl/certs

Create the necessary files for OpenSSL operations:

touch /usr/local/ssl/index.txt
touch /usr/local/ssl/serial

Open the /usr/local/ssl/serial file, enter 01 at the top, press Enter, and save the file. This initializes the serial number for certificates.

Generate the CA key and certificate using Post-Quantum Cryptography (PQC) algorithms as follows:

• Option 1: Generate the CA key and certificate in separate commands:

openssl genpkey -provider lunaprov -algorithm dilithium5 -out /usr/local/ssl/certs/dilithium5_CA.key
openssl req -provider lunaprov -new -x509 -days 730 -key /usr/local/ssl/certs/dilithium5_CA.key -out /usr/local/ssl/certs/dilithium5_CA.crt

• Option 2: Generate the CA key and certificate in a single command:

openssl req -provider lunaprov -x509 -new -newkey dilithium5 -keyout /usr/local/ssl/certs/dilithium5_CA.key -out /usr/local/ssl/certs/dilithium5_CA.crt

The example above uses the dilithium5 PQC algorithm, but you can substitute it with any PQC signature algorithm supported by the Luna Crypto Provider.

List the generated key pairs using the cmu utility:

[LunaClient_Installation_Directory]/bin/cmu list

Example:

/usr/safenet/lunaclient/bin/cmu list

When prompted, enter the partition password.

Create separate directories to store certificate requests for the server and user:

mkdir /usr/local/ssl/certs/server
mkdir /usr/local/ssl/certs/user

Generate a Certificate Signing Request (CSR) for the server by executing the following command:

openssl req -provider lunaprov -new -newkey dilithium3 -keyout /usr/local/ssl/certs/server/server.key -out /usr/local/ssl/certs/server/server.csr

This CSR can be used to create the server’s certificate, which is signed by the CA.

The example above uses the PQC dilithium3 signature algorithm. You may substitute this with any other PQC signature algorithm supported by the Luna Crypto Provider.

Sign the server’s certificate request using the CA certificate generated in step 5:

openssl x509 -provider lunaprov -req -in /usr/local/ssl/certs/server/server.csr -out /usr/local/ssl/certs/server/server.crt -CA /usr/local/ssl/certs/dilithium5_CA.crt -CAkey /usr/local/ssl/certs/dilithium5_CA.key -CAcreateserial -days 365

Generate a CSR for a user:

openssl req -provider lunaprov -new -newkey dilithium2 -keyout /usr/local/ssl/certs/user/user1.key -out /usr/local/ssl/certs/user/user1.csr

This CSR can be used to create the user’s certificate, which is also signed by the CA.

This example uses the dilithium2 PQC signature algorithm, but you can select any supported PQC signature algorithm for generating user certificates.

Sign the user’s certificate request using the CA certificate created previously:

openssl x509 -provider lunaprov -req -in /usr/local/ssl/certs/user/user1.csr -out /usr/local/ssl/certs/user/user1.crt -CA /usr/local/ssl/certs/dilithium5_CA.crt -CAkey /usr/local/ssl/certs/dilithium5_CA.key -CAcreateserial -days 365

Verify the newly generated key pairs, using the cmu utility:

/bin/cmu list

/usr/safenet/lunaclient/bin/cmu list

When prompted, enter the partition password.

Start a simple TLS server with quantum-safe KEM algorithms and certificates by running the following command:

openssl s_server -provider lunaprov -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 -groups kyber768:x25519_kyber768:mlkem1024

The example specifies kyber768:x25519_kyber768:mlkem1024, but you can select any supported KEM algorithms by listing them with the -groups option. The TLS server will attempt to connect to the client using any of the specified algorithms.

Open a new terminal window and initiate a client connection to the TLS server using a quantum-safe KEM algorithm by running the following command:

openssl s_client -provider lunaprov -groups kyber768

This example uses the kyber768 KEM algorithm. You may select any quantum-safe KEM algorithm supported by the Luna Crypto Provider by specifying it with the -groups option. For a full list of supported KEM algorithms, refer to the Luna Crypto Provider documentation.

[root@tpa01-intg ~]# openssl s_client -provider lunaprov -groups kyber768
Connecting to ::1
CONNECTED(00000003)
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
verify return:1
---
Certificate chain
 0 s:C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
   i:C=IN, ST=Uttar Pradesh, L=Noida, O=Thales-PQC, OU=PQC Integration, CN=dilithium5_CA
   a:PKEY: UNDEF, 192 (bit); sigalg: dilithium5
   v:NotBefore: Aug 16 05:06:58 2024 GMT; NotAfter: Aug 16 05:06:58 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIbRjCCCTugAwIBAgIUJm2Yh7wbtUCSo/e0KoPHBUOZxXcwDQYLKwYBBAECggsH
CAcwfDELMAkGA1UEBhMCSU4xFjAUBgNVBAgMDVV0dGFyIFByYWRlc2gxDjAMBgNV
BAcMBU5vaWRhMRMwEQYDVQQKDApUaGFsZXMtUFFDMRgwFgYDVQQLDA9QUUMgSW50
ZWdyYXRpb24xFjAUBgNVBAMMDWRpbGl0aGl1bTVfQ0EwHhcNMjQwODE2MDUwNjU4
WhcNMjUwODE2MDUwNjU4WjB1MQswCQYDVQQGEwJJTjEWMBQGA1UECAwNVXR0YXIg
UHJhZGVzaDEOMAwGA1UEBwwFTm9pZGExDzANBgNVBAoMBlRoYWxlczEYMBYGA1UE
CwwPUFFDIEludGVncmF0aW9uMRMwEQYDVQQDDApTZXJ2ZXJfVExTMIIHtDANBgsr
BgEEAQKCCwcGBQOCB6EANIyyMsyn6fRP3ZQEp976ghZA5bNbkivkeeIPzAPS409T
fEoDJ18HHMhD4BXKiD6Qa6v8ofTWtiPwRNvi3QKC2yX5MnIJqRbP3ZhTVMuuo0I+
HEd0AG5/K1nimpEaAeg0ts8PkqMa3nsag8X42umUAAxTjx4foAzwQwKVDh0azVCz
b8pL2dSAqM5DlAMQtxO0U1fsG2dCbwvrDI5tjbUqcQMhE5cvJEml8fq5BOLncizr
ZEU5fHUWGAxbcgM7ivMrlhfwsCTjdaikJlIrTIsqrV0GhXxDRdNMTeKWQojBq9W4
vaMdqciryDLvkjX0XOEqmKiEGBpm2dbrDy6INOSG0+zsI5vmS26UyTB2VBdRX6PG
nTalL0uMXVB8J0nyZTPU4NT7gcllyfUldG3ji5n7o79Q+q0ZVXUmtXZf3QN9ehAA
yar1zCEGtilpRH1oJySl5ySaLPm4QMEC0HYZ4LnCpB2KswZ8l+GQhGvohgmAC57j
i1hpw8i7FhwmBRG+6dMqhNBihscqE7TZfxkYThzli9te4cveTQ57JjQomJPHk22V
oCuJGN3eaeSjlfUVKXUtupCNU7SPC93lhHkzD+GA7w2e2SXfetqvqe2e8R8jcZhG
i3jUc3e8TbUHjsPUFp740G1thAbJ7Lhs14b4N26S+POyBEiTm6mYPV6yFealMmoV
3d2SN8zXPV3aqTsT6ANbUgbTg0FtMaTpex76zDo/NI0C6rj7QdAbJ7csKZ8WjGxN
38is9u0N6HPgiXO3cmFnKdoYqr7mtShcw6Cj1or7hsYa4zuge/+PsEKw/gV0Mnk6
i6w6NM/yaUiNKncFg40/smq8QeAGkYNrW+rykrUvF4HjLFMxio9D7XZm3KwJvLlL
toqlTOS5F1Clwa8opQoWlpIWNtj5QSGKmfkQy0WaD1bGrj9yLAtoOH66rz9ZHz9U
fihdmeH2PpGqUsERsv2Lv149w0Wrl8X7coNciZSNvYmwMYokKzqdtVa9ie7MWkHZ
dv+p9hengfeJWkIDu9D9H2sk2vOxYPUjJ5tXpqvEHHVR5H3jfAHXaSytz0Q53GrU
6uLRgxy9ylMPuhfile2byulgJbVCNTlp4zoGn6w/BxyJGptCtslO2CbsCAyTzrYA
UsJIu8fzpIIEFJa4ld7Pv+yLjg3+hwi2Az8X9YfjLsOmWv+59Btt2SnLNOuFTLoE
FoayGggOhxNc1XK3HQ/9ZFf5Dk823w/FnpVBgXL0Wt6/h7CWgH6H4f1F/NfvBPKy
mNqvoIOFomtgfkW2lcxjCYrZTnNBw5yRHsMuhCrxvFO4KrwyQihS3yu+Pf2It4iY
nyZ4mIseYcJWJtjPJsOfe/e+jEzuBU7qSlRuCFI5McVOI8GKs+XpFmvQ1VFvhANr
P8/Qf1MJG3rjhJvoNnJQ7+1vz1CSo2x/4+FeUovyr6uZb8+FhtjQJiQlp/ejYEtU
SRS0suhlQYkuMsPx4PRCCCjTLuKd2TmQrU3nvtKpjE1EG3qWCWS/3uh+45y7orNP
QHQXYUxAfdxVYblkaf7V/ThNij/4QyogC6DvenM2L8kgCF17ilzo65JcXLFy6jOP
IdLiIBUZ/Kxo762Dev0LouIoWgPYqW6GhL5R8TmmkKhsTVabgu6Xm8wfssQhEgPk
EipseC33ipEZo4pp0d/2wrTQKRUSKtTDwOfEvAcrbC+iN6TMwXoMYdXi7NJuo0La
oOEN7xvynaLKPS+tfYvTzama0eSahm7ratiFkvZ+hdenW+2doWEpM6Azi7yzwyaI
Rh1nKAZqvYeokh9FFa645JTzSwRIHdOBSgjHjIaJfu6WavMRc2Sa1eo2PkELK1Xg
HtJTKYfA0/QHGho8iWXkFmpZBL3CLZU6eGD4t3yMsyqmxnuiwHtM9deJvGMePA/l
dWjhPK7cORGjgx+X1GxXeuT2qXlg8t7Bm/m5cw+YTMSkiqytPEphruq7A2Pijn0R
+5HARROM2VU6UH+TlxXBHUJ3fa1V7c+zl6YdAlI59LzINeJ8zbrrq+Cztgt02nJb
VdSBFYh+/MLXR5Ul0BZAoRKIincID9aeqSVE0hon9i559pngq+TjcREKeOK5GNUg
DrGip+ixIyJAT+jQTJ2tkm97224ojMbb6aPIcGt/ckD6H+me+XyWSuZFYeDmCZQE
wGbKaI3fGpaX6YJsqI+qMwjOsPspHCFEt515OJY/BsIJtfBYZOD/B3naCB+ekUa5
ItusLBX1V2XvD+tTc/aiQ+GxRJ1bRm/cBFfybICOa3aXHlpTj6wD/yNdmPN5/Qpj
xqT78VAG4a7U5hpLtABJOx+Mg47SGtR3/DKK9UOyzy97TU1lz9b4kYc8Akdzpbd8
oHglqo7eYq3eMQ1EWuTNIamAo5ElT+fK4x7GnYNRSwecjMeMBiKfXVJw5Kib3uF8
6yiVgk/DftU10TP24l0nz4oGdUe+rWBkgJYw5gXJ5olxIsgt2m9Zn8tbes6zlcA8
Arw8E8tR0wyPvD1zWfAx3/bja13EWrQu4uhD4HUG+pRBUpIGU3qSDRYA1pQD5VVx
WUqqG3e29YN5i8rQ3GTaGMoePqgUlUD2zp7V4bXWxh6bGuoyhqS+aCOd75qmS2ej
QjBAMB0GA1UdDgQWBBTXHXuu6XDL0bST/zYyVOL/3dJm4DAfBgNVHSMEGDAWgBTc
EsF9ame88m26jeQT7/4gw4ppKjANBgsrBgEEAQKCCwcIBwOCEfQAgC4n6EUyjwrg
erb9Jfkw1Bp1W3WetARq0piEkfT4EKPwH7kwa1qKtt4SJfxNzCqfuErZwqTlsqMJ
GjLjpwjTthMKcxPfdg7BbCWFjzKYp/aY1hxNi/fdYavOF0gmdIE3YR5yoGDQ/Wqr
8+cQLiT7OIWUgK+0qrcF5nbpfSe6QqEFmunsMLSATTxgU/RZLah66q9/J6URN0O2
1Tc+qACCbRqKgXPWa1hlaPaqbqCAZ9yEqIfUdofTXdXBXCNQ1z8fldZMpMAkxI83
HrGODDaFC/6Qm9PnRJW3cOYpgvcjVbQiKotIe5OLg34QvAe1m8tbtU5bFTz9CZS4
oT3m2yzLRVQmxWAIxtn7FdTrgE1vcAmBSLEY8LU2Z2E3CLyiNdzAIXnC9uaXbNCC
RlVFTmoQIUKCM5UKk+OTk+vcY/9h2VAl4dlSw3X/HKrOjO+NYerFOxXz1mGo+uS+
3JOhj5LEAkOu3ujG5VsmI1P0XG7qmaUFX4RZ92Fi8R5FNDOgLcO91LfvhS3TczgZ
9wHcjkr5fVSyhUYw+Ddv9G6BSHOISp6rXSzSAn52j9VaVclj6QV1xRqUQg0+BziV
CGVItNh9f6J0h7DBWHOBbkeKBb3mVgCrvS3AifYVwQrm9Jvf0SlV//tKXnr2Uass
5bB5qBvfKcHnz17l5W+Z5TTfHXDtoObu9PNCaba04pWtPdm8BtmdHGF5nHPcMhw/
gufCsb1IYaLsqC5hz3dH8xUIY2iAbTNfoA+nSaoTdl4iiGTRyDnAeMCtB3/aef1Y
UnhFHE7/je2oM0U1QQ9F9Pl4azKEBLhz5jkKPdy94I9mgE9vkhFF7iVrka7zNN+v
e7Xd9VoOfgoV8taLMFLb0QhziC7KVS67toKKo5ZDVFkcB9frq8rqDjs88Qphk3qi
7Rq3xElfCU3F3piWd6gfuKEecjRrElz+I+tjZsJT8ETF8Mk9Nw8uj9w872FDoWD/
YmGippjDOY26IAO8HpO7nzGkvxpLu4q0VM7TsX2/2E0ilMtANmxg+JfpGkivE3d3
oQfPD+Nl+L6+lXpzJHkOJyYcPZr3g2XWxWHfXs/ZuMrfY34yDYw1UVBEYyp64HDr
rRM1rBn/SIQ2YFmLuLqQuE0fKZtzb+E5EP90vNaN3nzyppAh5Od2PqO5VESZXDPY
SXAgwjInxpEDWzyGEVnLyofmoaara8eDvVzydGiFNXKjqzrd17n/cFyGnCWfqPFa
7lwDRH6Av5imbR/o89aFo/ulmxdH9aY6RsOtSLq66TFErT8/sT9kMEE386IGn7Ka
wVJxiO0qqQhoL15vfgRNv1CDZOWRZw0yXPP/PVN5YV0mJYM71GcxxyXl2SwZ+hlR
r+YKrd7XDoA49CM8RREhhOQGicQfmi9S1lK85rchjX1CR3fiJFjb9/cqjMi2Y+7C
UPAtkTFS/mr7SgThvGDOxFHVsrCoUPR8dWFZREohaNlNSDzh88Ejwcevz1HDxU5f
pa5o2F3vmTPGIy1tH16L6MK2oyIC0oGGrddv66mV22le8EJLkPYA93rBEJvUw42w
+V+Ficqg0K4HZn0Ay/sabmDlSpbHkox3qfhpSh9yZ70nxaf4QUF5UgdxpPgkG0+e
kKShClrnaKuscxFWwogJb5y4D9JG5LvpyEnzEOMJTxYoDxNVH2b92cBxP4UwIDyc
rETpuk3ZQmWTWOKi+SmCvroxuZbJXaPS9LtY3v2Umqs7RaeDy67pWS7upv9o/OEj
ziT8JwwAuL0bO2/9M4rfBJb/ihWvwVzZS84cra8cEtTedQeHPTcuqZEmDryd3GV1
x8LXj/JB1cl7uzKRNrDLlR6yNunoRAYqYnQM0Vt7YoJN63c6UucQLkeWfrAyvAIZ
nn/MxVn0DBPO30v5UAgchoPFEZiiqzyX7q/D3zy8rPQaQNYZsXnBfVZoCx5z1RMp
jbNVN5c0gDEU8TadLoFSYzVXa5JgrCsbqkFjdeO20VRLO69/WmMe4VikCWM9c4Qt
EzzMeqXoig34bBmtar7r4P1XhtoByQPgavTj2h5WTlfdrMz/Q/lGG0ErX2QQRDxG
fVNc5K9eNCCGyZenAjuHQ1sx62nVwuFoalB75dROxuDb+hPAxBcI6KlDs1JNi2Vz
MYAtWrEbwktkllgyYbEU8qcQb+ScptfU3RiKgVhik9WWR21Ro37Ir9BcXWGdqIoz
cNsPQqnqdDlkCVBAMpmDfW4ivGsnlIPUG3O6FrEeo/UwYXjLNeQyJZ84OEvMWX9x
mtDmuK/vgWarIPCusjAyYRFj0wp+0zZaoW9X5Jmbq8cAFXGSh/fIgWu3yuOWgF4j
eCXabz35IM78Ss0ltPZwgTwAy/M0R5Mc43iNlXK80WOh5O1gPW25vQ+x4rphsSnn
93N7t/S9Xa7J9xCNVgpxHmwIJVyAJPlmVhYgteRycqKWRQsjh5paW8k4+EzYcY96
szDEmW93kojIaA6xBBy4UI20CS16fATMT2G/RMEU4QWZD+eM19qP2+UHpQP+RNyf
o8ctYYSqNAqGuyw+4u3aSHv+Gk01CEeFTW9VxjoktTquyZLJ2mimm73nZbyry8ZJ
ZBWO3xvQJ+eepapUfQR3OO/dPJR+6Ku+UXlJrLcuQMVcqYJvyZKLZwFUVuZaHvpu
ecj58b3c28IiMBu2Hgquau9R/wKj3dOOt5BW6JSIeVfIQN64ic8ubqw9WObJumD2
s2cl7wYv2b5ezRLIyJKi7mdo/5TeYpEurouHG2lIzDbFYnu+S2TgjutN4nyrnat7
2Y0ltpyFjwwLjs+mg99JwSg3d1BVWwguym1qyo+L+bFO2HZSvQD+4TOFJNJ9aGzx
ldnBsCKjfLckHFRAnw7ib/cInFWnn4GFQTyJ+/KhiWyuGzYFHxa/GcrxcQVBMCLG
XssiB/2q8WBLSLk+HdfEIoXtj3W/oQnx+bGYcvvMkFFWopMHoDz+vpdP5LAkyrHl
kNwcOvB/ZMR2IbPWmaW1QjyNmndeQPwvN+7FdvavdgvZouSQcE0A0kr54RpmFjZy
77poOCEfkun5hKkdaIoZcAwDNfd5nIwPn7aos8V8Nr98qzXQZZv1gxFW8qKF2EbE
+QBzSLAK4H48rzqPx8TkFSQrDNrNzuDvuO5TAJpYozdWY9PU3wqR58nuFbmpAod0
mOKPMQ6/22izfUPtBsvnoA+ZZ7206FxZ7rBhpmwx7rDIdOrqLjiE/ndE0Mwrsxs6
m6nyAWBA9Nv+3ofrrVoWGx7F8pgEONcJ9ZOAPuIXAiAXAp1Faw7IvdAjllbT9NIh
iRv4d9vhS45IkY4vaJw4rAPZfvrcS1cBRfwnf1bI30cfkYOXhB1rKjqCgp0nWNvG
bT7gHVwWGpgfeChH0uByFhyEgmu0HcRLZQF00qjhGzwofXpgxarsGD4+3faOM4WC
ddUm0aH/zOWZlKaHQyToCuXW8l5e4+UIrJufKCVGugR8caiOS7QDwLxoue/mB9tw
aRDmMPYjfZqsmr+87632Cf1FZIi5bCdoZrkEivpIK3yjbu6TzitDvCA2fTrObgu0
w+pjZRql4/tDx0Id4AL8kji/6RmpD6N9NSE+jsuXn83LPHZhSXuQ8ZM0pJyLp6X7
qXsTPPCWAU5y/RV+WsasQc6wGxe1Lm/SHUoLxijI6KEWnOJKdf32KFacDt+LGhGk
vb59fXQPUzcw9kYh1psR+QYNV/3zy83ZAXiM3lAHoiTGm8pKzlVgthlN+I5hiPcb
tMD97yKQasOrb9Rlcqs0CZ3lrDxg8QtuvYqNsR6GXMrNUKq5D9l3Yd0+LK3L5S73
pDUYqxtNn18hI8lXnKx8DwToeymoT5KGsjhmHXl6mBSPqAC5Fe1Opgf14OM8S34J
LjPntwT+gbqGpQoAcgz84Fv6XcfnF02na5ywPlupyLemHe3ZM8gw1qOTphAMOrG+
8XV2EjLNJez/07zRcTPCziHkszdocT9PX3Fwj0wk/UJ+61gokbrqZzQ49Kmv1DuD
tBXdybqpZ7QUkdSRjhcio5ahIW3w16Y65x1LJj9Y0/2Zco3d6CKaiK9r1RxarkLF
fKJRDOUv24AG496BEMLcY9oXRPinoPcWjDarTitx6TmIw8/2Dut8Z3P8WBtFVZGA
ENSEEKeY4dXJo28scZopcWNhhU7PyJK95t2ugHJU3h54tJT7oY/AampVQrInw4d9
FfvXZj3sCLNukgOB9lsAQSPcS44vvoGpUkpPVUmVGCjF5hItLQH2dhzlhu0sXUp0
t7IPywsqs+SwnoYAr7QxAXK6NWdsGMthwFvGg2WhrrYld1ShAQIcugvpZW8ei9rT
LjyQPvAZXz4WowD83xLwX0rMPyo9cBlY8/dYbQziI9tpc8L4wd20pT5kW0ONIsX3
osRdUawchybgRerCUSTUjPMaat+H73CYmE1sbPWB2Ky3k1k8EuJCf0OzPDFhPMRt
SEzHXjjCLOIN7J2ZV57h6Y69gK+w06L9TQytZa9Y2str8D8Tn4dXOwszNuiTAOYK
OJK1etOM4ntV5J1ErxlbK6+uVeAmbjsZP/jAa3tJG6CEKWxn55Nfo0a8vzhrt+dR
KevIFU+lo55If41DNsMxZzu7LQueN+cd8TfYMfHYi9sJnsVlrGNexeITsfLPbiS2
YF3VYZ6EqzGKJWh7t2+rPIqy8E6vv7BOjUZScW2ZAWcVHZQK3WXaNW3qUxOdFISi
mHx7+lBs/uycg6XkUsLUkxa92QvQWagY4FvTuLd2zfH+VxVtvbWfzSJQp8JLgafH
HkQSHITlkxsp+gfpegmhrYvH3yf1nMto27Vi803/LUU7lMMK1BjRMYaEeE1E0viE
HSN2C7ZfoxX/1tVsv05/ImibN41T3RDEDZnr7yiCxOWHvkuuThhem4EvAg1WS+fu
dEbphRpf/s0agJz09UD77aNOKDcl8heVUB558P/9zLieAYYgViKLFFO+AZgo1onJ
h4UGDjz7WtqTzb63i5MXAF7fMudDk2zdbpD6IuV/7Su5WYsjnCQc/A4mYpYFvjJ0
qIxqviZyuhNDm3nnt0oaIZjwbWPH7HVxNN+THIldnOqtQ+i90ScWxpZFl6XkJhxV
0riqRCzPMZAQgj3RZ0QQJF2x7PRqgUo8n+W2KRO8aFVTB7skyLUOyoBhuwu2sag4
Xl9iXYHlT9p5IXlIFW5co5jdNLXze719cR+DTXeiSgVblRbf7lrp7eNjWi+NnZla
xY+3qMWMjSwBMQNn/woisUip65M1AuZ8dyHjGjGQnInH/obeQjG64BMktmraqwd1
kmxvfuFVRSo3W+OiYIG5Y6Q+c+oEJGkPk4U7YUSgsYA9idqSXrXAd/F+gbkxNDWu
TVNe6hSd5ksln3jNNtzTIvBweoOdDslJPO2BeK4AqlzOF/UjOw/FbMMmSjwL/wtI
xuKKTaWo+i9cubLXk1WuginWQz+jtuAiWyRsdUS0yU7uqXFwcR6rQprtbXyKtpPQ
ItpEtJjSZaddvbLWJYqmrBBRjgLFbKfQnlffZyPQplf883QGVGLN2aVXme/BBqp2
G3vE48+XglDRxITViPjAUlwKkwmJZxCi1xle3/oynD8TdINJaD3pepcz4MAhb02l
p8VZLAW/v4d0reogPWb3pPQJfZb5wYkgWKEPKue3+0G/BLKl8YilM3HTuWaxNGGx
2BVA5P8dJijfFUUqMU3TP9RPoV3Ce8Zn/RFG7l9D0ouw5jzagmo2J4PaDkl9OoKI
ycJW8csfbNrMP73paLOOyN+HvHjYUNJ2dAe+b1c9Mwf9Llf9FDjj4ca3/1zvtYhd
29vf1PJlUB7jfW09b9ag8+3G2FcBnWw3OafU3Fg5b4Xi/WphQzdSG706egSQQvtz
BoAKLnvj+Sdv8yx7DPGX9v71FOqDabW1Uh5y7R0IAwaniCmdaNlamHh3BPpNIoqy
1JP0ax+kx95zrmTl1Jknk/xsTVkmWE2sVrtmWjsKA1tpF1TxkSKmz8vbSaqNskzo
VL4GK5EvOIMnnjdF1X6pgzZhj4ok8tsJgs95EsPpgYkp3vCpsNReTmJnaZThEkpc
wAwNJDt/g4iVqebsEBxpfoep1OYAASeU1kJRrsLUHUlXZn6w2QcIIHR2wsfPAAAA
AAAAAAAAAAAAAAAAAAAAAAAABgoVHSInLjY=
-----END CERTIFICATE-----
subject=C=IN, ST=Uttar Pradesh, L=Noida, O=Thales, OU=PQC Integration, CN=Server_TLS
issuer=C=IN, ST=Uttar Pradesh, L=Noida, O=Thales-PQC, OU=PQC Integration, CN=dilithium5_CA
---
No client certificate CA names sent
Peer signature type: dilithium3
---
SSL handshake has read 11635 bytes and written 1619 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 192 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E748E5E9E65478348733DED836F47D0C8621390B7E4BFCD92DBCD5EDA4E3E25
    Session-ID-ctx:
    Resumption PSK:3D23FF34AB009A9103D93490899FB97A281D9752754CD917F6F1BC39D8804AA7AEC2F04E80CCFA8472209F262A0106D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3c 5e 48 dd 57 48 5f 53-c5 01 7a 02 1a b3 18 6e   <^H.WH_S..z....n
    0010 - 45 af 32 2d 81 bf 65 a9-ac e5 52 3e c2 8d c8 47   E.2-..e...R>...G
    0020 - bf 95 4a 02 8a 2b e2 d1-c1 29 c0 86 99 80 27 70   ..J..+...)....'p
    0030 - 0d 1e 78 29 bc d1 58 d7-ca 00 2c fa 03 2d d8 6d   ..x)..X...,..-.m
    0040 - d0 18 9b b5 7c 7c d0 33-c0 46 3b 52 b0 7a ed 36   ....||.3.F;R.z.6
    0050 - bd 9d c0 bb 0e c9 8f 65-b9 7a be eb 26 ff 49 61   .......e.z..&.Ia
    0060 - c4 a8 a5 30 e2 ee ef bb-34 75 fd fc f7 26 a1 31   ...0....4u...&.1
    0070 - 7d 5e 31 dc 9e 80 bd 34-c1 08 b3 94 96 e5 6a d7   }^1....4......j.
    0080 - e4 e2 24 6f 97 fb 6f b8-9d 6a 99 21 f3 5d f9 0b   ..$o..o..j.!.]..
    0090 - 36 8d de 10 9b 92 bd b0-3e 79 77 19 de 4e fe 33   6.......>yw..N.3
    00a0 - ac 63 7d 63 8f ac e3 93-d0 8f 70 ea 74 15 28 9e   .c}c......p.t.(.
    00b0 - d3 f2 76 31 7e 0c ba fe-c8 e1 71 e5 0e b4 b8 48   ..v1~.....q....H
    00c0 - cd 1c 57 31 f1 5f 62 bd-f9 a7 d4 a2 e4 9c 0b f3   ..W1._b.........

    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E7DA65D795C811282319D2AEADF1782954B9AB2264BAB63A6FF9D99AB90ED28F
    Session-ID-ctx:
    Resumption PSK: 0E85B524461CE54A479A6FE3B4848B428DCC5376E227CA8156B82C8EB242F51F176EE14ED987E2DEF5926B9A05EE97BC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3c 5e 48 dd 57 48 5f 53-c5 01 7a 02 1a b3 18 6e   <^H.WH_S..z....n
    0010 - c9 30 50 87 ee 6b b4 92-ec ef 4c cf d1 5c b1 84   .0P..k....L..\..
    0020 - 05 a1 86 b1 87 9f 9b e3-af 0c 99 ec 17 ec 5f 12   .............._.
    0030 - 81 ff 76 d0 12 c1 5f 4a-5f 12 ab 2f d3 9d af 2c   ..v..._J_../...,
    0040 - 63 c8 2e a9 9d 2d d2 ec-e0 48 f8 92 a8 26 02 77   c....-...H...&.w
    0050 - 26 82 e9 c6 b9 ec 62 34-cb b2 88 5f 32 53 47 1f   &.....b4..._2SG.
    0060 - 5e ce 29 26 0a f4 81 57-9b ed 86 b3 a1 64 da 62   ^.)&...W.....d.b
    0070 - eb 8d 21 ef 28 af 3c 21-98 e0 8d 03 62 19 12 50   ..!.(..V....K
    00a0 - ab 14 9d 96 e2 2b 2e cf-36 b0 7f 78 91 59 03 0c   .....+..6..x.Y..
    00b0 - f7 74 6b c9 53 12 f6 50-4f 80 d3 50 6a a5 24 50   .tk.S..PO..Pj.$P
    00c0 - 8f 92 2c 51 3c c4 9c 63-58 9f ad d2 f9 8d c7 d0   ..,Q<..cX.......

    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
  read R BLOCK

After successfully connecting the client, enter the command GET / to prompt the quantum-safe crypto-enabled OpenSSL3 server to return details about the established connection.

---
read R BLOCK
GET /
HTTP/1.0 200 ok
Content-type: text/html



s_server -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 groups kyber768:x25519_kyber768:mlkem1024
This TLS version forbids renegotiation.
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA
SSLv3      :DHE-PSK-AES128-CBC-SHA    SSLv3      :AES128-SHA
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA
---
Ciphers common between both SSL end points:
TLS_AES_256_GCM_SHA384     TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384  ECDHE-RSA-AES256-SHA384    DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256  ECDHE-RSA-AES128-SHA256    DHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA     ECDHE-RSA-AES256-SHA       DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       DHE-RSA-AES128-SHA
AES256-GCM-SHA384          AES128-GCM-SHA256          AES256-SHA256
AES128-SHA256              AES256-SHA                 AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple
Supported groups: kyber768
Shared groups: kyber768
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 58DA73FB96C923CB38FCFB9163E0DBB809FABB4EE07459E0D9D2B11E2162510B
    Session-ID-ctx: 01000000
    Resumption PSK: 0E85B524461CE54A479A6FE3B4848B428DCC5376E227CA8156B82C8EB242F51F176EE14ED987E2DEF5926B9A05EE97BC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1723786132
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
no client certificate available


closed

To begin, use the user certificate created in Step 10-11 of the Generate Crypto Materials using PQC Algorithms section to sign the data.

Create a text file named inputfile containing the data that you wish to sign. For example:

echo "Sample data to validate the signing using PQC Signature Algorithms Supported by Luna Provider" > inputfile

OpenSSL CMS requires a digest algorithm for signing. Unlike the certificate creation step, where no digest algorithm is needed, signing data with CMS necessitates specifying a message digest algorithm via the -md parameter. Use the following command to sign the data:

openssl cms -provider lunaprov -in inputfile -sign -signer /usr/local/ssl/certs/user/user1.crt -inkey /usr/local/ssl/certs/user/user1.key -nodetach -outform pem -binary -out signedfile -md sha512

The data to be signed is read from the inputfile, and the signed output is stored in signedfile. The quantum-safe signature algorithm used is the same one specified in the user1.crt certificate.

To verify the signature on the signedfile CMS file, use the following command. This will output the contents to a new file called outputfile. If the contents of outputfile match the original data in inputfile, the verification is successful:

openssl cms -verify -CAfile /usr/local/ssl/certs/dilithium5_CA.crt -inform pem -in signedfile -crlfeol -out outputfile

If the contents of both inputfile and outputfile are identical, the signing and verification process has been completed successfully.

To sign the data using the private key, run the following command:

openssl dgst -provider lunaprov -sign /usr/local/ssl/certs/user/user1.key -out dgstsignfile inputfile

This will create a signed file named dgstsignfile.

To verify the signature, extract the public key from the user certificate:

openssl x509 -in /usr/local/ssl/certs/user/user1.crt -pubkey -noout > user1.pubkey

Verify the signature by running the following command, using the public key extracted in the previous step:

openssl dgst -signature dgstsignfile -verify user1.pubkey inputfile

Here, dgstsignfile is the signed data file, and user1.pubkey is the public key from the user certificate.

Ensure that you are using an empty or new partition for the performance test. This is important as the test can generate hundreds of keys, potentially filling up the partition’s storage. Avoid using the application partition in use to prevent overwriting keys necessary for your application.

To measure the performance of a PQC Key Encapsulation Mechanism (KEM) algorithm, run the following command. For example, to use the p384_kyber768 KEM algorithm, enter:

openssl speed -provider lunaprov p384_kyber768

This command measures the performance of the p384_kyber768 KEM algorithm, but you can replace it with any other supported KEM algorithm.

To test the performance of a PQC signature algorithm, such as p256_dilithium2, use the following command:

openssl speed -provider lunaprov p256_dilithium2

This command measures the performance of the p256_dilithium2 signature algorithm, but you can substitute it with any PQC signature algorithm supported by the Luna Crypto Provider. The tests will provide output indicating the performance metrics for the specified algorithms, including how quickly they can process cryptographic operations.