Intro

Here's my latest crypto playbook for my domain cyber.cafe using Ubuntu Server 24.04.

Preparation

Ubuntu 24.04 ships OpenSSL 3.0, and the hybrid ML-KEM key-exchange groups used below only arrived in OpenSSL 3.5, so to use them we need to build OpenSSL 3.5 from source and build nginx against it. Linode already has good documentation on how to do this here:

https://www.linode.com/docs/guides/post-quantum-encryption-nginx-debian11/

I'm patiently waiting for a Linux distribution to be released with OpenSSL 3.5 baked in so that I don't have to build from source.

You can donate to the OpenSSL Software Foundation here: https://openssl-library.org/donations/

Install Let's Encrypt's certbot

Per EFF's documentation: https://certbot.eff.org/instructions?ws=nginx&os=snap

sudo snap install --classic certbot

You can donate to Let's Encrypt here: https://letsencrypt.org/donate/

Use stronger certs

Certbot 2.x defaults to ECDSA P-256 (secp256r1); older releases defaulted to RSA-2048. Ask for a larger key explicitly, either RSA-4096 or ECDSA on the P-384 curve (EC-384). Note that certonly only obtains the certificate and leaves the nginx config alone, so the --redirect and --hsts flags have no effect here: the HSTS header is set by hand in the nginx template below, and the HTTP-to-HTTPS redirect needs a port-80 server block of its own.

RSA-4096

sudo certbot certonly --nginx -d cyber.cafe --key-type rsa --rsa-key-size 4096 --redirect --hsts

EC-384

sudo certbot certonly --nginx -d cyber.cafe --key-type ecdsa --elliptic-curve secp384r1 --redirect --hsts
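Once certbot has run, it is worth confirming that the certificate actually carries the key profile you asked for before wiring it into nginx. The script below is an added example, not part of the original post or of certbot; it assumes the /etc/letsencrypt/live/cyber.cafe/ layout from the post (cert.pem is the leaf certificate certbot writes next to fullchain.pem) and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): report the public-key algorithm
# and size of a PEM certificate so you can confirm certbot honoured
# --key-type / --rsa-key-size / --elliptic-curve.
set -eu

# Print "rsa <bits>" or "ec <curve-oid-name>" for the public key in a PEM cert.
# Works with the text layout of both OpenSSL 1.1.1 and 3.x.
cert_key_profile() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            bits=$(printf '%s\n' "$text" \
                | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n1)
            printf 'rsa %s\n' "$bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            curve=$(printf '%s\n' "$text" \
                | sed -n 's/.*ASN1 OID: \([A-Za-z0-9]*\).*/\1/p' | head -n1)
            printf 'ec %s\n' "$curve" ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Exit 0 when the certificate matches the wanted profile, 1 otherwise.
# Usage (paths as in the post, which is an assumption about your layout):
#   check_cert_profile /etc/letsencrypt/live/cyber.cafe/cert.pem "ec secp384r1"
#   check_cert_profile /etc/letsencrypt/live/cyber.cafe/cert.pem "rsa 4096"
check_cert_profile() {
    actual=$(cert_key_profile "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 is $actual"
        return 0
    fi
    echo "MISMATCH: $1 is '$actual', wanted '$2'" >&2
    return 1
}
```

Run check_cert_profile from a renewal hook as well, so a silently changed key type (for example after editing the renewal config under /etc/letsencrypt/renewal/) is caught at renewal time rather than months later.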

nginx changes

This is a template; adjust it to your site. Be aware that it sends HSTS with includeSubDomains and preload: once cyber.cafe is submitted to hstspreload.org, every subdomain has to serve HTTPS, and getting the domain removed from the browser preload lists takes months, so only keep preload if you are sure. The preload list also requires that plain HTTP on port 80 redirects to HTTPS, which this block does not do on its own. ssl_early_data on permits TLS 1.3 0-RTT, and 0-RTT requests can be replayed by an attacker; leave it off unless the application behind nginx checks the $ssl_early_data variable and rejects non-idempotent requests that arrive as early data.

sudo vim /etc/nginx/conf.d/default

server {
    listen [::]:443 quic reuseport;
    listen [::]:443 ssl;
    listen 443 quic reuseport;
    listen 443 ssl;
    server_name cyber.cafe;
    root /var/www/public;
    access_log off;

    # Advertise HTTP/3 on the same port; clients may cache this for a day.
    add_header Alt-Svc 'h3=":443"; ma=86400';
    # HSTS for one year, covering all subdomains, eligible for browser preload lists.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    http2 on;
    http3 on;
    # http3_hq only enables HTTP/0.9 over QUIC for interoperability testing; leave it off in production.
    quic_gso on;
    quic_retry on;
    # 0-RTT data is replayable; the application must honour $ssl_early_data.
    ssl_early_data on;

    ssl_certificate /etc/letsencrypt/live/cyber.cafe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cyber.cafe/privkey.pem;

    ssl_protocols TLSv1.3;
    # Key exchange: hybrid ML-KEM groups first (OpenSSL 3.5 names), classical fallbacks last.
    ssl_conf_command Groups X25519MLKEM768:SecP384r1MLKEM1024:SecP256r1MLKEM768:MLKEM1024:X25519:secp384r1;
    # Server preference applies to the group list as well as the ciphersuites.
    ssl_conf_command Options +ServerPreference;
    # Move ChaCha20-Poly1305 to the top when the client lists it first (clients without AES-NI).
    ssl_conf_command Options +PrioritizeChaCha;
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
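The template above listens only on 443, so http://cyber.cafe gets no answer at all, and both the --redirect intent and the HSTS preload requirements call for port 80 to redirect to HTTPS. The server block below is an added example, not part of the original post; it uses the same host name and can sit in the same file.

```nginx
# Added example (not from the original post): plain-HTTP listener whose only
# job is to send every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name cyber.cafe;

    # Redirect from a location block rather than a server-level return so that
    # an exact-match location (for example an ACME http-01 challenge path
    # added by a tool) still takes precedence and is served over plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After adding it, confirm the redirect with curl -sI http://cyber.cafe/ and check for a 301 with a Location header pointing at https://cyber.cafe/; hstspreload.org performs the same check before accepting a submission.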

Validate with:

sudo nginx -t

Restart nginx:

sudo service nginx restart

Notes

I made a script to validate the server config here: https://github.com/yawnbox/test-pqc
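For a quick check from a machine that has an OpenSSL 3.5 client, the script below is an added example, separate from the test-pqc script linked above and not part of the original post. It assumes an openssl binary on PATH that prints the "Negotiated TLS1.3 group:" line (OpenSSL 3.2 and later; the ML-KEM group names need 3.5) and uses the -groups option to restrict what the client offers, so you can probe both the hybrid path and the classical fallback.

```shell
#!/bin/sh
# Added example (not the post's test-pqc script): confirm that a live server
# negotiates TLS 1.3 with the expected key-exchange group and ciphersuite.
# Assumes an OpenSSL 3.5 `openssl` client on PATH.
set -eu

# Reduce `openssl s_client` output on stdin to "protocol|ciphersuite|group".
summarize_handshake() {
    awk '
        /^ *Protocol *:/             { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/               { sub(/^ *Cipher *: */, ""); cipher = $0 }
        /^Negotiated TLS1\.3 group:/ { sub(/^Negotiated TLS1\.3 group: */, ""); group = $0 }
        END { printf "%s|%s|%s\n", proto, cipher, group }
    '
}

# Return 0 when a summary shows TLS 1.3 with the wanted group (and, if given,
# the wanted ciphersuite), 1 otherwise. Pure string logic, so it is checkable
# offline against captured output.
handshake_ok() {
    summary=$1; want_group=$2; want_cipher=${3:-}
    proto=${summary%%|*}
    rest=${summary#*|}
    cipher=${rest%%|*}
    group=${rest#*|}
    [ "$proto" = "TLSv1.3" ] || return 1
    [ "$group" = "$want_group" ] || return 1
    [ -z "$want_cipher" ] || [ "$cipher" = "$want_cipher" ] || return 1
    return 0
}

# Probe HOST on 443, offering only GROUPS (default: just WANT_GROUP), and
# verify the server picked WANT_GROUP. Examples:
#   probe_pqc cyber.cafe X25519MLKEM768
#   probe_pqc cyber.cafe X25519 X25519:secp384r1   # classical fallback still works?
probe_pqc() {
    host=$1; want_group=$2; groups=${3:-$2}
    summary=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" \
        -tls1_3 -groups "$groups" 2>/dev/null | summarize_handshake)
    if handshake_ok "$summary" "$want_group"; then
        echo "OK   $host -> $summary"
    else
        echo "FAIL $host -> $summary (wanted group $want_group)" >&2
        return 1
    fi
}
```

A server that fails the X25519-only probe is rejecting classical clients entirely, which the Groups list in the template does not intend; a server that fails the X25519MLKEM768 probe is either running an older OpenSSL or lost the ssl_conf_command lines on a config reload.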