opium.io

Notes from my voyages in Wonderland…
Thoughts from someone born before the Intel 8088…

Checking PQC support with Boring SSL or PQCscan

PUBLISHED ON FEB 19, 2026 — CATEGORIES: CADDY , PQC

Check PQC One (me) might want to test PQC support to be sure that their server are ready for the imminent (< 10 years) PQC apocalyse. One might say that it is a bit too early to be scared of a not so impending doom… But why wait and who I am to judge? After all, the Y2K craze bootstraped my career…

Note: on MacOS you can install Ninja and Cmake using brew: brew install cmake ninja

The next steps are pretty much straightforward. We just have to clone the boringssl repo and build the binary.

git clone https://boringssl.googlesource.com/boringssl
cd boringssl
cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release
ninja -C build

And voilà! Now the only thing we have left to do is to check our website for PQC.

cd build
./bssl client -connect opium.io -server-name opium.io -curves X25519
Connecting to [2001:19f0:6c01:92:5400:ff:fe2e:7516]:443
Connected.
  Version: TLSv1.3
  Resumed session: no
  Cipher: TLS_AES_128_GCM_SHA256
  ECDHE group: X25519
  Signature algorithm: ecdsa_secp256r1_sha256
  Secure renegotiation: yes
  Extended master secret: yes
  Next protocol negotiated:
  ALPN protocol:
  OCSP staple: no
  SCT list: no
  Early data: no
  Encrypted ClientHello: no
  Cert subject: CN = opium.io
  Cert issuer: C = US, O = Let's Encrypt, CN = E8

or… you can use PQCscan (written in rust). I find PQCscan easier since it will do the boring lifting of looping through PQC available algorithms for you.

if it’s not done already, instal rust using brew with: brew install rust

Then clone and compile pqcscan.

git clone https://github.com/anvilsecure/pqcscan.git
cd pqcscan/
cargo build --release

Then execute PQCscan using the TLS scan option.

./target/release/pqcscan tls-scan -t opium.io:443
[2026-02-19T22:29:52Z INFO  pqcscan] PQCscan 0.8.0 starting
[2026-02-19T22:29:52Z INFO  pqcscan] Starting TLS scan
[2026-02-19T22:29:52Z INFO  pqcscan] Loaded 1 target(s) for TLS scan
[2026-02-19T22:29:52Z INFO  pqcscan] Using 8 thread(s)
[2026-02-19T22:29:52Z INFO  pqcscan] Initializing async runtime
[2026-02-19T22:29:52Z INFO  pqcscan] Starting scan execution
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Scan started at 2026-02-19 22:29:52 UTC
[2026-02-19T22:29:52Z INFO  pqcscan::tls] TLS scan: opium.io:443 supports hybrid PQC algorithm: X25519MLKEM768
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Scan finished at 2026-02-19 22:29:52 UTC
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Total scans completed: 1
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Done scanning. All threads exited.
[2026-02-19T22:29:52Z INFO  pqcscan] Scan completed. Total results: 1
[2026-02-19T22:29:52Z INFO  pqcscan] Scan duration: 0.17s
[2026-02-19T22:29:52Z INFO  pqcscan] PQCscan finished

This blog post is 100% human-written and 100% GenAI proofread.

TAGS: PQC , CADDY , TLS