Checking PQC support with Boring SSL or PQCscan

PUBLISHED ON FEB 19, 2026 — 370 words — CADDY , PQC


Check PQC One (me) might want to test PQC support to be sure that their server are ready for the imminent (< 10 years) PQC apocalyse. One might say that it is a bit too early to be scared of a not so impending doom… But why wait and who I am to judge? After all, the Y2K craze bootstraped my career…

Note: on MacOS you can install Ninja and Cmake using brew.

brew install cmake ninja

The next steps are pretty much straightforward. We just have to clone the boringssl repo and build the binary.

git clone https://boringssl.googlesource.com/boringssl
cd boringssl
cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release
ninja -C build

And voilà! Now the only thing we have left to do is to check our website for PQC.

cd build
./bssl client -connect opium.io -server-name opium.io -curves X25519
Connecting to [2001:19f0:6c01:92:5400:ff:fe2e:7516]:443
Connected.
  Version: TLSv1.3
  Resumed session: no
  Cipher: TLS_AES_128_GCM_SHA256
  ECDHE group: X25519
  Signature algorithm: ecdsa_secp256r1_sha256
  Secure renegotiation: yes
  Extended master secret: yes
  Next protocol negotiated:
  ALPN protocol:
  OCSP staple: no
  SCT list: no
  Early data: no
  Encrypted ClientHello: no
  Cert subject: CN = opium.io
  Cert issuer: C = US, O = Let's Encrypt, CN = E8

or… you can use PQCscan (written in rust). I find PQCscan easier since it will do the boring lifting of looping through PQC available algorithms for you.

if it’s not done already, instal rust using brew with:

brew install rust

Then clone and compile pqcscan.

git clone https://github.com/anvilsecure/pqcscan.git
cd pqcscan/
cargo build --release

Then execute PQCscan using the TLS scan option.

./target/release/pqcscan tls-scan -t opium.io:443
[2026-02-19T22:29:52Z INFO  pqcscan] PQCscan 0.8.0 starting
[2026-02-19T22:29:52Z INFO  pqcscan] Starting TLS scan
[2026-02-19T22:29:52Z INFO  pqcscan] Loaded 1 target(s) for TLS scan
[2026-02-19T22:29:52Z INFO  pqcscan] Using 8 thread(s)
[2026-02-19T22:29:52Z INFO  pqcscan] Initializing async runtime
[2026-02-19T22:29:52Z INFO  pqcscan] Starting scan execution
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Scan started at 2026-02-19 22:29:52 UTC
[2026-02-19T22:29:52Z INFO  pqcscan::tls] TLS scan: opium.io:443 supports hybrid PQC algorithm: X25519MLKEM768
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Scan finished at 2026-02-19 22:29:52 UTC
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Total scans completed: 1
[2026-02-19T22:29:52Z INFO  pqcscan::scan] Done scanning. All threads exited.
[2026-02-19T22:29:52Z INFO  pqcscan] Scan completed. Total results: 1
[2026-02-19T22:29:52Z INFO  pqcscan] Scan duration: 0.17s
[2026-02-19T22:29:52Z INFO  pqcscan] PQCscan finished

This blog post is 100% human-written and 100% GenAI proofread.

TAGS: CADDY , PQC , TLS
< prev | blog

home