Commit 05fe350

Add setup instructions to pqc-to-origin
1 parent 8b65760 commit 05fe350

1 file changed

+38
-0
lines changed

src/content/docs/ssl/post-quantum-cryptography/pqc-to-origin.mdx

Lines changed: 38 additions & 0 deletions
@@ -20,4 +20,42 @@ To reduce the risk of any issues when connecting to servers that are not ready f
2020

2121
If the origin supports ML-KEM, it can use HelloRetryRequest to request it from Cloudflare.
2222

23+
## Set up
24+
25+
### Cloudflare zone settings
26+
27+
The method described above is the one used to allow Cloudflare to support post-quantum to all outbound connections. However, if your origin server supports PQC and prefers it, you can use the [API](/api/operations/zone-cache-settings-change-origin-post-quantum-encryption-setting) to adjust it and avoid the extra round trip.
28+
29+
It is also possible to opt out of PQC using the same API endpoint.
30+
31+
:::note
32+
This setting affects all outbound connections from the zone you specify in the API call, including `fetch()` requests made by [workers](/workers/) on your zone.
33+
:::
34+
35+
```bash
36+
curl --request PUT \
37+
"https://api.cloudflare.com/client/v4/zones/{zone_id}/cache/origin_post_quantum_encryption" \
38+
--header "Authorization: Bearer <API_TOKEN>" \
39+
--header "Content-Type: application/json" \
40+
--data '{
41+
"value": "<YOUR_CHOSEN_SETTING>"
42+
}'
43+
```
44+
45+
The possible values are:
46+
- `supported` (most compatible): Advertise support for post-quantum key agreement, but send a classical keyshare in the first ClientHello.
47+
- `preferred` (most performant): Send a post-quantum keyshare in the first ClientHello. Cloudflare continues to advertise support for classical keyshares as well.
48+
- `off`: Do not send nor advertise support for post-quantum key agreement to the origin.
49+
50+
### Origin server
51+
52+
If you set your Cloudflare zone to `supported`, you can make sure that your origin server will prefer the post-quantum key agreement by using Cloudflare's [fork of BoringSSL](https://github.com/cloudflare/boringssl-pq).
53+
54+
If you set your Cloudflare zone to `preferred`, you can use the `bssl` tool of BoringSSL to check that your origin supports the correct [key agreement](/ssl/post-quantum-cryptography/#hybrid-key-agreement).
55+
56+
```txt
57+
$ bssl client -connect (your server):443 -curves X25519MLKEM768
58+
```
59+
60+
2361
[^1]: When, to remove a round trip, a client makes a guess of what the server supports.
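Review bot: the `bssl` check in the "Origin server" section is ordered after "If you set your Cloudflare zone to `preferred`", but its value is in confirming that the origin actually negotiates `X25519MLKEM768` before the zone is switched to `preferred`; with `preferred` Cloudflare sends only a post-quantum keyshare in the first ClientHello, so an origin that lacks ML-KEM support forces a HelloRetryRequest on every handshake, which is exactly the extra round trip the section says the setting is meant to avoid. Suggest rewording along the lines of "Before setting your zone to `preferred`, use the `bssl` tool of BoringSSL to check that your origin supports the correct key agreement". Two smaller style points in the same region: the placeholder `(your server)` in `bssl client -connect (your server):443` does not follow the `<API_TOKEN>` / `<YOUR_CHOSEN_SETTING>` angle-bracket convention used in the `curl` block, and the command is fenced as ```txt with a leading `$ ` prompt while the `curl` example is fenced as ```bash; using the same fence style (and dropping the prompt so the line can be copied directly) would keep the two examples consistent. Finally, the paragraph "The method described above is the one used to allow Cloudflare to support post-quantum to all outbound connections" reads awkwardly; "to support post-quantum key agreement on all outbound connections" states the same thing more clearly.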
