Add support for hybrid key exchange protocol x25519mlkem768 for making TLS sessions quantum safe.

anavarr · anavarr · commit 2dcf59ec8622 · 2026-03-16T17:53:16.000+01:00
This features relies on the netty-tcnative-openssl-dynamic bound to version 3.6 of openssl.

- Add boolean useHybrid field to io.vertx.core.net.SSLOptions and create getters/setters in io.vertx.core.net.SSLOptions as well as every implementation of io.vertx.core.net.TCPSSLOptions.
- If this value is set to true (default false), the ssl handler will be set to use x25519mlkem768 instead of x25519.
- If key exchange protocol is set to x25519mlkem768 but JdkSsl is used instead of OpenSsl, or the version of openssl used at runtime does not suppot x25519mlkem768, the user is informed that hybrid key exchange is impossible channel is closed
diff --git a/pom.xml b/pom.xml
@@ -204,6 +204,11 @@
       <artifactId>log4j-core</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-classes</artifactId>
+      <version>2.0.76.Final</version>
+    </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-tcnative-boringssl-static</artifactId>
diff --git a/src/main/asciidoc/http.adoc b/src/main/asciidoc/http.adoc
@@ -41,6 +41,10 @@ To handle `h2` requests, TLS must be enabled along with {@link io.vertx.core.htt
 {@link examples.HTTP2Examples#example0}
 ----
 
+The rise of quantum computers will make key exchange protocols such as x25519 obsolete as they will be able to "crack" secret keys quickly.
+Vert.x proposes a quantum-safe key exchange protocol, x25519MLKEM768 (official recommendation of NIST) to ensure sessions over TLS are safe against quantum computers.
+Hybrid key exchange must be enabled along with {@link io.vertx.core.http.HttpServerOptions#setUseHybrid(boolean)} and only works using OpenSsl ({$@link io.vertx.core.http.HttpServerOptions#setSslEngineOptions(SSLEngineOptions)})
+
 ALPN is a TLS extension that negotiates the protocol before the client and the server start to exchange data.
 
 Clients that don't support ALPN will still be able to do a _classic_ SSL handshake.
diff --git a/src/main/generated/io/vertx/core/eventbus/EventBusOptionsConverter.java b/src/main/generated/io/vertx/core/eventbus/EventBusOptionsConverter.java
@@ -279,6 +279,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, EventBu
             obj.setUseAlpn((Boolean)member.getValue());
           }
           break;
+        case "useHybrid":
+          if (member.getValue() instanceof Boolean) {
+            obj.setUseHybrid((Boolean)member.getValue());
+          }
+          break;
         case "writeIdleTimeout":
           if (member.getValue() instanceof Number) {
             obj.setWriteIdleTimeout(((Number)member.getValue()).intValue());
@@ -388,6 +393,7 @@ static void toJson(EventBusOptions obj, java.util.Map<String, Object> json) {
       json.put("trustStoreOptions", obj.getTrustStoreOptions().toJson());
     }
     json.put("useAlpn", obj.isUseAlpn());
+    json.put("useHybrid", obj.isUseHybrid());
     json.put("writeIdleTimeout", obj.getWriteIdleTimeout());
   }
 }
diff --git a/src/main/generated/io/vertx/core/net/SSLOptionsConverter.java b/src/main/generated/io/vertx/core/net/SSLOptionsConverter.java
@@ -69,6 +69,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, SSLOpti
             obj.setUseAlpn((Boolean)member.getValue());
           }
           break;
+        case "useHybrid":
+          if (member.getValue() instanceof Boolean) {
+            obj.setUseHybrid((Boolean)member.getValue());
+          }
+          break;
       }
     }
   }
@@ -103,5 +108,6 @@ static void toJson(SSLOptions obj, java.util.Map<String, Object> json) {
       json.put("sslHandshakeTimeoutUnit", obj.getSslHandshakeTimeoutUnit().name());
     }
     json.put("useAlpn", obj.isUseAlpn());
+    json.put("useHybrid", obj.isUseHybrid());
   }
 }
diff --git a/src/main/generated/io/vertx/core/net/TCPSSLOptionsConverter.java b/src/main/generated/io/vertx/core/net/TCPSSLOptionsConverter.java
@@ -179,6 +179,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, TCPSSLO
             obj.setUseAlpn((Boolean)member.getValue());
           }
           break;
+        case "useHybrid":
+          if (member.getValue() instanceof Boolean) {
+            obj.setUseHybrid((Boolean)member.getValue());
+          }
+          break;
         case "writeIdleTimeout":
           if (member.getValue() instanceof Number) {
             obj.setWriteIdleTimeout(((Number)member.getValue()).intValue());
@@ -258,6 +263,7 @@ static void toJson(TCPSSLOptions obj, java.util.Map<String, Object> json) {
       json.put("trustStoreOptions", obj.getTrustStoreOptions().toJson());
     }
     json.put("useAlpn", obj.isUseAlpn());
+    json.put("useHybrid", obj.isUseHybrid());
     json.put("writeIdleTimeout", obj.getWriteIdleTimeout());
   }
 }
diff --git a/src/main/java/io/vertx/core/eventbus/EventBusOptions.java b/src/main/java/io/vertx/core/eventbus/EventBusOptions.java
@@ -475,6 +475,11 @@ public EventBusOptions setUseAlpn(boolean useAlpn) {
     return (EventBusOptions) super.setUseAlpn(useAlpn);
   }
 
+  @Override
+  public EventBusOptions setUseHybrid(boolean useHybrid) {
+    return (EventBusOptions) super.setUseHybrid(useHybrid);
+  }
+
   @Override
   public EventBusOptions setSslEngineOptions(SSLEngineOptions sslEngineOptions) {
     return (EventBusOptions) super.setSslEngineOptions(sslEngineOptions);
diff --git a/src/main/java/io/vertx/core/http/HttpClientOptions.java b/src/main/java/io/vertx/core/http/HttpClientOptions.java
@@ -1154,6 +1154,11 @@ public HttpClientOptions setUseAlpn(boolean useAlpn) {
     return (HttpClientOptions) super.setUseAlpn(useAlpn);
   }
 
+  @Override
+  public HttpClientOptions setUseHybrid(boolean useHybrid) {
+    return (HttpClientOptions) super.setUseHybrid(useHybrid);
+  }
+
   @Override
   public HttpClientOptions setSslEngineOptions(SSLEngineOptions sslEngineOptions) {
     return (HttpClientOptions) super.setSslEngineOptions(sslEngineOptions);
diff --git a/src/main/java/io/vertx/core/http/HttpServerOptions.java b/src/main/java/io/vertx/core/http/HttpServerOptions.java
@@ -421,6 +421,18 @@ public HttpServerOptions setUseAlpn(boolean useAlpn) {
     return this;
   }
 
+  /*
+  Use X25519MLKEM768 instead of X25519 for key exchange.
+  X25519MLKEM768 is a hybrid protocol exchange ensuring that encryption will resist quantum computers
+   */
+  @Override
+  public HttpServerOptions setUseHybrid(boolean useHybrid) {
+    super.setUseHybrid(useHybrid);
+    return this;
+  }
+
+
+
   @Override
   public HttpServerOptions setKeyCertOptions(KeyCertOptions options) {
     super.setKeyCertOptions(options);
diff --git a/src/main/java/io/vertx/core/http/WebSocketClientOptions.java b/src/main/java/io/vertx/core/http/WebSocketClientOptions.java
@@ -552,6 +552,11 @@ public WebSocketClientOptions setUseAlpn(boolean useAlpn) {
     return (WebSocketClientOptions)super.setUseAlpn(useAlpn);
   }
 
+  @Override
+  public WebSocketClientOptions setUseHybrid(boolean useHybrid) {
+    return (WebSocketClientOptions)super.setUseHybrid(useHybrid);
+  }
+
   @Override
   public WebSocketClientOptions setSslEngineOptions(SSLEngineOptions sslEngineOptions) {
     return (WebSocketClientOptions)super.setSslEngineOptions(sslEngineOptions);
diff --git a/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java b/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java
@@ -33,9 +33,12 @@
 import io.vertx.core.impl.VertxInternal;
 import io.vertx.core.net.impl.*;
 import io.vertx.core.spi.metrics.HttpServerMetrics;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.concurrent.ExecutionException;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import java.util.function.Supplier;
@@ -61,6 +64,7 @@ public class HttpServerWorker implements BiConsumer<Channel, SslChannelProvider>
   private final CompressionOptions[] compressionOptions;
   private final Function<String, String> encodingDetector;
   private final GlobalTrafficShapingHandler trafficShapingHandler;
+  private static final Logger log = LoggerFactory.getLogger(SslChannelProvider.class);
 
   public HttpServerWorker(ContextInternal context,
                           Supplier<ContextInternal> streamContextSupplier,
@@ -115,18 +119,28 @@ public void accept(Channel ch, SslChannelProvider sslChannelProvider) {
           if (idle != null) {
             ch.pipeline().remove(idle);
           }
-          configurePipeline(future.getNow(), sslChannelProvider);
+          try {
+            configurePipeline(future.getNow(), sslChannelProvider);
+          } catch (Exception e) {
+            log.error(e.getMessage()+ ", now closing the channel");
+            ch.close();
+          }
         } else {
           //No need to close the channel.HAProxyMessageDecoder already did
           handleException(future.cause());
         }
       });
     } else {
-      configurePipeline(ch, sslChannelProvider);
+      try {
+        configurePipeline(ch, sslChannelProvider);
+      } catch (Exception e) {
+        log.error(e.getMessage()+ ", now closing the channel");
+        ch.close();
+      }
     }
   }
 
-  private void configurePipeline(Channel ch, SslChannelProvider sslChannelProvider) {
+  private void configurePipeline(Channel ch, SslChannelProvider sslChannelProvider) throws Exception {
     ChannelPipeline pipeline = ch.pipeline();
     if (options.isSsl()) {
       pipeline.addLast("ssl", sslChannelProvider.createServerHandler(HttpUtils.socketAddressToHostAndPort(ch.remoteAddress())));
diff --git a/src/main/java/io/vertx/core/net/ClientOptionsBase.java b/src/main/java/io/vertx/core/net/ClientOptionsBase.java
@@ -340,6 +340,11 @@ public ClientOptionsBase setUseAlpn(boolean useAlpn) {
     return (ClientOptionsBase) super.setUseAlpn(useAlpn);
   }
 
+  @Override
+  public ClientOptionsBase setUseHybrid(boolean useHyrbrid) {
+    return (ClientOptionsBase) super.setUseHybrid(useHyrbrid);
+  }
+
   @Override
   public ClientOptionsBase setSslEngineOptions(SSLEngineOptions sslEngineOptions) {
     return (ClientOptionsBase) super.setSslEngineOptions(sslEngineOptions);
diff --git a/src/main/java/io/vertx/core/net/NetClientOptions.java b/src/main/java/io/vertx/core/net/NetClientOptions.java
@@ -263,6 +263,11 @@ public NetClientOptions setUseAlpn(boolean useAlpn) {
     return (NetClientOptions) super.setUseAlpn(useAlpn);
   }
 
+  @Override
+  public NetClientOptions setUseHybrid(boolean useHybrid) {
+    return (NetClientOptions) super.setUseHybrid(useHybrid);
+  }
+
   @Override
   public NetClientOptions setSslEngineOptions(SSLEngineOptions sslEngineOptions) {
     return (NetClientOptions) super.setSslEngineOptions(sslEngineOptions);
diff --git a/src/main/java/io/vertx/core/net/NetServerOptions.java b/src/main/java/io/vertx/core/net/NetServerOptions.java
@@ -221,8 +221,8 @@ public NetServerOptions setSsl(boolean ssl) {
   }
 
   @Override
-  public NetServerOptions setUseAlpn(boolean useAlpn) {
-    super.setUseAlpn(useAlpn);
+  public NetServerOptions setUseHybrid(boolean useHybrid) {
+    super.setUseHybrid(useHybrid);
     return this;
   }
 
diff --git a/src/main/java/io/vertx/core/net/SSLOptions.java b/src/main/java/io/vertx/core/net/SSLOptions.java
@@ -37,7 +37,11 @@ public class SSLOptions {
   /**
    * Default use alpn = false
    */
-  public static final boolean DEFAULT_USE_ALPN = false;
+  public static final boolean DEFAULT_USE_ALPN = false;  /**
+
+   * Default use hybrid = false
+   */
+  public static final boolean DEFAULT_USE_HYBRID = false;
 
   /**
    * The default value of SSL handshake timeout = 10
@@ -66,6 +70,7 @@ public class SSLOptions {
   private ArrayList<String> crlPaths;
   private ArrayList<Buffer> crlValues;
   private boolean useAlpn;
+  private boolean useHybrid;
   private Set<String> enabledSecureTransportProtocols;
 
   /**
@@ -99,6 +104,7 @@ public SSLOptions(SSLOptions other) {
     this.crlPaths = new ArrayList<>(other.getCrlPaths());
     this.crlValues = new ArrayList<>(other.getCrlValues());
     this.useAlpn = other.useAlpn;
+    this.useHybrid = other.useHybrid;
     this.enabledSecureTransportProtocols = other.getEnabledSecureTransportProtocols() == null ? new LinkedHashSet<>() : new LinkedHashSet<>(other.getEnabledSecureTransportProtocols());
   }
 
@@ -110,6 +116,7 @@ private void init() {
     crlPaths = new ArrayList<>();
     crlValues = new ArrayList<>();
     useAlpn = DEFAULT_USE_ALPN;
+    useHybrid = DEFAULT_USE_HYBRID;
     enabledSecureTransportProtocols = new LinkedHashSet<>(DEFAULT_ENABLED_SECURE_TRANSPORT_PROTOCOLS);
   }
 
@@ -236,6 +243,13 @@ public boolean isUseAlpn() {
     return useAlpn;
   }
 
+  /**
+   * @return whether to use or not Hybrid key exchange protocol x25519MLKEM768
+   */
+  public boolean isUseHybrid() {
+    return useHybrid;
+  }
+
   /**
    * Set the ALPN usage.
    *
@@ -246,6 +260,11 @@ public SSLOptions setUseAlpn(boolean useAlpn) {
     return this;
   }
 
+  public SSLOptions setUseHybrid(boolean useHybrid) {
+    this.useHybrid = useHybrid;
+    return this;
+  }
+
   /**
    * Returns the enabled SSL/TLS protocols
    * @return the enabled protocols
diff --git a/src/main/java/io/vertx/core/net/TCPSSLOptions.java b/src/main/java/io/vertx/core/net/TCPSSLOptions.java
@@ -712,6 +712,13 @@ public boolean isUseAlpn() {
     return sslOptions.isUseAlpn();
   }
 
+  /**
+   * @return whether to use or not Hybrid key exchange protocol x25519MLKEM768
+   */
+  public boolean isUseHybrid() {
+    return sslOptions.isUseHybrid();
+  }
+
   /**
    * Set the ALPN usage.
    *
@@ -722,6 +729,11 @@ public TCPSSLOptions setUseAlpn(boolean useAlpn) {
     return this;
   }
 
+  public TCPSSLOptions setUseHybrid(boolean useHybrid) {
+    sslOptions.setUseHybrid(useHybrid);
+    return this;
+  }
+
   /**
    * @return the SSL engine implementation to use
    */
diff --git a/src/main/java/io/vertx/core/net/impl/ChannelProvider.java b/src/main/java/io/vertx/core/net/impl/ChannelProvider.java
@@ -34,6 +34,8 @@
 import io.vertx.core.net.ProxyOptions;
 import io.vertx.core.net.ProxyType;
 import io.vertx.core.net.SocketAddress;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.SSLHandshakeException;
 import java.net.InetAddress;
@@ -49,6 +51,7 @@
  */
 public final class ChannelProvider {
 
+  private static final Logger log = LoggerFactory.getLogger(ChannelProvider.class);
   private final Bootstrap bootstrap;
   private final SslChannelProvider sslContextProvider;
   private final ContextInternal context;
@@ -115,9 +118,17 @@ private void connect(Handler<Channel> handler, SocketAddress remoteAddress, Sock
 
   private void initSSL(Handler<Channel> handler, SocketAddress peerAddress, String serverName, boolean ssl, boolean useAlpn, Channel ch, Promise<Channel> channelHandler) {
     if (ssl) {
-      SslHandler sslHandler = sslContextProvider.createClientSslHandler(peerAddress, serverName, useAlpn);
+      SslHandler sslHandler = null;
+      try {
+        sslHandler = sslContextProvider.createClientSslHandler(peerAddress, serverName, useAlpn);
+      } catch (Exception e) {
+        log.error(e.getMessage());
+        ch.close();
+        return;
+      }
       ChannelPipeline pipeline = ch.pipeline();
       pipeline.addLast("ssl", sslHandler);
+      SslHandler finalSslHandler = sslHandler;
       pipeline.addLast(new ChannelInboundHandlerAdapter() {
         @Override
         public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
@@ -127,7 +138,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
             if (completion.isSuccess()) {
               // Remove from the pipeline after handshake result
               ctx.pipeline().remove(this);
-              applicationProtocol = sslHandler.applicationProtocol();
+              applicationProtocol = finalSslHandler.applicationProtocol();
               if (handler != null) {
                 context.dispatch(ch, handler);
               }
diff --git a/src/main/java/io/vertx/core/net/impl/NetServerImpl.java b/src/main/java/io/vertx/core/net/impl/NetServerImpl.java
@@ -39,6 +39,7 @@
 import io.vertx.core.spi.metrics.VertxMetrics;
 import io.vertx.core.streams.ReadStream;
 
+import java.util.concurrent.ExecutionException;
 import java.util.function.BiConsumer;
 
 /**
@@ -209,18 +210,28 @@ public void accept(Channel ch, SslChannelProvider sslChannelProvider) {
             if (idle != null) {
               ch.pipeline().remove(idle);
             }
-            configurePipeline(future.getNow(), sslChannelProvider);
+            try {
+              configurePipeline(future.getNow(), sslChannelProvider);
+            } catch (Exception e) {
+              log.error(e.getMessage()+ ", now closing the channel");
+              ch.close();
+            }
           } else {
             //No need to close the channel.HAProxyMessageDecoder already did
             handleException(future.cause());
           }
         });
       } else {
-        configurePipeline(ch, sslChannelProvider);
+        try {
+          configurePipeline(ch, sslChannelProvider);
+        } catch (Exception e) {
+          log.error(e.getMessage()+ ", now closing the channel");
+          ch.close();
+        }
       }
     }
 
-    private void configurePipeline(Channel ch, SslChannelProvider sslChannelProvider) {
+    private void configurePipeline(Channel ch, SslChannelProvider sslChannelProvider) throws Exception{
       if (options.isSsl()) {
         ch.pipeline().addLast("ssl", sslChannelProvider.createServerHandler(HttpUtils.socketAddressToHostAndPort(ch.remoteAddress())));
         ChannelPromise p = ch.newPromise();
diff --git a/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java b/src/main/java/io/vertx/core/net/impl/NetSocketImpl.java
diff --git a/src/main/java/io/vertx/core/net/impl/SSLHelper.java b/src/main/java/io/vertx/core/net/impl/SSLHelper.java
diff --git a/src/main/java/io/vertx/core/net/impl/SslChannelProvider.java b/src/main/java/io/vertx/core/net/impl/SslChannelProvider.java
diff --git a/src/main/java/io/vertx/core/net/impl/VertxSniHandler.java b/src/main/java/io/vertx/core/net/impl/VertxSniHandler.java

Original file line number	Diff line number	Diff line change
`@@ -279,6 +279,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, EventBu`
`279`	`279`	`obj.setUseAlpn((Boolean)member.getValue());`
`280`	`280`	`}`
`281`	`281`	`break;`
	`282`	`+ case "useHybrid":`
	`283`	`+ if (member.getValue() instanceof Boolean) {`
	`284`	`+ obj.setUseHybrid((Boolean)member.getValue());`
	`285`	`+ }`
	`286`	`+ break;`
`282`	`287`	`case "writeIdleTimeout":`
`283`	`288`	`if (member.getValue() instanceof Number) {`
`284`	`289`	`obj.setWriteIdleTimeout(((Number)member.getValue()).intValue());`
`@@ -388,6 +393,7 @@ static void toJson(EventBusOptions obj, java.util.Map<String, Object> json) {`
`388`	`393`	`json.put("trustStoreOptions", obj.getTrustStoreOptions().toJson());`
`389`	`394`	`}`
`390`	`395`	`json.put("useAlpn", obj.isUseAlpn());`
	`396`	`+ json.put("useHybrid", obj.isUseHybrid());`
`391`	`397`	`json.put("writeIdleTimeout", obj.getWriteIdleTimeout());`
`392`	`398`	`}`
`393`	`399`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, SSLOpti`
`69`	`69`	`obj.setUseAlpn((Boolean)member.getValue());`
`70`	`70`	`}`
`71`	`71`	`break;`
	`72`	`+ case "useHybrid":`
	`73`	`+ if (member.getValue() instanceof Boolean) {`
	`74`	`+ obj.setUseHybrid((Boolean)member.getValue());`
	`75`	`+ }`
	`76`	`+ break;`
`72`	`77`	`}`
`73`	`78`	`}`
`74`	`79`	`}`
`@@ -103,5 +108,6 @@ static void toJson(SSLOptions obj, java.util.Map<String, Object> json) {`
`103`	`108`	`json.put("sslHandshakeTimeoutUnit", obj.getSslHandshakeTimeoutUnit().name());`
`104`	`109`	`}`
`105`	`110`	`json.put("useAlpn", obj.isUseAlpn());`
	`111`	`+ json.put("useHybrid", obj.isUseHybrid());`
`106`	`112`	`}`
`107`	`113`	`}`
Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, TCPSSLO`
`179`	`179`	`obj.setUseAlpn((Boolean)member.getValue());`
`180`	`180`	`}`
`181`	`181`	`break;`
	`182`	`+ case "useHybrid":`
	`183`	`+ if (member.getValue() instanceof Boolean) {`
	`184`	`+ obj.setUseHybrid((Boolean)member.getValue());`
	`185`	`+ }`
	`186`	`+ break;`
`182`	`187`	`case "writeIdleTimeout":`
`183`	`188`	`if (member.getValue() instanceof Number) {`
`184`	`189`	`obj.setWriteIdleTimeout(((Number)member.getValue()).intValue());`
`@@ -258,6 +263,7 @@ static void toJson(TCPSSLOptions obj, java.util.Map<String, Object> json) {`
`258`	`263`	`json.put("trustStoreOptions", obj.getTrustStoreOptions().toJson());`
`259`	`264`	`}`
`260`	`265`	`json.put("useAlpn", obj.isUseAlpn());`
	`266`	`+ json.put("useHybrid", obj.isUseHybrid());`
`261`	`267`	`json.put("writeIdleTimeout", obj.getWriteIdleTimeout());`
`262`	`268`	`}`
`263`	`269`	`}`