Too many advertised sig algs cause TLS server hang-up

[mouse07410]

Describe the bug
Provider built from the main branch pulled after Fri Apr 12, 2024, somehow causes OpenSSL to hang and then time-out on requests over corporate firewall (to https://index.crates.io, in case it matters).

When I comment out oqs provider in openssl.cnf the problem disappears.

I must add that before Apr 12th everything worked just fine. So, it's OpenSSL, or liboqs, or oqs-provider.

@levitte could you please take a look as well? I don't know whether it's the provider's fault, or that of the OpenSSL itself.

To Reproduce
A little complicated, but here's what I have.

Steps to reproduce the behavior:

1. Install Rust toolchain.
2. Install cargo-update via cargo install cargo-update
3. Have OpenSSL-3.2.1 installed.
4. Install current master of liboqs.
5. Clone and install oqs-provider (main branch).
6. Edit openssl.cnf to add oqs provider (some add it as oqsprovider, for me naming it oqs suffices).
7. Try cargo install-update -l
8. See error

Expected behavior

Something like

$ cargo install-update -l
    Polling registry 'https://index.crates.io/'.......................................

Package          Installed             Latest                               Needs update
asn1rs           v0.3.1                v0.3.1                               No
b3sum            v1.5.1                v1.5.1                               No
.  .  .

Actual behavior

$ cargo install-update -l
    Polling registry 'https://index.crates.io/'
Failed to update index repository crates-io: package asn1rs: [35] SSL connect error (OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to index.crates.io:443 ).
$ 
$ OQSPROV=1 cargo install-update -l
OQS PROV: successfully registered dilithium2 with NID 1320
OQS PROV: successfully registered p256_dilithium2 with NID 1321
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1322
OQS PROV: successfully registered dilithium3 with NID 1323
OQS PROV: successfully registered p384_dilithium3 with NID 1324
OQS PROV: successfully registered dilithium5 with NID 1325
OQS PROV: successfully registered p521_dilithium5 with NID 1326
OQS PROV: successfully registered mldsa44 with NID 1327
OQS PROV: successfully registered p256_mldsa44 with NID 1328
OQS PROV: successfully registered rsa3072_mldsa44 with NID 1329
OQS PROV: successfully registered mldsa44_pss2048 with NID 1330
OQS PROV: successfully registered mldsa44_rsa2048 with NID 1331
OQS PROV: successfully registered mldsa44_ed25519 with NID 1332
OQS PROV: successfully registered mldsa44_p256 with NID 1333
OQS PROV: successfully registered mldsa44_bp256 with NID 1334
OQS PROV: successfully registered mldsa65 with NID 1335
OQS PROV: successfully registered p384_mldsa65 with NID 1336
OQS PROV: successfully registered mldsa65_pss3072 with NID 1337
OQS PROV: successfully registered mldsa65_rsa3072 with NID 1338
OQS PROV: successfully registered mldsa65_p256 with NID 1339
OQS PROV: successfully registered mldsa65_bp256 with NID 1340
OQS PROV: successfully registered mldsa65_ed25519 with NID 1341
OQS PROV: successfully registered mldsa87 with NID 1342
OQS PROV: successfully registered p521_mldsa87 with NID 1343
OQS PROV: successfully registered mldsa87_p384 with NID 1344
OQS PROV: successfully registered mldsa87_bp384 with NID 1345
OQS PROV: successfully registered mldsa87_ed448 with NID 1346
OQS PROV: successfully registered falcon512 with NID 1347
OQS PROV: successfully registered p256_falcon512 with NID 1348
OQS PROV: successfully registered rsa3072_falcon512 with NID 1349
OQS PROV: successfully registered falconpadded512 with NID 1350
OQS PROV: successfully registered p256_falconpadded512 with NID 1351
OQS PROV: successfully registered rsa3072_falconpadded512 with NID 1352
OQS PROV: successfully registered falcon1024 with NID 1353
OQS PROV: successfully registered p521_falcon1024 with NID 1354
OQS PROV: successfully registered falconpadded1024 with NID 1355
OQS PROV: successfully registered p521_falconpadded1024 with NID 1356
OQS PROV: successfully registered sphincssha2128fsimple with NID 1357
OQS PROV: successfully registered p256_sphincssha2128fsimple with NID 1358
OQS PROV: successfully registered rsa3072_sphincssha2128fsimple with NID 1359
OQS PROV: successfully registered sphincssha2128ssimple with NID 1360
OQS PROV: successfully registered p256_sphincssha2128ssimple with NID 1361
OQS PROV: successfully registered rsa3072_sphincssha2128ssimple with NID 1362
OQS PROV: successfully registered sphincssha2192fsimple with NID 1363
OQS PROV: successfully registered p384_sphincssha2192fsimple with NID 1364
OQS PROV: successfully registered sphincsshake128fsimple with NID 1365
OQS PROV: successfully registered p256_sphincsshake128fsimple with NID 1366
OQS PROV: successfully registered rsa3072_sphincsshake128fsimple with NID 1367
OQS PROV: Default or FIPS provider available.
    Polling registry 'https://index.crates.io/'Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 11 requested from OQS provider
Unknown operation 11 requested from OQS provider

Failed to update index repository crates-io: package asn1rs: [35] SSL connect error (OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to index.crates.io:443 ).
$ 

Environment (please complete the following information):

• OS: MacOS Sonoma 14.4.1
• OpenSSL version 3.2.1 (Macports-installed)
• oqsprovider version 0.6.0 (or whatever the current main is)
• liboqs current master

Please run the following commands to obtain the version information:

• For OpenSSL: openssl version
• For oqsprovider: openssl list -providers

$ openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.1
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.2.1
    status: active
  oqs
    name: OpenSSL OQS Provider
    version: 0.6.0
    status: active
  pkcs11
    name: PKCS#11 Provider
    version: 3.2.1
    status: active
$

[levitte]

Oh, so I guess I must learn Rust, then? 😆
(I've tried to avoid that, knowing full well that I'll have to some day)

[levitte]

Actually, this could be much simpler than I anticipated. SSL_ERROR_ZERO_RETURN indicates that the TLS peer closed the connection without a close notify. This has become more "normal" lately, so OpenSSL now has an option SSL_OP_IGNORE_UNEXPECTED_EOF to allow this behavior.

See the TLS Changes section in OpenSSL's migration guide or SSL_CTX_set_options(3) / SSL_set_options(3).

[iyanmv]

I think I observe a similar issue, but easier to reproduce with just curl.

curl -v https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig

This fails with liboqs 0.10.0, OpenSSL 3.2.1 and oqs-provider 0.6.0, and oqsprovider enabled in openssl.cnf.

Output with `oqsprovider` enabled

$ curl -v -o test.sig https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host downloads.1password.com:443 was resolved.
* IPv6: 2600:9000:225e:6600:2:d2db:f100:93a1, 2600:9000:225e:5800:2:d2db:f100:93a1, 2600:9000:225e:f400:2:d2db:f100:93a1, 2600:9000:225e:7000:2:d2db:f100:93a1, 2600:9000:225e:5c00:2:d2db:f100:93a1, 2600:9000:225e:6800:2:d2db:f100:93a1, 2600:9000:225e:4200:2:d2db:f100:93a1, 2600:9000:225e:b600:2:d2db:f100:93a1
* IPv4: 18.66.147.127, 18.66.147.99, 18.66.147.18, 18.66.147.29
*   Trying 18.66.147.127:443...
* Connected to downloads.1password.com (18.66.147.127) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, close notify (256):
{ [2 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to downloads.1password.com:443 
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to downloads.1password.com:443

Output without `oqsprovider` enabled

$ curl -v -o test.sig https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host downloads.1password.com:443 was resolved.
* IPv6: 2600:9000:225e:8a00:2:d2db:f100:93a1, 2600:9000:225e:ce00:2:d2db:f100:93a1, 2600:9000:225e:1000:2:d2db:f100:93a1, 2600:9000:225e:6c00:2:d2db:f100:93a1, 2600:9000:225e:6000:2:d2db:f100:93a1, 2600:9000:225e:8400:2:d2db:f100:93a1, 2600:9000:225e:d400:2:d2db:f100:93a1, 2600:9000:225e:1400:2:d2db:f100:93a1
* IPv4: 18.66.147.29, 18.66.147.99, 18.66.147.127, 18.66.147.18
*   Trying 18.66.147.29:443...
* Connected to downloads.1password.com (18.66.147.29) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4971 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=downloads.1password.com
*  start date: Jul 16 00:00:00 2023 GMT
*  expire date: Aug 13 23:59:59 2024 GMT
*  subjectAltName: host "downloads.1password.com" matched cert's "downloads.1password.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
} [5 bytes data]
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: downloads.1password.com]
* [HTTP/2] [1] [:path: /linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET /linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig HTTP/2
> Host: downloads.1password.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [124 bytes data]
< HTTP/2 200 
< content-type: application/pgp-signature
< content-length: 566
< date: Tue, 16 Apr 2024 14:35:40 GMT
< last-modified: Tue, 16 Apr 2024 14:17:29 GMT
< etag: "7f4901775676a583684caf0ef040f2fc"
< x-amz-server-side-encryption: AES256
< cache-control: max-age=31536000,must-revalidate
< x-amz-version-id: SS03x6XG02hZtDcRT_564Rjbs..R9mHW
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront
< via: 1.1 5b21c56dde1a436b4b6766d2406627d2.cloudfront.net (CloudFront)
< x-amz-cf-pop: FRA60-P4
< x-amz-cf-id: gwg4kykBpR3mwnnyc2nfDRSrfHcHjnmiUmD7kPmga26r3EQ5OfzNWQ==
< age: 152287
< 
{ [566 bytes data]
100   566  100   566    0     0  10171      0 --:--:-- --:--:-- --:--:-- 10290
* Connection #0 to host downloads.1password.com left intact

[mouse07410]

Oh, so I guess I must learn Rust, then? 😆

@levitte Of course! Didn't you know that all along? :-)

'm not sure how to answer your question, as I'm unsure what to look at.

Unfortunately, neither do I. Code that I didn't write uses OpenSSL library that misbehaves when OQS provider is present/loaded.

The best I see is the example from @iyanmv that reproduces the problem with curl.

What I observe with this reproducer is that TLS 1.3 Handshake begins with sending "Client Hello", and after that connection attempt fails, with server responding with "close notify" (not on timeout, as I thought?).

What's in the "Client Hello" when OQS is loaded, that the server doesn't even bother to answer?

SSL_ERROR_ZERO_RETURN indicates that the TLS peer closed the connection without a close notify. This has become more "normal" lately, so OpenSSL now has an option SSL_OP_IGNORE_UNEXPECTED_EOF to allow this behavior.

Unfortunately, the problem manifests itself with (popular and widely used) code that none of the participants here wrote or has any control over. If we had a reproducer, we could try adding that TLS option and see if it fixes the problem. As it is, I don't know...

And why everything is OK with OQS provider is out of the picture (with all the other providers enabled)?

Also, this problem appeared only this week. What changed, and where? (https://index.crates.io, OpenSSL, liboqs, oqs-provider?)

[levitte]

@iyanmv's curl example shows that this happens in the handshake.

There is one thing that might, or might not be related to this: the OQS provider uses SIGALG capabilities to add signature algorithms to the set that libssl has built in. It's possible that this affects the TLS handshake in a way that causes this issue.

[iyanmv]

I was writing this for something else, but I leave it here in case it's useful for anyone to reproduce the issue with my exact setup:

podman run -it --rm archlinux:base-devel sh -c "$(cat <<EOF
# Update packages & install dependencies to build liboqs and oqs-provider
pacman -Syu --noconfirm &&
pacman -S --noconfirm \
    cmake \
    curl \
    doxygen \
    git \
    ninja \
    python \
    python-jinja \
    python-tabulate \
    python-yaml

# Build liboqs & install
git clone https://aur.archlinux.org/liboqs.git
# chmod 777 directory because makepkg cannot run as root
chmod 777 liboqs && cd liboqs
runuser -unobody -- makepkg --nocheck
pacman -U --noconfirm liboqs-1\:0.10.0-2-x86_64.pkg.tar.zst

# Build oqs-provider & install
cd ..
git clone https://aur.archlinux.org/oqsprovider.git
# chmod 777 directory because makepkg cannot run as root
chmod 777 oqsprovider && cd oqsprovider
runuser -unobody -- makepkg --nocheck
pacman -U --noconfirm oqsprovider-0.6.0-1-x86_64.pkg.tar.zst

# Get openssl conf file from oqs-provider/scripts
cd ..
curl -O https://raw.githubusercontent.com/open-quantum-safe/oqs-provider/main/scripts/openssl-ca.cnf

# This works (oqsprovider is not enabled)
curl -v -o /dev/null https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig

# This doesn't work (oqsprovider enabled)
export OPENSSL_CONF=/openssl-ca.cnf
curl -v -o /dev/null https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig
EOF
)"

But I was able to reproduce using the fullbuild.sh script, so I don't think it's an issue of how I'm building liboqs or oqs-provider.

Since this only happens with certain servers, can it also be a "misconfiguration" on the server side? If the client offers PQC KEM, perhaps that triggers something on the server side that causes the handshake to fail.

[iyanmv]

Checking the exchange with wireshark, it really looks like a server issue. It responds with a close notify message after the client hello.

(Github doesn't like .pcapng, so renamed to .txt)
wrong_tls.txt

[mouse07410]

This is the captured TLS 1.3 "Client Hello" with OQS provider enabled, which causes the server to shut up and not even respond with "Server Hello":

Frame 2122: 573 bytes on wire (4584 bits), 573 bytes captured (4584 bits) on interface utun6, id 0
Null/Loopback
Internet Protocol Version 4, Src: 570657, Dst: llproxy
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 569
    Identification: 0x0000 (0)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x5276 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 570657
    Destination Address: llproxy
Transmission Control Protocol, Src Port: 55418 (55418), Dst Port: http-alt (8080), Seq: 138, Ack: 40, Len: 517
    Source Port: 55418 (55418)
    Destination Port: http-alt (8080)
    [Stream index: 25]
    [Conversation completeness: Incomplete, DATA (15)]
    [TCP Segment Len: 517]
    Sequence Number: 138    (relative sequence number)
    Sequence Number (raw): 380035978
    [Next Sequence Number: 655    (relative sequence number)]
    Acknowledgment Number: 40    (relative ack number)
    Acknowledgment number (raw): 1715394820
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
    Window: 2063
    [Calculated window size: 132032]
    [Window size scaling factor: 64]
    Checksum: 0xe34f [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
        [iRTT: 0.040025000 seconds]
        [Bytes in flight: 517]
        [Bytes sent since last PSH flag: 517]
    TCP payload (517 bytes)
Hypertext Transfer Protocol
    [Proxy-Connect-Hostname: downloads.1password.com]
    [Proxy-Connect-Port: 443]
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random: ef94575e1e812afe832592b974becdf2498f1ad65e5e550a538428a94070984b
            Session ID Length: 32
            Session ID: 06d4b608c8fc46d17dee91e795b9496b9a688fb9578a9d0b68a8e053709ff6dc
            Cipher Suites Length: 72
            Cipher Suites (36 suites)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC (0xc101)
                Cipher Suite: TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC (0xc100)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: Unknown (0xff85)
                Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xc102)
                Cipher Suite: TLS_GOSTR341001_WITH_28147_CNT_IMIT (0x0081)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 363
            Extension: server_name (len=28) name=downloads.1password.com
            Extension: ec_point_formats (len=4)
            Extension: supported_groups (len=22)
                Type: supported_groups (10)
                Length: 22
                Supported Groups List Length: 20
                Supported Groups (10 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: x448 (0x001e)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: ffdhe2048 (0x0100)
                    Supported Group: ffdhe3072 (0x0101)
                    Supported Group: ffdhe4096 (0x0102)
                    Supported Group: ffdhe6144 (0x0103)
                    Supported Group: ffdhe8192 (0x0104)
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
                    ALPN string length: 2
                    ALPN Next Protocol: h2
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: encrypt_then_mac (len=0)
            Extension: extended_master_secret (len=0)
            Extension: post_handshake_auth (len=0)
            Extension: signature_algorithms (len=154)
                Type: signature_algorithms (13)
                Length: 154
                Signature Hash Algorithms Length: 152
                Signature Hash Algorithms (76 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: ed25519 (0x0807)
                    Signature Algorithm: ed448 (0x0808)
                    Signature Algorithm: Unknown Unknown (0x081a)
                    Signature Algorithm: Unknown Unknown (0x081b)
                    Signature Algorithm: Unknown Unknown (0x081c)
                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: SHA224 DSA (0x0302)
                    Signature Algorithm: SHA256 DSA (0x0402)
                    Signature Algorithm: SHA384 DSA (0x0502)
                    Signature Algorithm: SHA512 DSA (0x0602)
                    Signature Algorithm: Unknown Unknown (0x0840)
                    Signature Algorithm: Unknown Unknown (0x0841)
                    Signature Algorithm: Unknown Unknown (0xeeee)
                    Signature Algorithm: Unknown Unknown (0xefef)
                    Signature Algorithm: Unknown Unknown (0xeded)
                    Signature Algorithm: dilithium2 (0xfea0)
                    Signature Algorithm: p256_dilithium2 (0xfea1)
                    Signature Algorithm: rsa3072_dilithium2 (0xfea2)
                    Signature Algorithm: dilithium3 (0xfea3)
                    Signature Algorithm: p384_dilithium3 (0xfea4)
                    Signature Algorithm: dilithium5 (0xfea5)
                    Signature Algorithm: p521_dilithium5 (0xfea6)
                    Signature Algorithm: Unknown Unknown (0xfed0)
                    Signature Algorithm: Unknown Unknown (0xfed3)
                    Signature Algorithm: Unknown Unknown (0xfed4)
                    Signature Algorithm: Unknown Unknown (0xfee1)
                    Signature Algorithm: Unknown Unknown (0xfee2)
                    Signature Algorithm: Unknown Unknown (0xfee3)
                    Signature Algorithm: Unknown Unknown (0xfee4)
                    Signature Algorithm: Unknown Unknown (0xfee5)
                    Signature Algorithm: Unknown Unknown (0xfed1)
                    Signature Algorithm: Unknown Unknown (0xfed5)
                    Signature Algorithm: Unknown Unknown (0xfee6)
                    Signature Algorithm: Unknown Unknown (0xfee7)
                    Signature Algorithm: Unknown Unknown (0xfee8)
                    Signature Algorithm: Unknown Unknown (0xfee9)
                    Signature Algorithm: Unknown Unknown (0xfeea)
                    Signature Algorithm: Unknown Unknown (0xfed2)
                    Signature Algorithm: Unknown Unknown (0xfed6)
                    Signature Algorithm: Unknown Unknown (0xfeeb)
                    Signature Algorithm: Unknown Unknown (0xfeec)
                    Signature Algorithm: Unknown Unknown (0xfeed)
                    Signature Algorithm: Unknown Unknown (0xfed7)
                    Signature Algorithm: Unknown Unknown (0xfed8)
                    Signature Algorithm: Unknown Unknown (0xfed9)
                    Signature Algorithm: Unknown Unknown (0xfedc)
                    Signature Algorithm: Unknown Unknown (0xfedd)
                    Signature Algorithm: Unknown Unknown (0xfede)
                    Signature Algorithm: Unknown Unknown (0xfeda)
                    Signature Algorithm: Unknown Unknown (0xfedb)
                    Signature Algorithm: Unknown Unknown (0xfedf)
                    Signature Algorithm: Unknown Unknown (0xfee0)
                    Signature Algorithm: Unknown Unknown (0xfeb3)
                    Signature Algorithm: Unknown Unknown (0xfeb4)
                    Signature Algorithm: Unknown Unknown (0xfeb5)
                    Signature Algorithm: Unknown Unknown (0xfeb6)
                    Signature Algorithm: Unknown Unknown (0xfeb7)
                    Signature Algorithm: Unknown Unknown (0xfeb8)
                    Signature Algorithm: Unknown Unknown (0xfeb9)
                    Signature Algorithm: Unknown Unknown (0xfeba)
                    Signature Algorithm: Unknown Unknown (0xfec2)
                    Signature Algorithm: Unknown Unknown (0xfec3)
                    Signature Algorithm: Unknown Unknown (0xfec4)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
            Extension: psk_key_exchange_modes (len=2)
            Extension: key_share (len=38) x25519
            Extension: compress_certificate (len=3)
            Extension: padding (len=41)
                Type: padding (21)
                Length: 41
                Padding Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000
            [JA4: t13d3613h2_6399a10af667_f48b99e0092b]
            [JA4_r [truncated]: t13d3613h2_002f,0033,0035,0039,003c,003d,0067,006b,0081,009c,009d,009e,009f,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c100,c101,c102,cca8,cca9,ccaa,ff85_000a,000b,000d,0015,0016,0017]
            [JA3 Fullstring [truncated]: 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-49409-49408-61-60-65413-49410-129-53-47-255,0-11-10-16-22-23-49-13-43-45]
            [JA3: 6720a890086e507a3e8b799f7b4413cc]

And here's the exchange ("Client Hello" and "Server Hello") between the same entities, with OQS provider disabled (commented out in openssl.cnf):

Frame 292: 573 bytes on wire (4584 bits), 573 bytes captured (4584 bits) on interface utun6, id 0
Null/Loopback
Internet Protocol Version 4, Src: 570657, Dst: llproxy
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 569
    Identification: 0x0000 (0)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x5276 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 570657
    Destination Address: llproxy
Transmission Control Protocol, Src Port: 56174 (56174), Dst Port: http-alt (8080), Seq: 138, Ack: 40, Len: 517
    Source Port: 56174 (56174)
    Destination Port: http-alt (8080)
    [Stream index: 6]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 517]
    Sequence Number: 138    (relative sequence number)
    Sequence Number (raw): 3711377751
    [Next Sequence Number: 655    (relative sequence number)]
    Acknowledgment Number: 40    (relative ack number)
    Acknowledgment number (raw): 1722682165
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
    Window: 2063
    [Calculated window size: 132032]
    [Window size scaling factor: 64]
    Checksum: 0x4bcb [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
        [iRTT: 0.038972000 seconds]
        [Bytes in flight: 517]
        [Bytes sent since last PSH flag: 517]
    TCP payload (517 bytes)
Hypertext Transfer Protocol
    [Proxy-Connect-Hostname: downloads.1password.com]
    [Proxy-Connect-Port: 443]
Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random: b29337a048932efa10158c94d5d0489dc7e3da43874664ff7c9b17e57aa2d061
            Session ID Length: 32
            Session ID: 576c4be933dfa3765375788a2708c6a1775c02378f1bbdeda04d4dc8a96aff8d
            Cipher Suites Length: 72
            Cipher Suites (36 suites)
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC (0xc101)
                Cipher Suite: TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC (0xc100)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: Unknown (0xff85)
                Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xc102)
                Cipher Suite: TLS_GOSTR341001_WITH_28147_CNT_IMIT (0x0081)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 363
            Extension: server_name (len=28) name=downloads.1password.com
                Type: server_name (0)
                Length: 28
                Server Name Indication extension
                    Server Name list length: 26
                    Server Name Type: host_name (0)
                    Server Name length: 23
                    Server Name: downloads.1password.com
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
            Extension: supported_groups (len=22)
                Type: supported_groups (10)
                Length: 22
                Supported Groups List Length: 20
                Supported Groups (10 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: x448 (0x001e)
                    Supported Group: secp521r1 (0x0019)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: ffdhe2048 (0x0100)
                    Supported Group: ffdhe3072 (0x0101)
                    Supported Group: ffdhe4096 (0x0102)
                    Supported Group: ffdhe6144 (0x0103)
                    Supported Group: ffdhe8192 (0x0104)
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
                    ALPN string length: 2
                    ALPN Next Protocol: h2
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: encrypt_then_mac (len=0)
                Type: encrypt_then_mac (22)
                Length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: post_handshake_auth (len=0)
                Type: post_handshake_auth (49)
                Length: 0
            Extension: signature_algorithms (len=58)
                Type: signature_algorithms (13)
                Length: 58
                Signature Hash Algorithms Length: 56
                Signature Hash Algorithms (28 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ed25519 (0x0807)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (7)
                    Signature Algorithm: ed448 (0x0808)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (8)
                    Signature Algorithm: Unknown Unknown (0x081a)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (26)
                    Signature Algorithm: Unknown Unknown (0x081b)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (27)
                    Signature Algorithm: Unknown Unknown (0x081c)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (28)
                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (9)
                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (10)
                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (11)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: SM2 (4)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA512 DSA (0x0602)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: Unknown Unknown (0x0840)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (64)
                    Signature Algorithm: Unknown Unknown (0x0841)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (65)
                    Signature Algorithm: Unknown Unknown (0xeeee)
                        Signature Hash Algorithm Hash: Unknown (238)
                        Signature Hash Algorithm Signature: Unknown (238)
                    Signature Algorithm: Unknown Unknown (0xefef)
                        Signature Hash Algorithm Hash: Unknown (239)
                        Signature Hash Algorithm Signature: Unknown (239)
                    Signature Algorithm: Unknown Unknown (0xeded)
                        Signature Hash Algorithm Hash: Unknown (237)
                        Signature Hash Algorithm Signature: Unknown (237)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 5
                Supported Versions length: 4
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: key_share (len=38) x25519
                Type: key_share (51)
                Length: 38
                Key Share extension
                    Client Key Share Length: 36
                    Key Share Entry: Group: x25519, Key Exchange length: 32
            Extension: compress_certificate (len=3)
                Type: compress_certificate (27)
                Length: 3
                Algorithms Length: 2
                Algorithm: zlib (1)
            Extension: padding (len=137)
                Type: padding (21)
                Length: 137
                Padding Data [truncated]: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
            [JA4: t13d3613h2_6399a10af667_30e4835ce18a]
            [JA4_r [truncated]: t13d3613h2_002f,0033,0035,0039,003c,003d,0067,006b,0081,009c,009d,009e,009f,00ff,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c100,c101,c102,cca8,cca9,ccaa,ff85_000a,000b,000d,0015,0016,0017]
            [JA3 Fullstring [truncated]: 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-49409-49408-61-60-65413-49410-129-53-47-255,0-11-10-16-22-23-49-13-43-45]
            [JA3: 6720a890086e507a3e8b799f7b4413cc]



Frame 304: 1404 bytes on wire (11232 bits), 1404 bytes captured (11232 bits) on interface utun6, id 0
Null/Loopback
Internet Protocol Version 4, Src: llproxy, Dst: 570657
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x88 (DSCP: AF41, ECN: Not-ECT)
    Total Length: 1400
    Identification: 0x192b (6443)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 251
    Protocol: TCP (6)
    Header Checksum: 0x7a83 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: llproxy
    Destination Address: 570657
Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: 56174 (56174), Seq: 40, Ack: 655, Len: 1348
    Source Port: http-alt (8080)
    Destination Port: 56174 (56174)
    [Stream index: 6]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 1348]
    Sequence Number: 40    (relative sequence number)
    Sequence Number (raw): 1722682165
    [Next Sequence Number: 1388    (relative sequence number)]
    Acknowledgment Number: 655    (relative ack number)
    Acknowledgment number (raw): 3711378268
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window: 14254
    [Calculated window size: 14254]
    [Window size scaling factor: 1]
    Checksum: 0x7cea [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
        [iRTT: 0.038972000 seconds]
        [Bytes in flight: 1348]
        [Bytes sent since last PSH flag: 1348]
    TCP payload (1348 bytes)
    [Reassembled PDU in frame: 308]
    TCP segment data (1174 bytes)
Hypertext Transfer Protocol
    [Proxy-Connect-Hostname: downloads.1password.com]
    [Proxy-Connect-Port: 443]
Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 122
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 118
            Version: TLS 1.2 (0x0303)
            Random: d226ecbde4695ff4a946b4b7723d5a21ac3750463b0138670eec8459c7cf8daf
            Session ID Length: 32
            Session ID: 576c4be933dfa3765375788a2708c6a1775c02378f1bbdeda04d4dc8a96aff8d
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Compression Method: null (0)
            Extensions Length: 46
            Extension: supported_versions (len=2) TLS 1.3
                Type: supported_versions (43)
                Length: 2
                Supported Version: TLS 1.3 (0x0304)
            Extension: key_share (len=36) x25519
                Type: key_share (51)
                Length: 36
                Key Share extension
                    Key Share Entry: Group: x25519, Key Exchange length: 32
                        Group: x25519 (29)
                        Key Exchange Length: 32
                        Key Exchange: f4f3fc894f03b37b0b10b294db48e402ee60a6a86af760d992c86ccfb6a3a526
            [JA3S Fullstring: 771,4865,43-51]
            [JA3S: f4febc55ea12b31ae17cfb7e614afda8]
    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 36
        Encrypted Application Data: 133cf835eed335cca80224c967bb5bf665a157747305ef531022350391f70df94ba9b033
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLS segment data (1174 bytes)

[levitte]

I suspected something like that. The server like, "yo'weeeird, I'm walking away"

[mouse07410]

I suspected something like that. The server like, "yo'weeeird, I'm walking away"

Is there any way to test/validate this hypothesis? And if it proves true - how can we work around this problem without completely disabling OQS provider?

[ashman-p]

I suspected something like that. The server like, "yo'weeeird, I'm walking away"

Is there any way to test/validate this hypothesis? And if it proves true - how can we work around this problem without completely disabling OQS provider?

You could run s_client to connect to your server with a limited list of cipher suites, groups and sig algs?
./openssl s_client -connect <server_ip>: -tls1_3 -groups kyber512 -provider oqsprovider

[mouse07410]

With OpenSSL-3.4.x-dev (master branch):

$ openssl3 version
OpenSSL 3.4.0-dev  (Library: OpenSSL 3.4.0-dev )
$ 
$ openssl3 s_client -debug -connect www.ibm.com:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 23.34.93.246
CONNECTED(00000005)
write to 0x600003c98000 [0x7f80f6810400] (1094 bytes => 1094 (0x446))
0000 - 16 03 01 04 41 01 00 04-3d 03 03 4f a7 90 56 e7   ....A...=..O..V.
0010 - 5e 76 a4 6e 3b d1 cf c1-56 d8 5a e3 6d cf 55 43   ^v.n;...V.Z.m.UC
0020 - 5b f2 a9 9a b4 cd 95 16-79 b2 de 20 13 6f cd 52   [.......y.. .o.R
0030 - 59 b8 7b 1a 67 41 32 6f-40 e5 3d d3 a1 46 9c 70   Y.{.gA2o@.=..F.p
0040 - 6d 35 b3 16 cc 80 af 97-7d 31 a3 df 00 06 13 02   m5......}1......
0050 - 13 03 13 01 01 00 03 ee-00 00 00 10 00 0e 00 00   ................
0060 - 0b 77 77 77 2e 69 62 6d-2e 63 6f 6d 00 0a 00 04   .www.ibm.com....
0070 - 00 02 02 3a 00 23 00 00-00 16 00 00 00 17 00 00   ...:.#..........
0080 - 00 0d 00 84 00 82 04 03-05 03 06 03 08 07 08 08   ................
0090 - 08 1a 08 1b 08 1c 08 09-08 0a 08 0b 08 04 08 05   ................
00a0 - 08 06 04 01 05 01 06 01-fe a0 fe a1 fe a2 fe a3   ................
00b0 - fe a4 fe a5 fe a6 fe d0-fe d3 fe d4 fe e1 fe e2   ................
00c0 - fe e3 fe e4 fe e5 fe d1-fe d5 fe e6 fe e7 fe e8   ................
00d0 - fe e9 fe ea fe d2 fe d6-fe eb fe ec fe ed fe d7   ................
00e0 - fe d8 fe d9 fe dc fe dd-fe de fe da fe db fe df   ................
00f0 - fe e0 fe b3 fe b4 fe b5-fe b6 fe b7 fe b8 fe b9   ................
0100 - fe ba fe c2 fe c3 fe c4-00 2b 00 03 02 03 04 00   .........+......
0110 - 2d 00 02 01 01 00 33 03-26 03 24 02 3a 03 20 85   -.....3.&.$.:. .
0120 - 76 40 77 08 0c 59 f5 42-11 93 8d 03 e8 9d 39 ac   v@w..Y.B......9.
0130 - 20 18 5b 29 f0 a0 33 9d-ea 1e bb b1 2d da 31 33    .[)..3.....-.13
0140 - 5e a6 32 b7 75 37 f3 63-5b 8e a0 00 15 9c 40 06   ^.2.u7.c[.....@.
0150 - 25 a0 55 a8 01 a0 3c 87-91 e1 36 6d 29 4e 75 d4   %.U...<...6m)Nu.
0160 - 23 e3 e2 0b e4 d7 7b 63-11 18 97 90 73 94 d7 7f   #.....{c....s...
0170 - 98 f5 31 0b 2b c1 d0 44-15 89 d2 16 90 91 b3 c1   ..1.+..D........
0180 - 82 1f de 17 80 d4 48 8e-20 e3 88 72 06 af 6a 33   ......H. ..r..j3
0190 - 9e be c6 70 dd 93 9a 0a-67 30 11 46 9d ac 15 2b   ...p....g0.F...+
01a0 - d7 44 90 ee 74 7a 46 68-ae d2 b3 07 b5 c1 09 6d   .D..tzFh.......m
01b0 - 17 19 2a 9c 1e 71 69 b4-12 54 81 ab 83 8e 4a 1b   ..*..qi..T....J.
01c0 - 97 aa 42 63 1f 12 6d 79-d2 7a 02 e2 74 bf b5 bc   ..Bc..my.z..t...
01d0 - 75 4b 01 82 d8 15 a4 22-96 71 08 84 b6 34 c1 34   uK.....".q...4.4
01e0 - b2 54 27 40 17 af 73 75-06 c0 4b 91 da 22 ab c4   .T'@..su..K.."..
01f0 - c1 11 09 63 8d 93 0e 47-b2 bb 6b 8b 9d 0d 74 64   ...c...G..k...td
0200 - a6 2b 81 82 c3 cd 0a ab-58 e7 e4 88 56 97 79 fa   .+......X...V.y.
0210 - 11 88 e7 55 c4 fe d9 10-ff 59 34 bc db c7 15 dc   ...U.....Y4.....
0220 - a6 f0 26 cd 1e 6a 42 8c-07 62 59 c5 a2 34 7a 68   ..&..jB..bY..4zh
0230 - 96 e0 28 94 08 10 b6 f0-78 93 b4 c6 6f d4 03 23   ..(.....x...o..#
0240 - c3 c1 17 f2 0c 77 c5 5b-2a f4 69 41 ba 8d c1 78   .....w.[*.iA...x
0250 - 19 11 16 c0 91 67 35 4b-bc c5 39 28 11 fc 09 54   .....g5K..9(...T
0260 - 4e 99 71 bd 7b 16 aa 37-30 3e bc ae 50 2c 98 df   N.q.{..70>..P,..
0270 - 2b b6 61 0a 61 f1 39 5f-64 eb 8a c4 5c 6c 48 33   +.a.a.9_d...\lH3
0280 - 84 6b 12 7a ca 38 9f cf-b9 b5 d3 3a 9c 2f e1 ca   .k.z.8.....:./..
0290 - 13 86 a2 35 53 0e 58 69-83 ee b3 14 86 52 62 34   ...5S.Xi.....Rb4
02a0 - 01 0e 1c a7 06 03 c8 77-b9 70 cb 8b 06 0f 8c b0   .......w.p......
02b0 - 9f 70 78 63 1b 15 54 d2-e5 33 d9 52 12 3f 15 93   .pxc..T..3.R.?..
02c0 - 3a ba 70 a3 c6 7d 38 21-2b f7 73 a4 07 54 22 7a   :.p..}8!+.s..T"z
02d0 - d3 98 25 c2 6b a1 a9 2a-dd a1 4b e1 d2 95 df f6   ..%.k..*..K.....
02e0 - 62 0e d6 1c 40 30 47 85-08 a3 9e 79 0b b4 96 19   b...@0G....y....
02f0 - ee b8 27 a9 20 93 80 00-a3 7a 63 70 3f 75 43 f4   ..'. ....zcp?uC.
0300 - 63 9a 57 6c 7d 46 14 c7-25 04 21 50 72 cd 95 52   c.Wl}F..%.!Pr..R
0310 - c2 bf eb 2c d8 49 c5 59-78 56 b0 ca 0a e1 06 a9   ...,.I.YxV......
0320 - bc 41 55 ad 36 8b 9a 9b-a5 5c 38 42 ee ac 6d 21   .AU.6....\8B..m!
0330 - a0 a9 76 83 46 23 86 ae-59 39 9d 6c 44 52 1f 01   ..v.F#..Y9.lDR..
0340 - 32 59 c6 2b 90 81 40 9f-1a 38 38 9a 90 36 bb 1e   2Y.+..@..88..6..
0350 - 41 20 7a 17 53 9b 86 bb-4a 49 7b 8f b3 97 84 00   A z.S...JI{.....
0360 - 6a cb 35 b9 5e f0 14 89-10 55 86 a3 30 7e 6b 03   j.5.^....U..0~k.
0370 - 39 2e bc 0f b8 66 79 a8-81 95 76 ac c5 fb f9 21   9....fy...v....!
0380 - e9 63 a8 76 70 63 d1 23-52 10 70 c4 83 ab 4a d8   .c.vpc.#R.p...J.
0390 - b5 7e 71 58 79 1b 62 75-e5 e4 a3 ca d3 32 18 19   .~qXy.bu.....2..
03a0 - 0f 3a 69 9d 08 84 06 af-e7 c0 16 23 36 6b cc 30   .:i........#6k.0
03b0 - 9b ca 1d 41 a1 ba b0 49-73 6a 15 72 ed 12 cb a1   ...A...Isj.r....
03c0 - a9 b4 c8 19 34 9b 83 c7-90 44 50 71 17 15 8e 89   ....4....DPq....
03d0 - 41 29 48 14 90 13 19 e1-00 cc e3 73 a8 f6 40 1c   A)H........s..@.
03e0 - 19 54 80 48 e1 18 8f 32-3b 0b 65 43 b1 47 10 fc   .T.H...2;.eC.G..
03f0 - 20 b0 e5 1b 6c 5b fc 08-08 f6 6b 33 54 c5 0f 14    ...l[....k3T...
0400 - a9 76 37 1e 83 e7 16 ce-91 5d ce 98 61 ee 54 1f   .v7......]..a.T.
0410 - a7 86 25 de 06 26 28 6a-37 7c d5 20 c3 9a 02 b4   ..%..&(j7|. ....
0420 - 7b 19 dc 4c f6 ba 7e 6d-36 65 f5 05 5a e2 2e a5   {..L..~m6e..Z...
0430 - 61 14 bd ec 1d 76 bb bb-d2 bf d0 8e 0f d0 9b 00   a....v..........
0440 - 1b 00 03 02 00 01                                 ......
read from 0x600003c98000 [0x7f80f800e203] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x600003c98000 [0x7f80f800e208] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
00B1D253F87F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:907:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1094 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x600003c98000 [0x7f80f480e400] (8192 bytes => 0)
$ openssl3 s_client -debug -connect www.downloads.1password.com:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 3.90.54.249
CONNECTED(00000006)
write to 0x600003b3c000 [0x7fd452011c00] (1110 bytes => 1110 (0x456))
0000 - 16 03 01 04 51 01 00 04-4d 03 03 a8 8b d5 ef 77   ....Q...M......w
0010 - e7 05 14 13 56 71 00 48-85 84 ae a6 5f 43 c8 5e   ....Vq.H...._C.^
0020 - d2 79 34 ef d1 70 89 da-d4 29 6c 20 a3 0a e6 f9   .y4..p...)l ....
0030 - f7 eb 4f 21 84 08 42 d5-0c b7 17 29 1f a1 be 47   ..O!..B....)...G
0040 - 48 04 1d 5d 28 aa 2d 6f-9d 21 fc 05 00 06 13 02   H..](.-o.!......
0050 - 13 03 13 01 01 00 03 fe-00 00 00 20 00 1e 00 00   ........... ....
0060 - 1b 77 77 77 2e 64 6f 77-6e 6c 6f 61 64 73 2e 31   .www.downloads.1
0070 - 70 61 73 73 77 6f 72 64-2e 63 6f 6d 00 0a 00 04   password.com....
0080 - 00 02 02 3a 00 23 00 00-00 16 00 00 00 17 00 00   ...:.#..........
0090 - 00 0d 00 84 00 82 04 03-05 03 06 03 08 07 08 08   ................
00a0 - 08 1a 08 1b 08 1c 08 09-08 0a 08 0b 08 04 08 05   ................
00b0 - 08 06 04 01 05 01 06 01-fe a0 fe a1 fe a2 fe a3   ................
00c0 - fe a4 fe a5 fe a6 fe d0-fe d3 fe d4 fe e1 fe e2   ................
00d0 - fe e3 fe e4 fe e5 fe d1-fe d5 fe e6 fe e7 fe e8   ................
00e0 - fe e9 fe ea fe d2 fe d6-fe eb fe ec fe ed fe d7   ................
00f0 - fe d8 fe d9 fe dc fe dd-fe de fe da fe db fe df   ................
0100 - fe e0 fe b3 fe b4 fe b5-fe b6 fe b7 fe b8 fe b9   ................
0110 - fe ba fe c2 fe c3 fe c4-00 2b 00 03 02 03 04 00   .........+......
0120 - 2d 00 02 01 01 00 33 03-26 03 24 02 3a 03 20 24   -.....3.&.$.:. $
0130 - 36 81 6d b4 4f 64 ab 7e-d2 73 3a 18 77 8a d3 4c   6.m.Od.~.s:.w..L
0140 - 14 ef 63 1e 7d 37 52 cb-48 17 5f 49 24 29 97 0e   ..c.}7R.H._I$)..
0150 - dc 08 13 1f 14 97 58 2a-5d c8 00 b3 50 cc 43 6f   ......X*]...P.Co
0160 - 43 7f f1 3a 62 65 c1 b9-3a 0a c9 40 69 11 7c ec   C..:be..:..@i.|.
0170 - aa 5e 95 52 d1 b4 9b af-01 6d 93 a7 09 e6 ba 83   .^.R.....m......
0180 - 37 40 93 e5 ec 60 f1 b5-4a df 3b 2f d0 04 c2 f3   7@...`..J.;/....
0190 - d7 b2 a4 f6 86 38 f9 46-de a4 c0 5e 78 95 f7 fc   .....8.F...^x...
01a0 - 2c 23 9c 37 c1 90 bf f5-c4 12 15 41 64 5e c5 21   ,#.7.......Ad^.!
01b0 - a1 38 c4 8f d3 11 77 b1-31 d4 c3 77 25 c8 af 89   .8....w.1..w%...
01c0 - 14 50 30 d2 a2 a7 6b 9d-29 01 7c bd 21 98 cb 20   .P0...k.).|.!.. 
01d0 - 32 35 3b b3 2e b0 08 06-a9 12 17 c3 bb 1f 03 72   25;............r
01e0 - 4c e2 8d 64 a7 37 dc 61-bb 51 d5 89 bf 93 74 48   L..d.7.a.Q....tH
01f0 - 6b 1c bd c7 2d 08 12 9d-be 66 b8 3c 05 c7 19 e7   k...-....f.<....
0200 - ae 09 c7 aa cd b1 38 ee-08 26 3f 48 78 e4 06 2b   ......8..&?Hx..+
0210 - 58 38 a1 2c 31 b5 81 c8-85 0a 35 58 87 7a bc d3   X8.,1.....5X.z..
0220 - 72 19 16 55 bd 92 e2 20-a2 58 a8 0b b9 0a 77 03   r..U... .X....w.
0230 - 3a 93 a5 97 66 05 bf 19-b6 2e bc c7 7e 3c a8 22   :...f.......~<."
0240 - 7c 3b c9 87 07 7f 5b 69-77 35 68 7f 4b 97 57 8f   |;....[iw5h.K.W.
0250 - 38 53 5b 09 62 1c 1b 0d-ee 72 09 9a f8 79 c2 34   8S[.b....r...y.4
0260 - 27 40 78 23 da a6 2c 30-94 ca 20 2c c0 7f c9 a4   '@x#..,0.. ,....
0270 - da eb 7c 6d e0 49 16 11-1a 20 81 5d 3e e6 98 5e   ..|m.I... .]>..^
0280 - 04 42 1a d4 99 d2 da 64-e3 ca 61 e6 25 6b a6 d7   .B.....d..a.%k..
0290 - a7 dd 4c 99 1e 3c 32 c5-01 63 ef 24 5c 15 88 0e   ..L..<2..c.$\...
02a0 - ba b2 2c 7a 97 4e 95 e5-6d ac ec 1d 7c 95 c4 29   ..,z.N..m...|..)
02b0 - ea 3c 56 47 8e 3f 05 ba-e0 d5 ad d4 69 ba 79 c5   .<VG.?......i.y.
02c0 - 35 83 63 91 25 32 54 4d-d2 67 5d fc a4 b2 f7 4b   5.c.%2TM.g]....K
02d0 - cd 10 17 f9 e8 c3 dc 28-1f 36 0b 08 8f 15 ce a4   .......(.6......
02e0 - 0b aa c6 34 47 f8 80 41-7d 19 37 10 b7 0d e6 88   ...4G..A}.7.....
02f0 - 6a bc 42 0c ff 39 67 16-32 b2 a0 e8 74 03 ab 1f   j.B..9g.2...t...
0300 - f4 87 b9 ad 5c b5 d5 15-c8 ca b1 9e 6e 9b 39 2d   ....\.......n.9-
0310 - c3 ba b1 4c 25 7c 37 63-5f dc 88 9d 6c 66 48 63   ...L%|7c_...lfHc
0320 - 35 4d 12 0c 71 fa 7f 58-0c 7b a8 7a 8e cc 67 62   5M..q..X.{.z..gb
0330 - 60 01 15 83 61 3e a8 e6-07 d2 a9 51 d4 65 66 41   `...a>.....Q.efA
0340 - dc 47 05 d2 18 81 79 41-c6 e5 1a 21 76 12 92 14   .G....yA...!v...
0350 - ce 32 28 84 49 13 28 af-09 17 35 f7 10 92 05 21   .2(.I.(...5....!
0360 - 75 c8 67 b3 5a 8c a5 6a-31 e3 4b 3e 42 bc 81 3f   u.g.Z..j1.K>B..?
0370 - 0b b7 ec 2c 9c 57 5c 0c-f8 f2 17 4b 68 65 0f 3c   ...,.W\....Khe.<
0380 - a1 6c 00 0e 4f 98 01 0e-65 64 e0 03 b1 6f 1b b0   .l..O...ed...o..
0390 - 33 d6 13 00 f3 c4 62 86-ad 8b 72 24 6f 45 06 08   3.....b...r$oE..
03a0 - a5 72 fb 75 a3 07 01 ab-a4 68 16 7c 14 94 94 e9   .r.u.....h.|....
03b0 - 0c 55 da c5 eb 81 ce 83-d5 14 24 11 0e 0a 31 2b   .U........$...1+
03c0 - d2 1a 45 4f a3 6c 66 66-3c 7b 49 04 bb 15 a5 08   ..EO.lff<{I.....
03d0 - 83 52 90 89 57 11 10 2c-3c 25 ae c9 9a 1d 17 20   .R..W..,<%..... 
03e0 - 35 d9 3a 97 30 85 60 c0-82 1d 71 a1 ba a6 94 23   5.:.0.`...q....#
03f0 - 18 00 4c 67 28 8c 88 13-59 c1 34 86 69 3a 23 67   ..Lg(...Y.4.i:#g
0400 - 38 01 d1 e1 ce 68 9c cb-bc ea 8a 28 77 91 4d c1   8....h.....(w.M.
0410 - 51 be f0 ce 1a 67 b3 fb-58 10 12 a7 8a 86 5c 5a   Q....g..X.....\Z
0420 - 3c 31 3e f8 c5 99 0e b6-23 50 c4 8c 61 c1 0a 44   <1>.....#P..a..D
0430 - 19 47 c1 3f 3a 79 86 7b-08 ec 05 64 c2 ea 59 15   .G.?:y.{...d..Y.
0440 - eb 07 9d e4 ff 44 dd 36-e5 6f c5 50 d6 fd 26 00   .....D.6.o.P..&.
0450 - 1b 00 03 02 00 01                                 ......
read from 0x600003b3c000 [0x7fd452018c03] (5 bytes => 0)
write to 0x600003b3c000 [0x7fd452011c00] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
00B1D253F87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:692:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 1117 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x600003b3c000 [0x7fd44f80e400] (8192 bytes => 0)
$ 
$ openssl3 s_client -debug -connect index.crates.io:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 18.165.83.98
CONNECTED(00000006)
write to 0x60000271c400 [0x7fc8cb012a00] (1098 bytes => 1098 (0x44A))
0000 - 16 03 01 04 45 01 00 04-41 03 03 fc 8d b0 08 c2   ....E...A.......
0010 - e4 8f ca db 49 02 c9 55-ce 26 9c c8 ea 82 46 98   ....I..U.&....F.
0020 - a6 8d 29 04 b4 c8 23 4d-99 14 2d 20 4d 44 d2 1b   ..)...#M..- MD..
0030 - 6e 05 00 8d eb 00 3a 69-01 21 b9 ee ef 21 00 7b   n.....:i.!...!.{
0040 - 4e e8 ac 1b f4 18 a3 13-79 39 66 54 00 06 13 02   N.......y9fT....
0050 - 13 03 13 01 01 00 03 f2-00 00 00 14 00 12 00 00   ................
0060 - 0f 69 6e 64 65 78 2e 63-72 61 74 65 73 2e 69 6f   .index.crates.io
0070 - 00 0a 00 04 00 02 02 3a-00 23 00 00 00 16 00 00   .......:.#......
0080 - 00 17 00 00 00 0d 00 84-00 82 04 03 05 03 06 03   ................
0090 - 08 07 08 08 08 1a 08 1b-08 1c 08 09 08 0a 08 0b   ................
00a0 - 08 04 08 05 08 06 04 01-05 01 06 01 fe a0 fe a1   ................
00b0 - fe a2 fe a3 fe a4 fe a5-fe a6 fe d0 fe d3 fe d4   ................
00c0 - fe e1 fe e2 fe e3 fe e4-fe e5 fe d1 fe d5 fe e6   ................
00d0 - fe e7 fe e8 fe e9 fe ea-fe d2 fe d6 fe eb fe ec   ................
00e0 - fe ed fe d7 fe d8 fe d9-fe dc fe dd fe de fe da   ................
00f0 - fe db fe df fe e0 fe b3-fe b4 fe b5 fe b6 fe b7   ................
0100 - fe b8 fe b9 fe ba fe c2-fe c3 fe c4 00 2b 00 03   .............+..
0110 - 02 03 04 00 2d 00 02 01-01 00 33 03 26 03 24 02   ....-.....3.&.$.
0120 - 3a 03 20 1b 93 29 e9 eb-90 36 55 4c c4 13 1d 17   :. ..)...6UL....
0130 - b9 63 8e 18 3e 3a f7 b1-61 f9 74 48 c2 49 6c e4   .c..>:..a.tH.Il.
0140 - a0 a8 57 4a c8 31 93 c1-37 41 ed 40 05 ee 53 6d   ..WJ.1..7A.@..Sm
0150 - 0a d9 54 17 2c 6c f0 b5-0e 72 a2 1b cd e6 72 e4   ..T.,l...r....r.
0160 - 97 63 57 ab 7c e3 e0 bf-b6 f7 4e 11 87 00 b6 38   .cW.|.....N....8
0170 - 14 0b 14 2f 8d 53 46 5e-25 25 c4 a6 19 0b b9 c8   .../.SF^%%......
0180 - 98 c3 4b 21 7c ac c5 e4-b8 63 5a 5b 65 02 70 fd   ..K!|....cZ[e.p.
0190 - e2 97 a9 62 0e 8b bc a4-50 22 6e 56 33 58 c6 94   ...b....P"nV3X..
01a0 - af 1a aa 06 0d 30 1e 06-da 57 61 4a 26 ab c0 8e   .....0...WaJ&...
01b0 - 11 55 1a 09 e5 64 e4 a9-79 46 c9 29 11 b2 83 6c   .U...d..yF.)...l
01c0 - 97 0a ea 9b 16 2f 27 b5-7d 88 a5 95 71 13 be 38   ...../'.}...q..8
01d0 - a6 f3 88 80 bc 94 22 14-0a 70 b9 61 4a c6 61 22   ......"..p.aJ.a"
01e0 - 9e 3b 94 68 61 20 df ea-9a 4b 3c 9b 97 f1 05 f9   .;.ha ...K<.....
01f0 - 72 0e ea 6a 7a 34 98 01-d6 23 cd 54 37 80 08 ac   r..jz4...#.T7...
0200 - 13 57 52 12 54 65 69 6d-90 54 d6 4b 21 07 fc 51   .WR.Teim.T.K!..Q
0210 - 31 14 19 27 41 45 c1 44-9f cc c4 7f 9c b3 58 c7   1..'AE.D......X.
0220 - 5b be f0 33 b3 88 e3 5a-67 05 72 17 db a8 00 5a   [..3...Zg.r....Z
0230 - b6 99 51 b7 d8 98 a3 b3-6b 64 17 43 5e 9d 0c 8b   ..Q.....kd.C^...
0240 - 50 d3 ce a6 b6 c3 6a 84-14 ba a9 5c 3e 84 29 da   P.....j....\>.).
0250 - 9c 17 1f 24 b1 e9 e9 12-7d 03 76 e6 32 ac b4 a0   ...$....}.v.2...
0260 - 11 98 b5 34 e5 18 16 a2-97 1f 5f 33 13 b8 2b 09   ...4......_3..+.
0270 - e4 07 77 d2 36 cf 1e ac-a3 c2 e2 17 57 8a 51 d2   ..w.6.......W.Q.
0280 - 12 9a 5f ac 4e 2a 3c c8-0a 40 8b e7 56 41 84 b2   .._.N*<..@..VA..
0290 - 56 46 d1 bf 05 27 1f 32-d1 07 a5 d2 96 55 e5 aa   VF...'.2.....U..
02a0 - 00 86 9e 4f b4 84 43 f7-be 08 d7 38 4a 23 67 ff   ...O..C....8J#g.
02b0 - fb 26 6d 78 75 a9 97 39-56 d7 72 99 45 71 8b 80   .&mxu..9V.r.Eq..
02c0 - 4c 2c fa c9 2e 56 98 c6-b9 2b c2 0c 0b a6 a2 34   L,...V...+.....4
02d0 - d8 47 5b d0 1a a2 c2 92-10 1c 19 c8 46 db 83 b6   .G[.........F...
02e0 - 6a 62 81 c7 3c e1 0c 4e-37 b6 47 dc 01 0d 2e 69   jb..<..N7.G....i
02f0 - 6a de 1b ba 49 8b 2e dd-c8 9b 75 49 30 b6 77 a1   j...I.....uI0.w.
0300 - e2 48 2d de 85 8d 29 56-ab 24 a9 48 dc b2 0f c2   .H-...)V.$.H....
0310 - d7 c4 ea 96 6d bd 68 21-b8 29 8f 8a ca 8c 1c 59   ....m.h!.).....Y
0320 - 01 16 83 03 55 bb 4e c4-2a 4c c3 28 bd 48 88 57   ....U.N.*L.(.H.W
0330 - 0e 82 26 bb 04 be c3 84-c9 22 2a 3b da d3 2b 9b   ..&......"*;..+.
0340 - 23 8e fa 08 3b 56 d5 8a-d9 81 10 67 ab 02 15 98   #...;V.....g....
0350 - b4 9c 11 c1 f9 26 51 a3-c2 c4 47 23 0d 9d e2 45   .....&Q...G#...E
0360 - 8b e4 9f 1a 76 0b 16 86-c8 e9 36 4c 61 22 b1 3c   ....v.....6La".<
0370 - 86 18 ae 4b 88 23 75 72-49 00 99 b2 bb b8 cf 4b   ...K.#urI......K
0380 - 8f 6b 03 0a 75 26 02 69-d2 77 4a 5a ab 82 ec ba   .k..u&.i.wJZ....
0390 - b2 e2 8e 57 57 53 33 96-1c 37 a4 77 bd 06 30 ce   ...WWS3..7.w..0.
03a0 - c3 76 7e d1 38 5d 0a c9-91 50 0d 70 88 10 c7 40   .v~.8]...P.p...@
03b0 - 49 d8 53 0e 4a fc 0f 9d-6b 55 da ec 0d ed e2 48   I.S.J...kU.....H
03c0 - fc 21 9a 1c a6 ae e4 64-42 1e 33 4d ed c1 5a 06   .!.....dB.3M..Z.
03d0 - b9 cf b8 69 02 d5 b6 9d-1b 33 38 74 98 af ed c4   ...i.....38t....
03e0 - 40 80 bb 15 0a ab 83 c4-f6 96 b6 31 48 54 54 0a   @..........1HTT.
03f0 - 26 60 b9 5c f2 2e 28 e5-c1 b2 db 60 4a a6 16 fc   &`.\..(....`J...
0400 - f7 48 52 e9 78 52 29 67-5d 14 5a b0 c1 3b f1 a7   .HR.xR)g].Z..;..
0410 - 3f a8 9b 02 fd d4 55 86-7c c9 23 90 36 db 86 28   ?.....U.|.#.6..(
0420 - ea 84 48 24 67 ea c8 aa-c2 f7 de 5c 2d cb 90 c1   ..H$g......\-...
0430 - ba 0f f2 be da 40 cf 54-f8 c6 f9 3d a3 b3 38 18   .....@.T...=..8.
0440 - a2 a3 53 00 1b 00 03 02-00 01                     ..S.......
read from 0x60000271c400 [0x7fc8cb018c03] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x60000271c400 [0x7fc8cb018c08] (2 bytes => 2 (0x2))
0000 - 01 00                                             ..
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1098 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x60000271c400 [0x7fc8c980e400] (8192 bytes => 0)
$ 

With OpenSSL-3.2.1 (released/stable, Macports-installed):

$ openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
$ openssl s_client -debug -connect www.ibm.com:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 23.34.93.246
CONNECTED(00000005)
write to 0x600002fdc300 [0x7ff470012600] (1094 bytes => 1094 (0x446))
0000 - 16 03 01 04 41 01 00 04-3d 03 03 55 e1 f6 09 47   ....A...=..U...G
0010 - c9 ea 11 91 09 a9 a0 e1-37 c4 70 0d ea 43 84 5d   ........7.p..C.]
0020 - 6b 45 2c 1f e6 02 db 5f-83 6f 68 20 eb c9 93 c5   kE,...._.oh ....
0030 - 90 e8 c3 d7 37 c1 e0 a2-56 1f ba da ce 14 d6 33   ....7...V......3
0040 - d1 7e b4 79 a2 a0 62 1e-ad d8 bc c1 00 06 13 02   .~.y..b.........
0050 - 13 03 13 01 01 00 03 ee-00 00 00 10 00 0e 00 00   ................
0060 - 0b 77 77 77 2e 69 62 6d-2e 63 6f 6d 00 0a 00 04   .www.ibm.com....
0070 - 00 02 02 3a 00 23 00 00-00 16 00 00 00 17 00 00   ...:.#..........
0080 - 00 0d 00 84 00 82 04 03-05 03 06 03 08 07 08 08   ................
0090 - 08 1a 08 1b 08 1c 08 09-08 0a 08 0b 08 04 08 05   ................
00a0 - 08 06 04 01 05 01 06 01-fe a0 fe a1 fe a2 fe a3   ................
00b0 - fe a4 fe a5 fe a6 fe d0-fe d3 fe d4 fe e1 fe e2   ................
00c0 - fe e3 fe e4 fe e5 fe d1-fe d5 fe e6 fe e7 fe e8   ................
00d0 - fe e9 fe ea fe d2 fe d6-fe eb fe ec fe ed fe d7   ................
00e0 - fe d8 fe d9 fe dc fe dd-fe de fe da fe db fe df   ................
00f0 - fe e0 fe b3 fe b4 fe b5-fe b6 fe b7 fe b8 fe b9   ................
0100 - fe ba fe c2 fe c3 fe c4-00 2b 00 03 02 03 04 00   .........+......
0110 - 2d 00 02 01 01 00 33 03-26 03 24 02 3a 03 20 04   -.....3.&.$.:. .
0120 - 60 5f 52 44 70 6e fc c6-54 6c 0a aa 74 8e 38 20   `_RDpn..Tl..t.8 
0130 - 41 4a 90 b6 5b 4b 92 9d-1c 63 a6 6a 4a f4 75 49   AJ..[K...c.jJ.uI
0140 - 1f e3 54 37 c4 64 66 60-6c 2b f2 6c f6 db b9 e2   ..T7.df`l+.l....
0150 - 1a 16 88 41 8a ce 8a 26-75 25 81 c7 5a bb e5 90   ...A...&u%..Z...
0160 - 13 85 42 9c 61 75 4b 19-12 6e e6 44 ce 3e ba 23   ..B.auK..n.D.>.#
0170 - d8 4b 63 d7 ec 0d bc 14-be 2f a7 9a 13 16 45 a3   .Kc....../....E.
0180 - e6 74 21 27 45 c5 c4 42-e1 38 9c 77 5c 0a 85 b9   .t!'E..B.8.w\...
0190 - 11 fd 15 26 05 a9 aa de-58 51 eb f6 51 9a 21 4a   ...&....XQ..Q.!J
01a0 - d2 10 b8 38 16 60 1d 43-c3 ed 77 78 f3 22 84 d1   ...8.`.C..wx."..
01b0 - a5 bb 95 57 2d a7 2a 42-54 93 78 b8 20 94 1f 11   ...W-.*BT.x. ...
01c0 - 96 ca 68 5d f4 52 20 41-8b 11 e1 31 72 b7 b3 2b   ..h].R A...1r..+
01d0 - 3a 93 58 9d 53 87 9f 2b-a3 91 40 16 73 37 4b fe   :.X.S..+..@.s7K.
01e0 - 47 bd c8 07 20 4f 2a 3a-e1 95 bd f7 43 74 6b d3   G... O*:....Ctk.
01f0 - b7 3c b5 11 0e c3 4f e9-a8 af 84 e8 44 2e b2 4b   .<....O.....D..K
0200 - c1 2c 82 76 f0 2f 73 cc-94 e2 30 1c ef 21 3d 04   .,.v./s...0..!=.
0210 - 4c b9 94 09 85 75 f7 11-d2 52 4a 6c 62 66 7e cc   L....u...RJlbf~.
0220 - 66 b6 a9 a6 fd 31 5c cc-85 1e d8 11 23 29 c0 8a   f....1\.....#)..
0230 - 56 27 cf c3 e7 0d e8 a0-8c 12 02 6e 3c 20 2c 14   V'.........n< ,.
0240 - e6 93 d3 c0 04 87 68 aa-7d e7 c2 01 12 cc f4 f4   ......h.}.......
0250 - 06 00 ca 61 13 56 6d ea-3b 62 af 65 c8 0a 04 a4   ...a.Vm.;b.e....
0260 - ab 94 89 78 15 37 80 73-b4 52 0c 3c d8 d8 ba fd   ...x.7.s.R.<....
0270 - 28 a2 68 2a b2 18 6c 29-c6 b8 59 56 4b 35 5f 69   (.h*..l)..YVK5_i
0280 - 71 11 19 ca ca ac 66 6c-0a 03 2c 90 17 fd 01 57   q.....fl..,....W
0290 - 1e c1 4a 9b 02 a4 7b 4c-7c 12 f4 3e 8e 6a 84 df   ..J...{L|..>.j..
02a0 - 34 76 5e b9 44 6d 4a 3a-a9 bc 1c f0 90 2d 2e 23   4v^.DmJ:.....-.#
02b0 - 2c f5 d8 6b 4d cb 40 b3-77 5d b1 d3 98 fc dc 48   ,..kM.@.w].....H
02c0 - 2a 44 a1 97 a8 0f cc 84-04 f8 33 b8 02 07 a3 87   *D........3.....
02d0 - a7 74 b9 5a 89 92 f8 31-7e 0a 83 a8 b3 a2 07 d7   .t.Z...1~.......
02e0 - cf 32 76 77 bb 84 09 ff-c0 96 f2 21 bc 54 36 28   .2vw.......!.T6(
02f0 - 49 e9 9c 4d e9 63 ea 99-20 90 18 09 50 40 66 f8   I..M.c.. ...P@f.
0300 - 1c 7c 2c 3b b0 93 82 79-2e c5 83 61 28 20 d8 f6   .|,;...y...a( ..
0310 - ab dd 7c 41 6d a6 69 79-63 4d b4 26 07 09 70 66   ..|Am.iycM.&..pf
0320 - 60 a6 04 63 45 ce 14 12-9c 12 53 4b 05 ec 9f 88   `..cE.....SK....
0330 - b3 48 6d bc 20 11 fb 06-19 80 87 09 4a 6d b0 5b   .Hm. .......Jm.[
0340 - 6c e9 41 8d 11 52 53 4a-61 aa 75 b9 9f 7b 43 6d   l.A..RSJa.u..{Cm
0350 - 65 37 11 3e c4 24 ed 20-9a 6c 27 80 72 62 1e d9   e7.>.$. .l'.rb..
0360 - fc 51 ba 93 b8 f9 79 19-7d a6 5c 4f 57 74 37 9b   .Q....y.}.\OWt7.
0370 - 1d f8 c9 c5 66 ba 86 92-02 a1 a9 54 a2 dd 76 26   ....f......T..v&
0380 - b5 36 23 29 8c 20 9e d3-a2 77 d7 09 a2 52 3e f7   .6#). ...w...R>.
0390 - 42 ce b1 90 72 23 09 1f-5b 4c 34 cd cc 4a 70 20   B...r#..[L4..Jp 
03a0 - 43 1c 61 5a 8b 45 4d f7-11 20 1d a5 3a 3f 04 4f   C.aZ.EM.. ..:?.O
03b0 - c6 fc 5e 0b e0 4d e1 80-bb 5f a6 98 26 8b 9f a0   ..^..M..._..&...
03c0 - ca 82 73 25 82 dd 43 8d-38 ac 70 f6 d5 0c 7e 41   ..s%..C.8.p...~A
03d0 - 40 53 29 4c 60 c5 8d 16-66 75 75 4a 30 cd 3b 41   @S)L`...fuuJ0.;A
03e0 - 54 09 ad 1b ba 6b 31 2c-90 ec b2 12 b2 29 5a 60   T....k1,.....)Z`
03f0 - 7b 11 67 f6 6f 48 95 32-68 79 16 80 f2 bc 41 d6   {.g.oH.2hy....A.
0400 - c1 a1 c3 2c 11 51 c7 20-04 a9 be ea 5b 51 8a 03   ...,.Q. ....[Q..
0410 - 8a 4b 33 6f f6 57 b1 e7-1b 47 58 a1 7c 50 2d 5f   .K3o.W...GX.|P-_
0420 - bd 25 fd de ea 83 92 b2-6f 10 fd 77 1e 63 b4 72   .%......o..w.c.r
0430 - f9 df eb 6e 66 7e 42 c0-d7 e1 cd 13 d9 51 31 00   ...nf~B......Q1.
0440 - 1b 00 03 02 00 01                                 ......
read from 0x600002fdc300 [0x7ff470019003] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x600002fdc300 [0x7ff470019008] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
00B1D253F87F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:865:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1094 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x600002fdc300 [0x7ff46d00e400] (8192 bytes => 0)
$ openssl s_client -debug -connect www.downloads.1password.com:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 34.202.144.145
CONNECTED(00000006)
write to 0x600000fce000 [0x7f8e5e817e00] (1110 bytes => 1110 (0x456))
0000 - 16 03 01 04 51 01 00 04-4d 03 03 7a 5a 4c be db   ....Q...M..zZL..
0010 - d1 01 f4 b7 2e 47 a0 5e-f5 d7 3d 8d 15 d1 a8 97   .....G.^..=.....
0020 - 5d 18 95 ed db ce e8 55-0f 00 13 20 91 9d 53 15   ]......U... ..S.
0030 - 3e d2 8d e0 06 7b 53 bb-be c2 36 b2 b9 d5 a3 47   >....{S...6....G
0040 - 40 98 25 3f 54 cb 1d 55-cd ed 84 76 00 06 13 02   @.%?T..U...v....
0050 - 13 03 13 01 01 00 03 fe-00 00 00 20 00 1e 00 00   ........... ....
0060 - 1b 77 77 77 2e 64 6f 77-6e 6c 6f 61 64 73 2e 31   .www.downloads.1
0070 - 70 61 73 73 77 6f 72 64-2e 63 6f 6d 00 0a 00 04   password.com....
0080 - 00 02 02 3a 00 23 00 00-00 16 00 00 00 17 00 00   ...:.#..........
0090 - 00 0d 00 84 00 82 04 03-05 03 06 03 08 07 08 08   ................
00a0 - 08 1a 08 1b 08 1c 08 09-08 0a 08 0b 08 04 08 05   ................
00b0 - 08 06 04 01 05 01 06 01-fe a0 fe a1 fe a2 fe a3   ................
00c0 - fe a4 fe a5 fe a6 fe d0-fe d3 fe d4 fe e1 fe e2   ................
00d0 - fe e3 fe e4 fe e5 fe d1-fe d5 fe e6 fe e7 fe e8   ................
00e0 - fe e9 fe ea fe d2 fe d6-fe eb fe ec fe ed fe d7   ................
00f0 - fe d8 fe d9 fe dc fe dd-fe de fe da fe db fe df   ................
0100 - fe e0 fe b3 fe b4 fe b5-fe b6 fe b7 fe b8 fe b9   ................
0110 - fe ba fe c2 fe c3 fe c4-00 2b 00 03 02 03 04 00   .........+......
0120 - 2d 00 02 01 01 00 33 03-26 03 24 02 3a 03 20 05   -.....3.&.$.:. .
0130 - 89 39 b1 e0 1f 33 1c 48-7b e3 79 93 92 42 cb c3   .9...3.H{.y..B..
0140 - 7c e8 37 cd 0a bb bb d4-07 77 cd 9c 4c 71 f1 55   |.7......w..Lq.U
0150 - 55 7b 06 1d e7 54 53 d2-7c ba 27 27 a6 78 3a 76   U{...TS.|.''.x:v
0160 - 35 89 0e a4 1a 91 87 24-66 13 58 78 3a 61 47 cc   5......$f.Xx:aG.
0170 - 39 c5 37 95 7d 46 58 d4-79 74 fa 54 37 c2 07 ac   9.7.}FX.yt.T7...
0180 - 4c 05 59 f6 87 24 d5 12-24 7e c0 12 e4 17 be 4b   L.Y..$..$~.....K
0190 - 50 93 e9 19 19 79 d8 5a-f8 46 43 8b 40 51 d3 79   P....y.Z.FC.@Q.y
01a0 - 3d 43 9b bb 28 72 a1 ca-d7 be 78 59 c9 75 88 5c   =C..(r....xY.u.\
01b0 - 32 0c c6 9c 8b 95 6e 17-27 84 10 ae 79 64 bb d2   2.....n.'...yd..
01c0 - 98 90 1f f2 56 cc 30 11-a5 b5 9c a6 f8 ba ed f9   ....V.0.........
01d0 - 29 79 d0 43 5c 4b 8b 22-87 3a 85 3a c7 31 07 97   )y.C\K.".:.:.1..
01e0 - 9d 38 ad ce f5 04 db 84-a0 23 68 a3 9d b4 8f 5d   .8.......#h....]
01f0 - b5 74 d7 d1 80 39 d0 0d-43 c2 46 6c c3 b6 5c 2b   .t...9..C.Fl..\+
0200 - 01 a8 46 8d 34 24 1e 19-4c 35 2f 23 78 8d bc 73   ..F.4$..L5/#x..s
0210 - 84 d0 25 69 33 bd f0 6a-51 c7 f9 94 e3 c3 6a a4   ..%i3..jQ.....j.
0220 - e4 c6 3b 60 63 40 d5 47-cb 16 c6 7c c3 5e 6d 18   ..;`c@.G...|.^m.
0230 - 49 e4 a7 3f 5b 37 21 7e-c0 45 45 9c b5 7b 04 a4   I..?[7!~.EE..{..
0240 - 95 a1 96 e0 a3 b7 b3 8b-a2 07 f0 c9 07 e5 6f 74   ..............ot
0250 - 75 69 ed 81 b1 81 58 62-86 43 9b 60 f2 23 7f 1c   ui....Xb.C.`.#..
0260 - ca 18 e6 7d 35 7b 13 7f-3a 38 ec d6 be e3 da 7b   ...}5{..:8.....{
0270 - 2a c1 c6 dd 37 b8 72 02-4f 60 69 23 0f 47 10 97   *...7.r.O`i#.G..
0280 - ea 9c c3 79 72 7a 4c 0a-3f 4c b8 b2 eb a9 ba a0   ...yrzL.?L......
0290 - 0c 67 2c 5d 95 2c 18 54-53 ad b5 38 2f f0 3b 94   .g,].,.TS..8/.;.
02a0 - ce f0 c7 fd 33 14 9b d8-6d 25 fb 13 c7 41 25 f1   ....3...m%...A%.
02b0 - ac 88 81 a4 c5 03 78 16-22 10 c4 e7 b9 2e 9f d5   ......x.".......
02c0 - 18 d9 89 8a 68 02 09 20-3a 69 e0 b3 19 e8 25 7a   ....h.. :i....%z
02d0 - c0 c3 b3 f6 dc 0f f7 13-72 f7 4c 88 c6 4c 2a 85   ........r.L..L*.
02e0 - b9 3f 5e 32 bf 7f 90 ae-95 45 26 c8 e2 76 ac e4   .?^2.....E&..v..
02f0 - 05 d3 87 59 f8 80 12 75-87 29 9e db 95 f9 18 bc   ...Y...u.)......
0300 - 4f 8b b8 f1 32 61 e3 09-2e b7 49 96 e9 42 84 ba   O...2a....I..B..
0310 - 49 80 e2 07 99 ad 71 9e-41 49 b4 d2 88 49 ea 79   I.....q.AI...I.y
0320 - 27 0c e4 b7 89 37 8b 57-c3 49 a8 a0 4d 08 84 50   '....7.W.I..M..P
0330 - 64 87 b0 51 d9 66 23 16-8d 5f 5c 50 7b d3 bb 82   d..Q.f#.._\P{...
0340 - f2 52 33 09 19 44 55 47-82 35 7f 92 24 8a d4 05   .R3..DUG.5..$...
0350 - 6e 7f 53 cf 20 74 64 8f-4c a7 57 c0 2b 89 ec 41   n.S. td.L.W.+..A
0360 - 06 ba b4 2d fc 6f 93 6b-2e 62 f5 cd 93 d4 18 f8   ...-.o.k.b......
0370 - a2 81 c5 84 88 4c f1 a2-19 b0 b4 39 5c 47 52 8a   .....L.....9\GR.
0380 - a7 8b c8 ad 3b d5 c7 df-a5 32 ef a7 bf ab 44 50   ....;....2....DP
0390 - b7 e4 1f 12 63 23 17 56-43 46 c0 28 61 c3 cf 63   ....c#.VCF.(a..c
03a0 - 30 ca 60 55 12 fa 10 a1-a4 f8 88 3f 9b 06 59 73   0.`U.......?..Ys
03b0 - 92 d4 69 b9 bb 44 1d 09-b0 26 57 b7 a7 64 14 3d   ..i..D...&W..d.=
03c0 - 3c 7c b2 48 e2 61 74 93-6b 7c a3 47 13 83 ad 1a   <|.H.at.k|.G....
03d0 - 72 8e bb 35 1f fd 12 97-61 60 47 46 73 c4 ba c8   r..5....a`GFs...
03e0 - c3 a0 81 cd 7d 73 81 a5-fb ba 2e 78 7a 8d 02 75   ....}s.....xz..u
03f0 - 25 2b 49 24 46 38 18 f5-55 7d 01 47 f0 70 7d 55   %+I$F8..U}.G.p}U
0400 - 34 55 29 db 9a 45 82 30-b5 48 a4 4e c2 17 54 a7   4U)..E.0.H.N..T.
0410 - 6b 4c c8 a2 a3 72 79 e4-54 1d d9 f3 18 7b f3 87   kL...ry.T....{..
0420 - 48 32 7d 4d 8b 22 70 fc-af d3 46 3a 85 62 9e 47   H2}M."p...F:.b.G
0430 - fc 84 15 3a 3b e8 4b ec-e6 7a 6b d4 dc b3 6f 03   ...:;.K..zk...o.
0440 - c4 bd 09 35 e9 b2 02 42-42 f6 56 7c 8e 15 61 00   ...5...BB.V|..a.
0450 - 1b 00 03 02 00 01                                 ......
read from 0x600000fce000 [0x7f8e5e823e03] (5 bytes => 0)
write to 0x600000fce000 [0x7f8e5e817e00] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
00B1D253F87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:650:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 1117 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x600000fce000 [0x7f8e5d80e400] (8192 bytes => 0)
$ 
$ openssl s_client -debug -connect index.crates.io:443 -tls1_3 -groups kyber512 -provider oqs
Connecting to 18.165.83.98
CONNECTED(00000006)
write to 0x60000265e700 [0x7f7818823000] (1098 bytes => 1098 (0x44A))
0000 - 16 03 01 04 45 01 00 04-41 03 03 56 31 a8 ce d7   ....E...A..V1...
0010 - 00 a3 b9 91 7b 9e 05 8e-9f e2 8e ef 4c 21 44 57   ....{.......L!DW
0020 - e8 0f e2 08 2a 10 0f 8f-81 30 64 20 32 20 9b b6   ....*....0d 2 ..
0030 - b2 77 23 5c f9 cf 61 77-f4 4a 13 cb 00 02 36 1f   .w#\..aw.J....6.
0040 - 2d 7c 28 19 e8 b8 55 5c-80 b4 1e 18 00 06 13 02   -|(...U\........
0050 - 13 03 13 01 01 00 03 f2-00 00 00 14 00 12 00 00   ................
0060 - 0f 69 6e 64 65 78 2e 63-72 61 74 65 73 2e 69 6f   .index.crates.io
0070 - 00 0a 00 04 00 02 02 3a-00 23 00 00 00 16 00 00   .......:.#......
0080 - 00 17 00 00 00 0d 00 84-00 82 04 03 05 03 06 03   ................
0090 - 08 07 08 08 08 1a 08 1b-08 1c 08 09 08 0a 08 0b   ................
00a0 - 08 04 08 05 08 06 04 01-05 01 06 01 fe a0 fe a1   ................
00b0 - fe a2 fe a3 fe a4 fe a5-fe a6 fe d0 fe d3 fe d4   ................
00c0 - fe e1 fe e2 fe e3 fe e4-fe e5 fe d1 fe d5 fe e6   ................
00d0 - fe e7 fe e8 fe e9 fe ea-fe d2 fe d6 fe eb fe ec   ................
00e0 - fe ed fe d7 fe d8 fe d9-fe dc fe dd fe de fe da   ................
00f0 - fe db fe df fe e0 fe b3-fe b4 fe b5 fe b6 fe b7   ................
0100 - fe b8 fe b9 fe ba fe c2-fe c3 fe c4 00 2b 00 03   .............+..
0110 - 02 03 04 00 2d 00 02 01-01 00 33 03 26 03 24 02   ....-.....3.&.$.
0120 - 3a 03 20 45 55 7b 69 03-71 87 d2 ae 1b f0 1e 33   :. EU{i.q......3
0130 - 21 c9 51 f6 89 dc f0 cd-6f a2 ae 3d f3 37 8f 42   !.Q.....o..=.7.B
0140 - 6e c0 89 7d e9 68 4c 01-b8 3c 33 cb 34 34 27 86   n..}.hL..<3.44'.
0150 - ee 59 50 d8 e3 7b e9 6a-43 f8 45 8c dc 5a a0 a6   .YP..{.jC.E..Z..
0160 - 56 7c 38 93 73 95 91 08-53 e0 84 94 16 6b a8 32   V|8.s...S....k.2
0170 - 5d fc e5 29 d2 6b 96 bb-0c ab e4 36 3b 8f c5 1d   ]..).k.....6;...
0180 - 22 94 18 e8 a1 0a 08 2b-c1 7b b3 29 fc 15 cc 10   "......+.{.)....
0190 - d4 99 c7 9c 66 58 e5 87-ec bc 92 48 12 7d 7c 59   ....fX.....H.}|Y
01a0 - cb 6b da 20 24 d5 80 7d-e5 1f 30 e2 b7 82 32 1e   .k. $..}..0...2.
01b0 - 2f f1 18 fd b9 93 f3 c5-15 8c b1 3e 18 3b 3a 7c   /..........>.;:|
01c0 - 7b b6 f5 30 57 97 03 8f-23 43 4b 96 96 02 59 08   {..0W...#CK...Y.
01d0 - 7e 18 43 50 24 5a 93 b6-f8 9f d7 98 91 84 6c c0   ~.CP$Z........l.
01e0 - 4c b7 9a a8 7a 55 f5 12-18 a0 e5 1f b4 50 3a 9c   L...zU.......P:.
01f0 - 42 8e cb 9b 07 05 61 57-51 4a 81 91 74 80 38 1b   B.....aWQJ..t.8.
0200 - 41 14 07 33 a7 80 36 7e-95 4f da 31 b0 c6 ea a1   A..3..6~.O.1....
0210 - d3 a5 69 d5 a8 5b 71 fa-6a 2d 31 9b b8 37 6c d6   ..i..[q.j-1..7l.
0220 - 51 15 b4 ca 71 06 e2 3d-20 34 af c7 33 9c 37 19   Q...q..= 4..3.7.
0230 - 81 4d 1a 13 77 40 6a 23-e5 6a a6 db 57 15 b7 5d   .M..w@j#.j..W..]
0240 - c4 58 66 0e a9 60 9c 44-94 2b 54 c1 56 72 ca fa   .Xf..`.D.+T.Vr..
0250 - 23 a8 76 52 ab 4e b3 61-4e b3 55 17 43 36 b1 50   #.vR.N.aN.U.C6.P
0260 - 5d 29 78 64 02 ac b3 5c-47 6c 31 cb 5d 2b 29 77   ])xd...\Gl1.]+)w
0270 - 43 74 c6 3f 90 58 65 85-02 b2 3a 82 f8 52 34 2c   Ct.?.Xe...:..R4,
0280 - 20 82 3a 06 af 53 e0 6f-54 e2 0b b9 0c cb 88 a2    .:..S.oT.......
0290 - a5 3c d3 62 fe a7 ac 4d-3b 4f b8 b9 96 e1 61 9a   .<.b...M;O....a.
02a0 - 38 56 31 30 1a 99 a0 eb-0b c0 a0 98 e3 72 74 35   8V10.........rt5
02b0 - e9 4c c1 5a 6c 55 61 2b-23 09 64 be a2 37 9b b5   .L.ZlUa+#.d..7..
02c0 - 52 57 70 90 24 c7 20 7d-78 ba ac a6 4d 71 9b ac   RWp.$. }x...Mq..
02d0 - 8e 67 23 0c f4 8d f6 53-4b 00 47 57 07 87 93 04   .g#....SK.GW....
02e0 - 9a a5 00 c5 bb 81 92 0d-f6 52 bc e8 eb a0 c7 57   .........R.....W
02f0 - 8f aa 8c 45 c2 3c 31 40-f0 c7 e9 b8 92 26 64 9e   ...E.<1@.....&d.
0300 - f9 eb ca f4 c7 08 20 0b-93 1d 57 3f ca 82 ad 6e   ...... ...W?...n
0310 - 75 b2 67 b4 5f 18 f8 56-07 42 b8 ca ba 53 54 cb   u.g._..V.B...ST.
0320 - 37 77 ba c6 42 3b 8e ee-24 05 9a 39 05 c2 51 bd   7w..B;..$..9..Q.
0330 - 50 54 8e b1 36 6d dc 63-1c 64 83 4e 75 b0 36 7c   PT..6m.c.d.Nu.6|
0340 - 26 46 8f a6 b2 3a fb 47-bd f1 27 2b 80 89 9f 18   &F...:.G..'+....
0350 - ae 13 e0 9a a3 05 4a e8-1c b9 5a 29 ac 44 2a 4e   ......J...Z).D*N
0360 - 58 31 55 3f 9b 21 bb 8a-2e 32 7a 28 b7 a2 1d 7f   X1U?.!...2z(....
0370 - 22 c9 14 fa 7c 2f 9a 31-c0 a0 1e a3 d1 96 d7 66   "...|/.1.......f
0380 - 65 1b 73 8d 99 7c 6f 45-18 4a 5f 57 86 10 0b 61   e.s..|oE.J_W...a
0390 - ef 9a 2f 87 0a 31 6a 02-18 fc 9a 18 6a 99 c8 59   ../..1j.....j..Y
03a0 - d6 0f ed e5 0e 32 d3 46-52 f0 56 98 eb c4 1d 77   .....2.FR.V....w
03b0 - 4a 09 c7 3a 7a 00 81 85-84 39 8f a2 be cb c5 a2   J..:z....9......
03c0 - 8f 56 9a e6 e2 a7 d0 51-19 7a 94 3a b9 69 8e a1   .V.....Q.z.:.i..
03d0 - 4a c1 46 e9 02 c8 fb 8d-1b 0c 06 2a 41 2d 70 0b   J.F........*A-p.
03e0 - 2d 06 42 28 91 b4 3d a1-e4 72 ce 45 12 d6 f9 5b   -.B(..=..r.E...[
03f0 - 29 da 6e 4c 8b 7a f1 92-a7 41 f9 07 48 27 88 e3   ).nL.z...A..H'..
0400 - 4c 30 a7 40 15 de e1 21-cf 7b 26 7d 62 0c 31 31   L0.@...!.{&}b.11
0410 - 7d 1d 31 0a 17 29 84 96-92 57 22 47 b3 7a 15 ce   }.1..)...W"G.z..
0420 - dc 2c 65 71 7c 4c 31 61-3f aa fc e1 4a 5a 63 25   .,eq|L1a?...JZc%
0430 - 6b 58 58 11 40 f8 62 9d-ab c4 b7 a7 64 8c 6f 68   kXX.@.b.....d.oh
0440 - ef eb 7c 00 1b 00 03 02-00 01                     ..|.......
read from 0x60000265e700 [0x7f781b808203] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x60000265e700 [0x7f781b808208] (2 bytes => 2 (0x2))
0000 - 01 00                                             ..
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 1098 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x60000265e700 [0x7f781880e200] (8192 bytes => 0)
$ 

[iyanmv]

Another example:

fwupd will fail to get updates when oqsprovider is enabled.

Perform operation? [Y|n]: 
Downloading…             [                    \                  ]
failed to download file: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to fwupd.org:443

[baentsch]

Let me try to sum this all up:

• Some servers fail to properly complete a handshake, depending on oqsprovider being active or not, right?
• Looking at the software-stack independent tests by @mouse07410 I'm seeing www.ibm.com "properly" failing as it doesn't handle Kyber512, right (or does/should it support Kyber512)? www.downloads.1password.com fails differently, but also not surprisingly (unless it does support Kyber512: Does it?)
• So which servers now hang with oqsprovider active and work OK without oqsprovider active (using openssl s_client to eliminate any other software stack impact) -- using a group/KEM they support?

[levitte]

It isn't clear to me if the servers that were tested against are using the oqsprovider or not. What I get out of that the outputs shown here is it may as well be that they respond in different (possibly faulty) ways when faced with cipher suites they do not know... but, TLS isn't my area of expertise, so I can't do much more than relay my impression

[iyanmv]

I agree with @levitte. I don't think that the servers where I observe this issue support any PQ KEM. It's just that they fail to do the TLS handshake after the client offers PQ algs. They terminate rather than continue with a traditional KEM.

Regarding this @baentsch

So which servers now hang with oqsprovider active and work OK without oqsprovider active (using openssl s_client to eliminate any other software stack impact) -- using a group/KEM they support?

With the latest server I observed the issue, you can try to replicate the following

echo Q | openssl s_client -connect fwupd.org:443  # It works
echo Q | openssl s_client -provider oqsprovider -connect fwupd.org:443  # It fails

[iyanmv]

Oh, can it be that when -provider oqsprovider is passed, only TLS 1.3 is ever used, so if the server does not support TLS 1.3, it fails to downgrade to TLS 1.2 and continue with the default provider?

[baentsch]

Well, this error is simple: The second command (o)misses the default provider:

echo Q | openssl s_client -connect fwupd.org:443 # It works
echo Q | openssl s_client -provider oqsprovider -connect fwupd.org:443 # It fails

OK if run as such

> echo Q | openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443

[iyanmv]

Well, this error is simple: The second command (o)misses the default provider:

echo Q | openssl s_client -connect fwupd.org:443 # It works
echo Q | openssl s_client -provider oqsprovider -connect fwupd.org:443 # It fails

OK if run as such

> echo Q | openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443

(I didn't need to add the default manually because I have it enabled in the config file) But even adding -provider default still fails for me.

[iyanmv]

echo Q | openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443
Connecting to 52.37.189.50
CONNECTED(00000003)
40A7F3DFBC7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:645:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 454 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

[baentsch]

Interesting. It worked for me both for the system openssl (3.0.2) and the latest "master" build:

$ OPENSSL_MODULES=_build/lib openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
$ OPENSSL_MODULES=_build/lib openssl s_client -connect fwupd.org:443 -provider oqsprovider -provider default
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = fwupd.org
verify return:1
---
Certificate chain
 0 s:CN = fwupd.org
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 21 00:00:00 2023 GMT; NotAfter: Aug 18 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFzzCCBLegAwIBAgIQDamSmqqEGnwWKTPxnsR0UjANBgkqhkiG9w0BAQsFADA8
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g
UlNBIDIwNDggTTAyMB4XDTIzMDcyMTAwMDAwMFoXDTI0MDgxODIzNTk1OVowFDES
MBAGA1UEAxMJZnd1cGQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwKR4xLltzre3+vc3QsCt/It3XgqyWRHgxEzf4wRSnHqMG4YFw6D/+oU2zm0y
fl/+OuqPmKT4ub58W8+LluPWyOJVNzKa2Ip0hevcNLzRSPdwjqFoxlIFKIS+YZo+
iW4rMYxMvQO1tJdkkKSWxAYPvsw+jcFcC7O2ibWQd5UluJUqqttExpj/O433sWkM
dQlmsx85UAXY9dHqqJAEx0iYyYPgo9GFwQv8w9FAMejFfYS6/HjAI/e7pEDJVRvY
OB9KM/1wD4oAYufN8jcuvZi/HgpiYmWNE7FdYodd+g+dYCCcmYRoJNl3cMb7jlFy
9qKJniF7Y6aj96oO3r7MUntapQIDAQABo4IC8zCCAu8wHwYDVR0jBBgwFoAUwDFS
zVpQw4J8dHHOy+mc+XrrguIwHQYDVR0OBBYEFKX2KafEg1sO6OBxj51UBv0Y6KCh
MCMGA1UdEQQcMBqCCWZ3dXBkLm9yZ4INd3d3LmZ3dXBkLm9yZzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdHwQ0MDIw
MKAuoCyGKmh0dHA6Ly9jcmwucjJtMDIuYW1hem9udHJ1c3QuY29tL3IybTAyLmNy
bDATBgNVHSAEDDAKMAgGBmeBDAECATB1BggrBgEFBQcBAQRpMGcwLQYIKwYBBQUH
MAGGIWh0dHA6Ly9vY3NwLnIybTAyLmFtYXpvbnRydXN0LmNvbTA2BggrBgEFBQcw
AoYqaHR0cDovL2NydC5yMm0wMi5hbWF6b250cnVzdC5jb20vcjJtMDIuY2VyMAwG
A1UdEwEB/wQCMAAwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AO7N0GTV2xrO
xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABiXXwIvoAAAQDAEgwRgIhALQ/j39R
HRp23Au9w4YiFNTS7CkmViifZ1NvmH8KkHZlAiEA9hAFnzQBMlgOMfFXviajlFdM
a6A+foxp6vzNEq91VzQAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiE
cwAAAYl18CLjAAAEAwBHMEUCIQDAesn/tkOWewSAjwj2HpY3IXpuvhykcizlswLz
MRxNIgIgFKdc+YDZUityA6JWnW4h2rI/DO4lw82nGglX1b/Ya6kAdwDatr9rP7W2
Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYl18CLYAAAEAwBIMEYCIQCQdcWV
yj/PMbExCF8GgP0kUAH1QUK268LYH7szpKSwgwIhAJFk3Gx3EnXg96/aDOA8iaZs
2q0mzgEkzvpe1eM5vS3YMA0GCSqGSIb3DQEBCwUAA4IBAQAJBRibA1ALf2TR0N2a
s+7j96vI8YO0+AhFUy87yxKZdR/OmM6Jy8ezY2XU7nv/gfC46Ii5fVYEpal6sTpA
JXn3tdlcvAzWHR9MRmHdXSaspUKddcW2JdHrmipW1VD2CYRyvf+dpTMi+qv81fLo
wuiNrBXm3gKwFWjimlOExQAeEgl4Unk/K9LJROacFM9f+S+nbMekbPaRhiEyAEm6
Esf66kq7u/BwPEUCd2wJks5NC8HUHf8csf9K7Hx9cX1aZHSMmDGuKIMER1yDCEiw
sIWi2ElkG+5VUwD9UVhj0bxt4b1vkwHNoZqvMp/SdXGKJUdi1Ygj+2dNKiPqGmkL
mKk5
-----END CERTIFICATE-----
subject=CN = fwupd.org
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5578 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4ABA4644AC7C52DE2220E4AB9601B139F1AE41552DA44DFD7672C1FBA8BB1C1C
    Session-ID-ctx: 
    Master-Key: 6FA171C6466C85CA0EE59F12BCA8D4B2FDD011210AB6ED8414ACC30A0AD4F79E49A52B9275DACEB4755E3CED0C562B8C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 6d 6b 0e 96 cc 23 53 02-4a df ed 97 48 7f 3d c4   mk...#S.J...H.=.
    0010 - e2 e5 f8 68 98 1b 8f 6f-a5 96 40 f8 69 26 fd 77   ...h...o..@.i&.w
    0020 - 9e 8c a6 5c 07 73 f4 64-3b a2 07 6d 6a 9a 9a d9   ...\.s.d;..mj...
    0030 - b9 3e d9 63 2c 5e 61 10-23 cf e5 1d a3 67 28 df   .>.c,^a.#....g(.
    0040 - fd 5e 61 12 a7 0c b1 0e-a0 4d 2c e3 1b f2 cb 87   .^a......M,.....
    0050 - cb db c0 6a 7a 68 ed 19-1e e4 d4 72 54 db fd fd   ...jzh.....rT...
    0060 - 31 26 93 ea 6b f0 86 18-46                        1&..k...F

    Start Time: 1714055509
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
Q
DONE

$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl version
OpenSSL 3.4.0-dev  (Library: OpenSSL 3.4.0-dev )

$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443 
Connecting to 2600:1f14:414:5602::6ea1
CONNECTED(00000003)
depth=3 C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M02
verify return:1
depth=0 CN=fwupd.org
verify return:1
---
Certificate chain
 0 s:CN=fwupd.org
   i:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 21 00:00:00 2023 GMT; NotAfter: Aug 18 23:59:59 2024 GMT
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFzzCCBLegAwIBAgIQDamSmqqEGnwWKTPxnsR0UjANBgkqhkiG9w0BAQsFADA8
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g
UlNBIDIwNDggTTAyMB4XDTIzMDcyMTAwMDAwMFoXDTI0MDgxODIzNTk1OVowFDES
MBAGA1UEAxMJZnd1cGQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwKR4xLltzre3+vc3QsCt/It3XgqyWRHgxEzf4wRSnHqMG4YFw6D/+oU2zm0y
fl/+OuqPmKT4ub58W8+LluPWyOJVNzKa2Ip0hevcNLzRSPdwjqFoxlIFKIS+YZo+
iW4rMYxMvQO1tJdkkKSWxAYPvsw+jcFcC7O2ibWQd5UluJUqqttExpj/O433sWkM
dQlmsx85UAXY9dHqqJAEx0iYyYPgo9GFwQv8w9FAMejFfYS6/HjAI/e7pEDJVRvY
OB9KM/1wD4oAYufN8jcuvZi/HgpiYmWNE7FdYodd+g+dYCCcmYRoJNl3cMb7jlFy
9qKJniF7Y6aj96oO3r7MUntapQIDAQABo4IC8zCCAu8wHwYDVR0jBBgwFoAUwDFS
zVpQw4J8dHHOy+mc+XrrguIwHQYDVR0OBBYEFKX2KafEg1sO6OBxj51UBv0Y6KCh
MCMGA1UdEQQcMBqCCWZ3dXBkLm9yZ4INd3d3LmZ3dXBkLm9yZzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdHwQ0MDIw
MKAuoCyGKmh0dHA6Ly9jcmwucjJtMDIuYW1hem9udHJ1c3QuY29tL3IybTAyLmNy
bDATBgNVHSAEDDAKMAgGBmeBDAECATB1BggrBgEFBQcBAQRpMGcwLQYIKwYBBQUH
MAGGIWh0dHA6Ly9vY3NwLnIybTAyLmFtYXpvbnRydXN0LmNvbTA2BggrBgEFBQcw
AoYqaHR0cDovL2NydC5yMm0wMi5hbWF6b250cnVzdC5jb20vcjJtMDIuY2VyMAwG
A1UdEwEB/wQCMAAwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AO7N0GTV2xrO
xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABiXXwIvoAAAQDAEgwRgIhALQ/j39R
HRp23Au9w4YiFNTS7CkmViifZ1NvmH8KkHZlAiEA9hAFnzQBMlgOMfFXviajlFdM
a6A+foxp6vzNEq91VzQAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiE
cwAAAYl18CLjAAAEAwBHMEUCIQDAesn/tkOWewSAjwj2HpY3IXpuvhykcizlswLz
MRxNIgIgFKdc+YDZUityA6JWnW4h2rI/DO4lw82nGglX1b/Ya6kAdwDatr9rP7W2
Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYl18CLYAAAEAwBIMEYCIQCQdcWV
yj/PMbExCF8GgP0kUAH1QUK268LYH7szpKSwgwIhAJFk3Gx3EnXg96/aDOA8iaZs
2q0mzgEkzvpe1eM5vS3YMA0GCSqGSIb3DQEBCwUAA4IBAQAJBRibA1ALf2TR0N2a
s+7j96vI8YO0+AhFUy87yxKZdR/OmM6Jy8ezY2XU7nv/gfC46Ii5fVYEpal6sTpA
JXn3tdlcvAzWHR9MRmHdXSaspUKddcW2JdHrmipW1VD2CYRyvf+dpTMi+qv81fLo
wuiNrBXm3gKwFWjimlOExQAeEgl4Unk/K9LJROacFM9f+S+nbMekbPaRhiEyAEm6
Esf66kq7u/BwPEUCd2wJks5NC8HUHf8csf9K7Hx9cX1aZHSMmDGuKIMER1yDCEiw
sIWi2ElkG+5VUwD9UVhj0bxt4b1vkwHNoZqvMp/SdXGKJUdi1Ygj+2dNKiPqGmkL
mKk5
-----END CERTIFICATE-----
subject=CN=fwupd.org
issuer=C=US, O=Amazon, CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5578 bytes and written 525 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A5ABBCAD7B60FDC204D3F4AA46C2530636DD941FDA07217A8503B6730F4B39ED
    Session-ID-ctx: 
    Master-Key: CE470EB96F3E1849AC9D2988FB29F3C295FDC33B3C4AEC61AECAC2D94B387B67D8E9912E7A682117977FE8A5A6A10232
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 39 2b 77 f6 3f dd cc d4-17 1a 3c 0a 2a b3 36 96   9+w.?.....<.*.6.
    0010 - ba 4f 42 f1 e0 7e 7c f7-b0 72 d0 5b f1 fb 17 53   .OB..~|..r.[...S
    0020 - 1f 2d da fe ba 4f 0e 28-9a 46 3d 9c fb e5 af 69   .-...O.(.F=....i
    0030 - 2a 61 b8 d3 fb b3 75 85-86 95 96 c2 f2 2e 9b ef   *a....u.........
    0040 - 06 66 3f 06 62 72 59 54-d6 d6 0a 72 8a 8c 4e 0f   .f?.brYT...r..N.
    0050 - b1 72 12 e8 73 e1 5a 9c-07 9c bb 52 7b ca 1b 80   .r..s.Z....R{...
    0060 - ae e1 ab e0 4d 53 75 7c-69                        ....MSu|i

    Start Time: 1714055690
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
Q
DONE

--> What's your openssl version?

[iyanmv]

--> What's your openssl version?

$ openssl -version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

[mouse07410]

I want to bring to everybody's attention the fact that up until Apr 12th, OpenSSL and oqs-provider worked fine with all of the above sites. So, presumably, the fact that oqs advertizes Kyber has little to do with this failure - as I am sure it was doing that before Apr 12th.

It could be the upgrade to OpenSSL-3.2.1, which was installed on my machine on Apr 9th - so, if oqs-provider wasn't changed between Apr 9 and Apr 15, then OpenSSL-3.2.1 is the culprit.

[baentsch]

It could be the upgrade to OpenSSL-3.2.1

Nope: Just built openssl 3.2.1 (on Linux x64) and everything works just fine:

$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl list -verbose -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
    build info: 3.2.1
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443 
Connecting to 2600:1f14:414:5602::6ea1
CONNECTED(00000003)
depth=3 C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M02
verify return:1
depth=0 CN=fwupd.org
verify return:1
---
Certificate chain
 0 s:CN=fwupd.org
   i:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 21 00:00:00 2023 GMT; NotAfter: Aug 18 23:59:59 2024 GMT
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFzzCCBLegAwIBAgIQDamSmqqEGnwWKTPxnsR0UjANBgkqhkiG9w0BAQsFADA8
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g
UlNBIDIwNDggTTAyMB4XDTIzMDcyMTAwMDAwMFoXDTI0MDgxODIzNTk1OVowFDES
MBAGA1UEAxMJZnd1cGQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwKR4xLltzre3+vc3QsCt/It3XgqyWRHgxEzf4wRSnHqMG4YFw6D/+oU2zm0y
fl/+OuqPmKT4ub58W8+LluPWyOJVNzKa2Ip0hevcNLzRSPdwjqFoxlIFKIS+YZo+
iW4rMYxMvQO1tJdkkKSWxAYPvsw+jcFcC7O2ibWQd5UluJUqqttExpj/O433sWkM
dQlmsx85UAXY9dHqqJAEx0iYyYPgo9GFwQv8w9FAMejFfYS6/HjAI/e7pEDJVRvY
OB9KM/1wD4oAYufN8jcuvZi/HgpiYmWNE7FdYodd+g+dYCCcmYRoJNl3cMb7jlFy
9qKJniF7Y6aj96oO3r7MUntapQIDAQABo4IC8zCCAu8wHwYDVR0jBBgwFoAUwDFS
zVpQw4J8dHHOy+mc+XrrguIwHQYDVR0OBBYEFKX2KafEg1sO6OBxj51UBv0Y6KCh
MCMGA1UdEQQcMBqCCWZ3dXBkLm9yZ4INd3d3LmZ3dXBkLm9yZzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDsGA1UdHwQ0MDIw
MKAuoCyGKmh0dHA6Ly9jcmwucjJtMDIuYW1hem9udHJ1c3QuY29tL3IybTAyLmNy
bDATBgNVHSAEDDAKMAgGBmeBDAECATB1BggrBgEFBQcBAQRpMGcwLQYIKwYBBQUH
MAGGIWh0dHA6Ly9vY3NwLnIybTAyLmFtYXpvbnRydXN0LmNvbTA2BggrBgEFBQcw
AoYqaHR0cDovL2NydC5yMm0wMi5hbWF6b250cnVzdC5jb20vcjJtMDIuY2VyMAwG
A1UdEwEB/wQCMAAwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AO7N0GTV2xrO
xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABiXXwIvoAAAQDAEgwRgIhALQ/j39R
HRp23Au9w4YiFNTS7CkmViifZ1NvmH8KkHZlAiEA9hAFnzQBMlgOMfFXviajlFdM
a6A+foxp6vzNEq91VzQAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiE
cwAAAYl18CLjAAAEAwBHMEUCIQDAesn/tkOWewSAjwj2HpY3IXpuvhykcizlswLz
MRxNIgIgFKdc+YDZUityA6JWnW4h2rI/DO4lw82nGglX1b/Ya6kAdwDatr9rP7W2
Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYl18CLYAAAEAwBIMEYCIQCQdcWV
yj/PMbExCF8GgP0kUAH1QUK268LYH7szpKSwgwIhAJFk3Gx3EnXg96/aDOA8iaZs
2q0mzgEkzvpe1eM5vS3YMA0GCSqGSIb3DQEBCwUAA4IBAQAJBRibA1ALf2TR0N2a
s+7j96vI8YO0+AhFUy87yxKZdR/OmM6Jy8ezY2XU7nv/gfC46Ii5fVYEpal6sTpA
JXn3tdlcvAzWHR9MRmHdXSaspUKddcW2JdHrmipW1VD2CYRyvf+dpTMi+qv81fLo
wuiNrBXm3gKwFWjimlOExQAeEgl4Unk/K9LJROacFM9f+S+nbMekbPaRhiEyAEm6
Esf66kq7u/BwPEUCd2wJks5NC8HUHf8csf9K7Hx9cX1aZHSMmDGuKIMER1yDCEiw
sIWi2ElkG+5VUwD9UVhj0bxt4b1vkwHNoZqvMp/SdXGKJUdi1Ygj+2dNKiPqGmkL
mKk5
-----END CERTIFICATE-----
subject=CN=fwupd.org
issuer=C=US, O=Amazon, CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5578 bytes and written 525 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B760CAB64EACA3D2A251E1889FBDF51B2A46362A314256A58AB027D67A0D7865
    Session-ID-ctx: 
    Master-Key: 26DE1BAFC1F0AB0C00975F8C539174ACB163B20F14972EE9762DD9CD5988F6A21B1C40839F4E287D9AF77DD386553F44
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 1e ac f0 0c ae 8d e3 3f-a9 b7 55 72 9b 91 d1 01   .......?..Ur....
    0010 - ba 76 e0 64 36 83 8c 89-97 3e 26 c0 70 43 4b ae   .v.d6....>&.pCK.
    0020 - 3a 7d 94 06 18 ef a7 0d-22 02 bf fd b0 6e 3e fc   :}......"....n>.
    0030 - 37 27 3b 22 43 dc a7 3d-9b 89 e6 74 98 aa 79 4d   7';"C..=...t..yM
    0040 - e0 54 0c ff 52 d4 9d 96-c5 31 19 37 ae 1d 40 19   .T..R....1.7..@.
    0050 - 75 3d 3d 58 3a 61 f7 d8-0b dd b7 30 41 e0 7d d7   u==X:a.....0A.}.
    0060 - 27 34 ee 59 96 17 d2 ff-b9                        '4.Y.....

    Start Time: 1714111263
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
Q
DONE

What clearly is visible is that the server runs TLS 1.2, so anyway all "(oqs)provider logic" should not trigger anyway.

if oqs-provider wasn't changed between Apr 9 and Apr 15

Nope, too: This time period was the 0.6.0 "release hiatus".

As you can reproduce this @iyanmv @mouse07410 , could you please take a close look at my 3.2.1 log and yours to spot differences?

[iyanmv]

I did a git bisect of the oqsprovider using the OpenSSL from Arch Linux repos (3.2.1) and the liboqs fixed to the 0.10.0 release and this is the commit where running echo Q | openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443 starts to fail for me.

19e5a975a249d11e38937de80651bc855bb7ec3c is the first bad commit
commit 19e5a975a249d11e38937de80651bc855bb7ec3c
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Sat Feb 24 07:34:02 2024 +0100

    first cut adding ML-* (#348)
    
    * introducing ML-* algorithms
    
    * split KEX testing in 2 and add openssl bug warning to README
    
    * clarify utility of KEM OIDs

 ALGORITHMS.md                          | 108 ++++++----
 CONFIGURE.md                           |  11 +-
 README.md                              |   9 +
 oqs-template/generate.py               |   8 +-
 oqs-template/generate.yml              |  79 ++++++-
 oqs-template/generate_oid_nid_table.py |  16 +-
 oqs-template/generatehelpers.py        |   8 +-
 oqs-template/oqs-kem-info.md           | 184 +++++++++--------
 oqs-template/oqs-sig-info.md           | 283 ++++++++++++-------------
 oqsprov/oqs_decode_der2key.c           |  40 ++++
 oqsprov/oqs_encode_key2any.c           | 176 ++++++++++++++++
 oqsprov/oqs_kmgmt.c                    | 165 ++++++++++++---
 oqsprov/oqs_prov.h                     | 309 +++++++++++++++++++++++++++
 oqsprov/oqsdecoders.inc                |  60 ++++++
 oqsprov/oqsencoders.inc                | 181 ++++++++++++++++
 oqsprov/oqsprov.c                      | 367 ++++++++++++++++++++++++---------
 oqsprov/oqsprov_capabilities.c         | 244 +++++++++++++++-------
 oqsprov/oqsprov_keys.c                 |  21 +-
 scripts/common.py                      |  28 ++-
 scripts/release-test-ci.sh             |   2 +-
 scripts/test_tls_full.py               |  39 +++-
 21 files changed, 1828 insertions(+), 510 deletions(-)

[iyanmv]

And I can only reproduce if I enable all the algs in oqs-template/generate.yml, if I use the default one from the repo it also works.

This is what I'm doing when generating the package for Arch:

prepare() {
    # Enable additional algorithms supported by liboqs
    # See: https://github.com/open-quantum-safe/oqs-provider/issues/210
    cd ${pkgname}
    sed -i -e "s/enable: false/enable: true/g" oqs-template/generate.yml

    # Some files are needed from the liboqs source code or generate.py will fail
    LIBOQS_SRC_DIR="${srcdir}/liboqs-${_pkgverliboqs}" python oqs-template/generate.py
}

So this is the generate.yml I pass to the Python script:

# This is the master document for ID interoperability for KEM IDs, p-hybrid KEM IDs, SIG (O)IDs
# Next free plain KEM ID: 0x024A, p-hybrid: 0x2F4A, X-hybrid: 0x2FB6
kems:
  -
    family: 'FrodoKEM'
    name_group: 'frodo640aes'
    nid: '0x0200'
    nid_hybrid: '0x2F00'
    oqs_alg: 'OQS_KEM_alg_frodokem_640_aes'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          nid: '0x2F80'
  -
    family: 'FrodoKEM'
    name_group: 'frodo640shake'
    nid: '0x0201'
    nid_hybrid: '0x2F01'
    oqs_alg: 'OQS_KEM_alg_frodokem_640_shake'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          nid: '0x2F81'
  -
    family: 'FrodoKEM'
    name_group: 'frodo976aes'
    nid: '0x0202'
    nid_hybrid: '0x2F02'
    oqs_alg: 'OQS_KEM_alg_frodokem_976_aes'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2F82'
  -
    family: 'FrodoKEM'
    name_group: 'frodo976shake'
    nid: '0x0203'
    nid_hybrid: '0x2F03'
    oqs_alg: 'OQS_KEM_alg_frodokem_976_shake'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2F83'
  -
    family: 'FrodoKEM'
    name_group: 'frodo1344aes'
    nid: '0x0204'
    nid_hybrid: '0x2F04'
    oqs_alg: 'OQS_KEM_alg_frodokem_1344_aes'
  -
    family: 'FrodoKEM'
    name_group: 'frodo1344shake'
    nid: '0x0205'
    nid_hybrid: '0x2F05'
    oqs_alg: 'OQS_KEM_alg_frodokem_1344_shake'
  -
    family: 'BIKE'
    name_group: 'bike1l1cpa'
    bit_security: 128
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0206'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp256_r1
          nid: '0x2F06'
    oqs_alg: 'OQS_KEM_alg_bike1_l1_cpa'
  -
    family: 'BIKE'
    name_group: 'bike1l3cpa'
    bit_security: 192
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0207'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp384_r1
          nid: '0x2F07'
    oqs_alg: 'OQS_KEM_alg_bike1_l3_cpa'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber512'
    nid: '0x023A'
    oid: '1.3.6.1.4.1.22554.5.6.1'
    nid_hybrid: '0x2F3A'
    hybrid_oid: '1.3.6.1.4.1.22554.5.7.1'
    oqs_alg: 'OQS_KEM_alg_kyber_512'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          hybrid_oid: '1.3.6.1.4.1.22554.5.8.1'
          nid: '0x2F39'
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x020F'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp256_r1
          nid: '0x2F0F'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: x25519
          nid: '0x2F26'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber768'
    nid: '0x023C'
    oid: '1.3.6.1.4.1.22554.5.6.2'
    nid_hybrid: '0x2F3C'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2F90'
        - hybrid_group: "x25519"
          nid: '0x6399'
        - hybrid_group: "p256"
          nid: '0x639A'
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0210'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp384_r1
          nid: '0x2F10'
    oqs_alg: 'OQS_KEM_alg_kyber_768'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber1024'
    nid: '0x023D'
    oid: '1.3.6.1.4.1.22554.5.6.3'
    nid_hybrid: '0x2F3D'
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0211'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp521_r1
          nid: '0x2F11'
    oqs_alg: 'OQS_KEM_alg_kyber_1024'
  -
    family: 'ML-KEM'
    name_group: 'mlkem512'
    nid: '0x0247'
    oid: '1.3.6.1.4.1.22554.5.6.1'
    nid_hybrid: '0x2F47'
    hybrid_oid: '1.3.6.1.4.1.22554.5.7.1'
    oqs_alg: 'OQS_KEM_alg_ml_kem_512'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          hybrid_oid: '1.3.6.1.4.1.22554.5.8.1'
          nid: '0x2FB2'
  -
    family: 'ML-KEM'
    name_group: 'mlkem768'
    nid: '0x0248'
    oid: '1.3.6.1.4.1.22554.5.6.2'
    nid_hybrid: '0x2F48'
    oqs_alg: 'OQS_KEM_alg_ml_kem_768'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2FB3'
        - hybrid_group: "x25519"
          nid: '0x2FB4'
        - hybrid_group: "p256"
          nid: '0x2FB5'
  -
    family: 'ML-KEM'
    name_group: 'mlkem1024'
    nid: '0x0249'
    oid: '1.3.6.1.4.1.22554.5.6.3'
    nid_hybrid: '0x2F49'
    oqs_alg: 'OQS_KEM_alg_ml_kem_1024'
  -
    family: 'BIKE'
    name_group: 'bike1l1fo'
    bit_security: 128
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0223'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp256_r1
          nid: '0x2F23'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: "x25519"
          nid: '0x2F28'
    oqs_alg: 'OQS_KEM_alg_bike1_l1_fo'
  -
    family: 'BIKE'
    name_group: 'bike1l3fo'
    bit_security: 192
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0224'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp384_r1
          nid: '0x2F24'
    oqs_alg: 'OQS_KEM_alg_bike1_l3_fo'
  -
    family: 'BIKE'
    name_group: 'bikel1'
    implementation_version: '5.1'
    nid: '0x0241'
    nid_hybrid: '0x2F41'
    oqs_alg: 'OQS_KEM_alg_bike_l1'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          nid: '0x2FAE'
      old:
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x0238'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: x25519
          nid: '0x2F37'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp256_r1
          nid: '0x2F38'
  -
    family: 'BIKE'
    name_group: 'bikel3'
    implementation_version: '5.1'
    nid: '0x0242'
    nid_hybrid: '0x2F42'
    oqs_alg: 'OQS_KEM_alg_bike_l3'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2FAF'
      old:
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x023B'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp384_r1
          nid: '0x2F3B'
  -
    family: 'BIKE'
    name_group: 'bikel5'
    implementation_version: '5.1'
    nid: '0x0243'
    nid_hybrid: '0x2F43'
    oqs_alg: 'OQS_KEM_alg_bike_l5'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber90s512'
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x0229'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp256_r1
          nid: '0x2F29'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x023E'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp256_r1
          nid: '0x2F3E'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: x25519
          nid: '0x2FA9'
    oqs_alg: 'OQS_KEM_alg_kyber_512_90s'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber90s768'
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x022A'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp384_r1
          nid: '0x2F2A'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x023F'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp384_r1
          nid: '0x2F3F'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: x448
          nid: '0x2FAA'
    oqs_alg: 'OQS_KEM_alg_kyber_768_90s'
  -
    family: 'CRYSTALS-Kyber'
    name_group: 'kyber90s1024'
    extra_nids:
      old:
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          nid: '0x022B'
        - implementation_version: NIST Round 2 submission
          nist-round: 2
          hybrid_group: secp521_r1
          nid: '0x2F2B'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x0240'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp521_r1
          nid: '0x2F40'
    oqs_alg: 'OQS_KEM_alg_kyber_1024_90s'
  -
    family: 'HQC'
    name_group: 'hqc128'
    nid: '0x0244'
    nid_hybrid: '0x2F44'
    oqs_alg: 'OQS_KEM_alg_hqc_128'
    extra_nids:
      current:
        - hybrid_group: "x25519"
          nid: '0x2FB0'
      old:
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x022C'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp256_r1
          nid: '0x2F2C'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: x25519
          nid: '0x2FAC'
  -
    family: 'HQC'
    name_group: 'hqc192'
    nid: '0x0245'
    nid_hybrid: '0x2F45'
    oqs_alg: 'OQS_KEM_alg_hqc_192'
    extra_nids:
      current:
        - hybrid_group: "x448"
          nid: '0x2FB1'
      old:
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x022D'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp384_r1
          nid: '0x2F2D'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: x448
          nid: '0x2FAD'
  -
    family: 'HQC'
    name_group: 'hqc256'
    nid: '0x0246'
    nid_hybrid: '0x2F46'
    oqs_alg: 'OQS_KEM_alg_hqc_256'
    extra_nids:
      old:
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          nid: '0x022E'
        - implementation_version: NIST Round 3 submission
          nist-round: 3
          hybrid_group: secp521_r1
          nid: '0x2F2E'

kem_nid_end: '0x0250'
kem_nid_hybrid_end: '0x2FFF'
# need to edit ssl_local.h macros IS_OQS_KEM_CURVEID and IS_OQS_KEM_HYBRID_CURVEID with the above _end values

# Next free signature ID: 0xfed7
sigs:
  # -
    # iso (1)
    # identified-organization (3)
    # reserved (9999)
    # oqs_sig_default (1)
    # disabled
    #variants:
    #  -
    #    name: 'oqs_sig_default'
    #    pretty_name: 'OQS Default Signature Algorithm'
    #    oqs_meth: 'OQS_SIG_alg_default'
    #    oid: '1.3.9999.1.1'
    #    code_point: '0xfe00'
    #    enable: true
    #    mix_with: [{'name': 'p256',
    #                'pretty_name': 'ECDSA p256',
    #                'oid': '1.3.9999.1.2',
    #                'code_point': '0xfe01'},
    #               {'name': 'rsa3072',
    #                'pretty_name': 'RSA3072',
    #                'oid': '1.3.9999.1.3',
    #                'code_point': '0xfe02'}]
  -
    # OID scheme for hybrid variants of Dilithium:
    # iso (1)
    # identified-organization (3)
    # reserved (9999)
    # dilithium (2)
    # OID scheme for plain Dilithium:
    # iso (1)
    # identified-organization (3)
    # dod (6)
    # internet (1)
    # private (4)
    # enterprise (1)
    # IBM (2)
    # qsc (267)
    # Dilithium-r3 (7)
    family: 'CRYSTALS-Dilithium'
    variants:
      -
        name: 'dilithium2'
        pretty_name: 'Dilithium2'
        oqs_meth: 'OQS_SIG_alg_dilithium_2'
        oid: '1.3.6.1.4.1.2.267.7.4.4'
        code_point: '0xfea0'
        supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.2.7.1',
                    'code_point': '0xfea1'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.2.7.2',
                    'code_point': '0xfea2'}]
      -
        name: 'dilithium3'
        pretty_name: 'Dilithium3'
        oqs_meth: 'OQS_SIG_alg_dilithium_3'
        oid: '1.3.6.1.4.1.2.267.7.6.5'
        code_point: '0xfea3'
        supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.2.7.3',
                    'code_point': '0xfea4'}]
      -
        name: 'dilithium5'
        pretty_name: 'Dilithium5'
        oqs_meth: 'OQS_SIG_alg_dilithium_5'
        oid: '1.3.6.1.4.1.2.267.7.8.7'
        code_point: '0xfea5'
        supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.2.7.4',
                    'code_point': '0xfea6'}]
      -
        name: 'dilithium2_aes'
        pretty_name: 'Dilithium2_AES'
        oqs_meth: 'OQS_SIG_alg_dilithium_2_aes'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.6.1.4.1.2.267.11.4.4'
              code_point: '0xfea7'
              supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.2.11.1',
                          'code_point': '0xfea8'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.2.11.2',
                          'code_point': '0xfea9'}]
      -
        name: 'dilithium3_aes'
        pretty_name: 'Dilithium3_AES'
        oqs_meth: 'OQS_SIG_alg_dilithium_3_aes'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.6.1.4.1.2.267.11.6.5'
              code_point: '0xfeaa'
              supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.2.11.3',
                          'code_point': '0xfeab'}]
      -
        name: 'dilithium5_aes'
        pretty_name: 'Dilithium5_AES'
        oqs_meth: 'OQS_SIG_alg_dilithium_5_aes'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.6.1.4.1.2.267.11.8.7'
              code_point: '0xfeac'
              supported_encodings: ['draft-uni-qsckeys-dilithium-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.2.11.4',
                          'code_point': '0xfead'}]
  -
    family: 'ML-DSA'
    variants:
      -
        name: 'mldsa44'
        pretty_name: 'ML-DSA-44'
        oqs_meth: 'OQS_SIG_alg_ml_dsa_44'
        oid: '1.3.6.1.4.1.2.267.12.4.4'
        code_point: '0xfed0'
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.7.1',
                    'code_point': '0xfed3'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.7.2',
                    'code_point': '0xfed4'}]
      -
        name: 'mldsa65'
        pretty_name: 'ML-DSA-65'
        oqs_meth: 'OQS_SIG_alg_ml_dsa_65'
        oid: '1.3.6.1.4.1.2.267.12.6.5'
        code_point: '0xfed1'
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.7.3',
                    'code_point': '0xfed5'}]
      -
        name: 'mldsa87'
        pretty_name: 'ML-DSA-87'
        oqs_meth: 'OQS_SIG_alg_ml_dsa_87'
        oid: '1.3.6.1.4.1.2.267.12.8.7'
        code_point: '0xfed2'
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.7.4',
                    'code_point': '0xfed6'}]
  -
    # iso (1)
    # identified-organization (3)
    # reserved (9999)
    # falcon (3)
    family: 'Falcon'
    variants:
      -
        name: 'falcon512'
        pretty_name: 'Falcon-512'
        oqs_meth: 'OQS_SIG_alg_falcon_512'
        oid: '1.3.9999.3.6'
        code_point: '0xfeae'
        supported_encodings: ['draft-uni-qsckeys-falcon-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.3.7',
                    'code_point': '0xfeaf'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.3.8',
                    'code_point': '0xfeb0'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.3.1'
              code_point: '0xfe0b'
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.3.2',
                          'code_point': '0xfe0c'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.3.3',
                          'code_point': '0xfe0d'}]
      -
        name: 'falcon1024'
        pretty_name: 'Falcon-1024'
        oqs_meth: 'OQS_SIG_alg_falcon_1024'
        oid: '1.3.9999.3.9'
        code_point: '0xfeb1'
        supported_encodings: ['draft-uni-qsckeys-falcon-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.3.10',
                    'code_point': '0xfeb2'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.3.4'
              code_point: '0xfe0e'
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.3.5',
                          'code_point': '0xfe0f'}]
  -
    family: 'SPHINCS-Haraka'
    variants:
      -
        name: 'sphincsharaka128frobust'
        pretty_name: 'SPHINCS+-Haraka-128f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_128f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.1.1'
              code_point: '0xfe42'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.1.2',
                          'code_point': '0xfe43'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.1.3',
                          'code_point': '0xfe44'}]
      -
        name: 'sphincsharaka128fsimple'
        pretty_name: 'SPHINCS+-Haraka-128f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_128f_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.1.4'
              code_point: '0xfe45'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.1.5',
                          'code_point': '0xfe46'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.1.6',
                          'code_point': '0xfe47'}]
      -
        name: 'sphincsharaka128srobust'
        pretty_name: 'SPHINCS+-Haraka-128s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_128s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.1.7'
              code_point: '0xfe48'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.1.8',
                          'code_point': '0xfe49'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.1.9',
                          'code_point': '0xfe4a'}]
      -
        name: 'sphincsharaka128ssimple'
        pretty_name: 'SPHINCS+-Haraka-128s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_128s_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.1.10'
              code_point: '0xfe4b'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.1.11',
                          'code_point': '0xfe4c'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.1.12',
                          'code_point': '0xfe4d'}]
      -
        name: 'sphincsharaka192frobust'
        pretty_name: 'SPHINCS+-Haraka-192f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_192f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.2.1'
              code_point: '0xfe4e'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.2.2',
                          'code_point': '0xfe4f'}]
      -
        name: 'sphincsharaka192fsimple'
        pretty_name: 'SPHINCS+-Haraka-192f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_192f_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.2.3'
              code_point: '0xfe50'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.2.4',
                          'code_point': '0xfe51'}]
      -
        name: 'sphincsharaka192srobust'
        pretty_name: 'SPHINCS+-Haraka-192s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_192s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.2.5'
              code_point: '0xfe52'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.2.6',
                          'code_point': '0xfe53'}]
      -
        name: 'sphincsharaka192ssimple'
        pretty_name: 'SPHINCS+-Haraka-192s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_192s_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.2.7'
              code_point: '0xfe54'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.2.8',
                          'code_point': '0xfe55'}]
      -
        name: 'sphincsharaka256frobust'
        pretty_name: 'SPHINCS+-Haraka-256f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_256f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.3.1'
              code_point: '0xfe56'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.3.2',
                          'code_point': '0xfe57'}]
      -
        name: 'sphincsharaka256fsimple'
        pretty_name: 'SPHINCS+-Haraka-256f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_256f_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.3.3'
              code_point: '0xfe58'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.3.4',
                          'code_point': '0xfe59'}]
      -
        name: 'sphincsharaka256srobust'
        pretty_name: 'SPHINCS+-Haraka-256s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_256s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.3.5'
              code_point: '0xfe5a'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.3.6',
                          'code_point': '0xfe5b'}]
      -
        name: 'sphincsharaka256ssimple'
        pretty_name: 'SPHINCS+-Haraka-256s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_haraka_256s_simple'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.3.7'
              code_point: '0xfe5c'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.3.8',
                          'code_point': '0xfe5d'}]
  -
    family: 'SPHINCS-SHA2'
    variants:
      -
        name: 'sphincssha26128frobust'
        pretty_name: 'SPHINCS+-SHA256-128f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_128f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.4.1'
              code_point: '0xfe5e'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.4.2',
                          'code_point': '0xfe5f'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.4.3',
                          'code_point': '0xfe60'}]
      -
        name: 'sphincssha2128fsimple'
        pretty_name: 'SPHINCS+-SHA2-128f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_128f_simple'
        oid: '1.3.9999.6.4.13'
        code_point: '0xfeb3'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.6.4.14',
                    'code_point': '0xfeb4'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.6.4.15',
                    'code_point': '0xfeb5'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.4.4'
              code_point: '0xfe61'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.4.5',
                          'code_point': '0xfe62'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.4.6',
                          'code_point': '0xfe63'}]
      -
        name: 'sphincssha256128srobust'
        pretty_name: 'SPHINCS+-SHA256-128s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_128s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.4.7'
              code_point: '0xfe64'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.4.8',
                          'code_point': '0xfe65'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.4.9',
                          'code_point': '0xfe66'}]
      -
        name: 'sphincssha2128ssimple'
        pretty_name: 'SPHINCS+-SHA2-128s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_128s_simple'
        oid: '1.3.9999.6.4.16'
        code_point: '0xfeb6'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.6.4.17',
                    'code_point': '0xfeb7'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.6.4.18',
                    'code_point': '0xfeb8'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.4.10'
              code_point: '0xfe67'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.4.11',
                          'code_point': '0xfe68'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.4.12',
                          'code_point': '0xfe69'}]
      -
        name: 'sphincssha256192frobust'
        pretty_name: 'SPHINCS+-SHA256-192f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_192f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.5.1'
              code_point: '0xfe6a'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.5.2',
                          'code_point': '0xfe6b'}]
      -
        name: 'sphincssha2192fsimple'
        pretty_name: 'SPHINCS+-SHA2-192f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_192f_simple'
        oid: '1.3.9999.6.5.10'
        code_point: '0xfeb9'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.6.5.11',
                    'code_point': '0xfeba'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.5.3'
              code_point: '0xfe6c'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.5.4',
                          'code_point': '0xfe6d'}]
      -
        name: 'sphincssha256192srobust'
        pretty_name: 'SPHINCS+-SHA256-192s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_192s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.5.5'
              code_point: '0xfe6e'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.5.6',
                          'code_point': '0xfe6f'}]
      -
        name: 'sphincssha2192ssimple'
        pretty_name: 'SPHINCS+-SHA2-192s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_192s_simple'
        oid: '1.3.9999.6.5.12'
        code_point: '0xfebb'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.6.5.13',
                    'code_point': '0xfebc'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.5.7'
              code_point: '0xfe70'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.5.8',
                          'code_point': '0xfe71'}]
      -
        name: 'sphincssha256256frobust'
        pretty_name: 'SPHINCS+-SHA256-256f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_256f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.6.1'
              code_point: '0xfe72'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.6.2',
                          'code_point': '0xfe73'}]
      -
        name: 'sphincssha2256fsimple'
        pretty_name: 'SPHINCS+-SHA2-256f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_256f_simple'
        oid: '1.3.9999.6.6.10'
        code_point: '0xfebd'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.6.6.11',
                    'code_point': '0xfebe'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.6.3'
              code_point: '0xfe74'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.6.4',
                          'code_point': '0xfe75'}]
      -
        name: 'sphincssha256256srobust'
        pretty_name: 'SPHINCS+-SHA256-256s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha256_256s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.6.5'
              code_point: '0xfe76'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.6.6',
                          'code_point': '0xfe77'}]
      -
        name: 'sphincssha2256ssimple'
        pretty_name: 'SPHINCS+-SHA2-256s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_sha2_256s_simple'
        oid: '1.3.9999.6.6.12'
        code_point: '0xfec0'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.6.6.13',
                    'code_point': '0xfec1'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.6.7'
              code_point: '0xfe78'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.6.8',
                          'code_point': '0xfe79'}]
  -
    family: 'SPHINCS-SHAKE'
    variants:
      -
        name: 'sphincsshake256128frobust'
        pretty_name: 'SPHINCS+-SHAKE256-128f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_128f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.7.1'
              code_point: '0xfe7a'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.7.2',
                          'code_point': '0xfe7b'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.7.3',
                          'code_point': '0xfe7c'}]
      -
        name: 'sphincsshake128fsimple'
        pretty_name: 'SPHINCS+-SHAKE-128f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_128f_simple'
        oid: '1.3.9999.6.7.13'
        code_point: '0xfec2'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.6.7.14',
                    'code_point': '0xfec3'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.6.7.15',
                    'code_point': '0xfec4'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.7.4'
              code_point: '0xfe7d'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.7.5',
                          'code_point': '0xfe7e'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.7.6',
                          'code_point': '0xfe7f'}]
      -
        name: 'sphincsshake256128srobust'
        pretty_name: 'SPHINCS+-SHAKE256-128s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_128s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.7.7'
              code_point: '0xfe80'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.7.8',
                          'code_point': '0xfe81'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.7.9',
                          'code_point': '0xfe82'}]
      -
        name: 'sphincsshake128ssimple'
        pretty_name: 'SPHINCS+-SHAKE-128s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_128s_simple'
        oid: '1.3.9999.6.7.16'
        code_point: '0xfec5'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p256',
                    'pretty_name': 'ECDSA p256',
                    'oid': '1.3.9999.6.7.17',
                    'code_point': '0xfec6'},
                   {'name': 'rsa3072',
                    'pretty_name': 'RSA3072',
                    'oid': '1.3.9999.6.7.18',
                    'code_point': '0xfec7'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.7.10'
              code_point: '0xfe83'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p256',
                          'pretty_name': 'ECDSA p256',
                          'oid': '1.3.9999.6.7.11',
                          'code_point': '0xfe84'},
                         {'name': 'rsa3072',
                          'pretty_name': 'RSA3072',
                          'oid': '1.3.9999.6.7.12',
                          'code_point': '0xfe85'}]
      -
        name: 'sphincsshake256192frobust'
        pretty_name: 'SPHINCS+-SHAKE256-192f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_192f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.8.1'
              code_point: '0xfe86'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.8.2',
                          'code_point': '0xfe87'}]
      -
        name: 'sphincsshake192fsimple'
        pretty_name: 'SPHINCS+-SHAKE-192f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_192f_simple'
        oid: '1.3.9999.6.8.10'
        code_point: '0xfec8'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.6.8.11',
                    'code_point': '0xfec9'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.8.3'
              code_point: '0xfe88'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.8.4',
                          'code_point': '0xfe89'}]
      -
        name: 'sphincsshake256192srobust'
        pretty_name: 'SPHINCS+-SHAKE256-192s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_192s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.8.5'
              code_point: '0xfe8a'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.8.6',
                          'code_point': '0xfe8b'}]
      -
        name: 'sphincsshake192ssimple'
        pretty_name: 'SPHINCS+-SHAKE-192s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_192s_simple'
        oid: '1.3.9999.6.8.12'
        code_point: '0xfeca'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p384',
                    'pretty_name': 'ECDSA p384',
                    'oid': '1.3.9999.6.8.13',
                    'code_point': '0xfecb'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.8.7'
              code_point: '0xfe8c'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p384',
                          'pretty_name': 'ECDSA p384',
                          'oid': '1.3.9999.6.8.8',
                          'code_point': '0xfe8d'}]
      -
        name: 'sphincsshake256256frobust'
        pretty_name: 'SPHINCS+-SHAKE256-256f-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_256f_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.9.1'
              code_point: '0xfe8e'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.9.2',
                          'code_point': '0xfe8f'}]
      -
        name: 'sphincsshake256fsimple'
        pretty_name: 'SPHINCS+-SHAKE-256f-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_256f_simple'
        oid: '1.3.9999.6.9.10'
        code_point: '0xfecc'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.6.9.11',
                    'code_point': '0xfecd'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.9.3'
              code_point: '0xfe90'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.9.4',
                          'code_point': '0xfe91'}]
      -
        name: 'sphincsshake256256srobust'
        pretty_name: 'SPHINCS+-SHAKE256-256s-robust'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake256_256s_robust'
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.9.5'
              code_point: '0xfe92'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.9.6',
                          'code_point': '0xfe93'}]
      -
        name: 'sphincsshake256ssimple'
        pretty_name: 'SPHINCS+-SHAKE-256s-simple'
        oqs_meth: 'OQS_SIG_alg_sphincs_shake_256s_simple'
        oid: '1.3.9999.6.9.12'
        code_point: '0xfece'
        supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
        enable: true
        mix_with: [{'name': 'p521',
                    'pretty_name': 'ECDSA p521',
                    'oid': '1.3.9999.6.9.13',
                    'code_point': '0xfecf'}]
        extra_nids:
          old:
            - implementation_version: NIST Round 3 submission
              nist-round: 3
              oid: '1.3.9999.6.9.7'
              code_point: '0xfe94'
              supported_encodings: ['draft-uni-qsckeys-sphincsplus-00/sk-pk']
              mix_with: [{'name': 'p521',
                          'pretty_name': 'ECDSA p521',
                          'oid': '1.3.9999.6.9.8',
                          'code_point': '0xfe95'}]

[iyanmv]

Only now I saw the warning in the README file

A limitation present in older OpenSSL versions is the number of default groups supported: openssl/openssl#23624 , e.g., passing to SSL_CTX_set1_groups. Therefore caution is advised activating all KEMs supported by oqsprovider: This may lead to openssl crashing, depending on the OpenSSL version used: The problem is gone in OpenSSL "master" branch and (will be gone) in the releases 3.3.0, 3.2.2., 3.1.6 and 3.0.14.

So perhaps what I observe is just openssl/openssl#23624 ? I'm using a version where this was not fixed. I will be happy to report back when Arch updates to the new OpenSSL version.

I don't know if it's exactly what @mouse07410 originally reported because he didn't mention changing the generate.yml file to enable more algs.

[baentsch]

And I can only reproduce if I enable all the algs

Ahh....

So perhaps what I observe is just openssl/openssl#23624 ?

Well, yes, that's a very high likelihood: You could confirm if the same setting (with all algs enabled) works OK for you using openssl "master" (where this is fixed).

[mouse07410]

I don't recall changing generate.yml file, but the file is 1473 frigging lines - making it next to impossible to check.

But I blew away my copy of the repo, re-cloned it a-fresh, and repeated the test - so I can be sure that oqs-templates/generate.yml is the default version, and not something tampered with my me.

So far, result is rather sad: the problem remains.

Neither OpenSSL-3.4.0-dev, nor OpenSSL-3.2.1 were able to connect to https://index.crates.io:443 with oqs-provider enabled.

When I disable oqs-provider - connection succeeds:

$ echo Q | openssl s_client -proxy myserver:8000 -trace -debug -msg -showcerts -connect index.crates.io:443
CONNECTED(00000005)
write to 0x6000029a4400 [0x7fea91829000] (70 bytes => 70 (0x46))
0000 - 43 4f 4e 4e 45 43 54 20-69 6e 64 65 78 2e 63 72   CONNECT index.cr
0010 - 61 74 65 73 2e 69 6f 3a-34 34 33 20 48 54 54 50   ates.io:443 HTTP
0020 - 2f 31 2e 30 0d 0a 50 72-6f 78 79 2d 43 6f 6e 6e   /1.0..Proxy-Conn
0030 - 65 63 74 69 6f 6e 3a 20-4b 65 65 70 2d 41 6c 69   ection: Keep-Ali
0040 - 76 65 0d 0a 0d 0a                                 ve....
read from 0x6000029a4400 [0x7fea91821c00] (4096 bytes => 39 (0x27))
0000 - 48 54 54 50 2f 31 2e 30-20 32 30 30 20 43 6f 6e   HTTP/1.0 200 Con
0010 - 6e 65 63 74 69 6f 6e 20-65 73 74 61 62 6c 69 73   nection establis
0020 - 68 65 64 0d 0a 0d 0a                              hed....
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 01 59
>>> TLS 1.3, Handshake [length 0159], ClientHello
    01 00 01 55 03 03 74 81 2c df b0 22 55 23 f3 ef
    07 b1 f0 1b 99 e8 96 c8 4e 50 74 40 8a f9 fd 11
    f3 72 1e 28 15 26 20 79 ec c1 e2 0c 89 e3 ba 8e
    19 88 bc 41 dd f7 d8 6c ea b3 81 94 ac d3 dd d3
.  .  .
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5578 bytes and written 484 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
>>> TLS 1.2, RecordHeader [length 0005]
    17 03 03 00 13
>>> TLS 1.2, InnerContent [length 0001]
    15
write to 0x600003338500 [0x7fc76c810203] (24 bytes => 24 (0x18))
0000 - 17 03 03 00 13 ec 21 e9-80 b7 da 68 55 b4 3b da   ......!....hU.;.
0010 - e3 bf f9 e0 dd 14 71 7c-                          ......q|
>>> TLS 1.3, Alert [length 0002], warning close_notify
    01 00
read from 0x600003338500 [0x7fc76a80e400] (8192 bytes => 0)
$ 

[mouse07410]

Yes, I am talking about openssl.cnf and don't see any reasons to not have such settings as a system default. You can easily override the default settings via passing a custom OpenSSL configuration file, if necessary.

However, the current openssl.cnf does not include such settings. So, somebody has to add that support to OpenSSL, and then backport it to the stable release(s).

How would it deal with algorithms from providers that are disabled at the moment (for whatever reason)?
On top of that, I'm not crazy about writing down all the algorithms to the tune of ...:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:... from all the providers, that I want supported system-wide. Who's going to do that? @beldmit you, perhaps? @baentsch maybe you? Or will OpenSSL maintainers just add the keyword default that would include all the algorithms from all the enabled providers, and we'll be back at square one?

Which is why being able to specify for a provider what algorithms it should advertise to TLS, seems easier in the short term.

---

I was indeed counting wrong the enabled sig algs (I think I was only counting those provided by oqsprovider). When I checked with wireshark, there were many more.

That merely means that the actual limit that was exceeded when 60+ algorithms from oqsprovider were added, was larger than 64.

[beldmit]

Before answering I kindly ask you to make your tone less personal.

Yes, I am talking about openssl.cnf and don't see any reasons to not have such settings as a system default. You can easily override the default settings via passing a custom OpenSSL configuration file, if necessary.

However, the current openssl.cnf does not include such settings. So, somebody has to add that support to OpenSSL, and then backport it to the stable release(s).

openssl.cnf is a configuration file. It means it can be tuned on each and every system (or left unchanged if it's not necessary). OpenSSL supports and documents this configuration for ages.

How would it deal with algorithms from providers that are disabled at the moment (for whatever reason)? On top of that, I'm not crazy about writing down all the algorithms to the tune of ...:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:... from all the providers, that I want supported system-wide. Who's going to do that? @beldmit you, perhaps? @baentsch maybe you? Or will OpenSSL maintainers just add the keyword default that would include all the algorithms from all the enabled providers, and we'll be back at square one?

It should be done by the same person who installed and activated the particular provider, right?
If a particular setting (e.g. SignatureAlgorithms) is omitted, then no limits are applied so there is no need to provide the default keyword.

Which is why being able to specify for a provider what algorithms it should advertise to TLS, seems easier in the short term.

Let me disagree.

[iyanmv]

Perhaps this section in the USAGE.md could be expanded a little bit to satisfy @mouse07410 with a warning about that some TLS servers may fail if too many sig algs are offered by the client and how to avoid the problem with a "safe" (short enough) selection of signature algorithms as an example (like in this comment but perhaps using the same Groups from https://github.com/open-quantum-safe/oqs-demos/blob/main/nginx/fulltest/Dockerfile#L25-L26).

I think the main problem for @mouse07410 (please, correct me if I understood you wrong) is that, at the moment, some servers fail when oqsprovider is used with the default enabled sig algs and with the default OpenSSL config file.

[baentsch]

Perhaps this section in the USAGE.md could be expanded a little bit

That's precisely the quick "fix" I also had in mind. I just wanted to experiment a bit with different settings to propose something tested/validated against these "bad" servers -- and maybe already add that into a recommended default "openssl.cnf" (can't be the test one as we then could not test all sigalgs in TLS any more). Anyone beating me to a PR along those lines very welcome :)

[mouse07410]

Before answering I kindly ask you to make your tone less personal.

Yes, of course. My apologies.

openssl.cnf is a configuration file. It means it can be tuned on each and every system (or left unchanged if it's not necessary). OpenSSL supports and documents this configuration for ages.

Of course. But first, somebody would have to add what you propose to the code that deals with this file, and I suspect it's more work than you're portraying.

Second, and more importantly - it will require much more knowledge of the normal user of the "guts" of the OpenSSL than IMHO is reasonable to expect.

For example, I have no clue what signature (or KEM, or whatever) algorithms OpenSSL supports through all of its providers, and even less so - what algorithms it exports via TLS.

I don't think it's fair to expect a "normal" user - even if/when this .cnf feature gets suported! - to list all the algorithms he needs "his" TLS to support, merely because one provider offers a few extra signature algorithms that "break the back of the camel".

Perhaps this section in the USAGE.md could be expanded a little bit to satisfy @mouse07410 with a warning about that some TLS servers may fail if too many sig algs are offered by the client and how to avoid the problem with a "safe" (short enough) selection of signature algorithms as an example (like in #399 (comment)

No. I don't need this warning - I need to know what exactly to put into openssl.cnf file so that (a) I can use all the algorithms that all of the providers offer within something like pkeyutl, but (b) exclude from TLS some algorithms that I know oqsprovider offers.

And I asked (perhaps, in an impolite way) who is going to provide that text suitable for direct includion into openssl.cnf. Surely, you don't expect a user to be knowledgable enough to do that?!

That's precisely the quick "fix" I also had in mind.

I'm pretty sure this "fix" will not work for me. Thankfully, there's generate.yml file. I guess I can live with several non-NIST PQ signature algorithms omitted from crypto.

[baentsch]

Surely, you don't expect a user to be knowledgable enough to do that?!

Surely not. I tried to state that I'll give it a go but stupidly got lost doing that as my "Linux Foundation allergy" on other issues sapped all my energy. Getting too old. Sorry.

somebody would have to add what you propose to the code that deals with this file, and I suspect it's more work than you're portraying.

My idea was to add code to the oqsprovider code generator targeting (generating) a "recommended default" openssl.cnf listing 2 or 3 classic algs and then all plain NIST PQ std algs (plus some documentation around that, of course). But doing that with sufficient automation that it survives future external contributions indeed needs some more work.

[mouse07410]

OK, so here are the alternatives that I see:

1. Do nothing, except for maybe documenting the problem in the README.md, suggesting that if a user needs to TLS-communicate with a "sensitive" server, she should edit generate.yml file, disabling signatures she doesn't need, and rebuilding oqs-provider. This will completely remove disabled sigs (neither TLS nor pkeyutl or cms would have access to them).
2. Get OpenSSL to support/implement [ssl-signatures] option in openssl.cnf, and add examples to README.md or USAGE.md, giving the exact strings the user would put in that openssl.cnf field to achieve the goal of having all sigs available in cms and fewer in TLS. As other providers change and/or get added, the values of those example strings would need to change to keep up.
3. Add OSSL_CAPABILITY_TLS_SIGALG_ADVERTISE config flag to the oqs-provider. The only dependency then would be internal to this provider, all the PQ signature algorithms would be available to commands like cms, and "sensitive" servers would be OK with ClientHello received from this installation.

Needless to say, I prefer (3), while currently using (1). I don't think (2) is sustainable in the long run, unless the community agrees to (a) add such support, and (b) maintain such strings.

[beldmit]

[2] is supported in OpenSSL so I strongly prefer this solution. Installing oqsprovider is not a common configuration and anyway implies changing the openssl.cnf file for activation

[mouse07410]

[2] is supported in OpenSSL so I strongly prefer this solution.

Are you saying that [ssl-signatures] parameter in openssl.cnf is already supported? If so, references, please? Ideally - both to the code that implements it and to the man page that describes it?

Installing oqsprovider is not a common configuration and anyway implies changing the openssl.cnf file for activation

Yes. But even an otherwise-ignorant user like yours-truly can add a few trivial lines to openssl.cnf that enable oqsprovider. And the process is both short enough and well-documented.

While listing all the acceptable signature algorithms, especially when you factor in the providers, is IMHO an insurmountable task - and the one that no one can expect normal users to perform.

So, unless there are "cribs", aka - examples of complete parameter-strings that would preserve the current TLS behavior with the Classic algorithms and give "sub-strings" to append for adding algorithms from providers (probably, for every provider) - I'm strongly against the [2], because it is the best in theory but very much unusable in practice.

[beldmit]

https://openssl.org/docs/man3.2/man5/config.html, SSL Configuration
https://openssl.org/docs/man3.2/man3/SSL_CONF_cmd.html

It is here since 1.1.1

But I totally agree that the provider-specific examples of these commands are necessary

[mouse07410]

https://openssl.org/docs/man3.2/man5/config.html, SSL Configuration

Sorry, I must be dense today - but I did not find anything there that lists signatures algorithms that should be allowed/enabled for TLS. :-(

[beldmit]

Quoting:

Each configuration section consists of name/value pairs that are parsed by SSL_CONF_cmd(3), which will be called by SSL_CTX_config() or SSL_config(), appropriately.

[mouse07410]

@beldmit thanks, but I still don't understand. I cannot find field sig-signatures, or a similarly-named field anywhere in the OpenSSL codebase (master branch). I noticed the flag -sigalgs apparently available in openssl s_client command-line, but I don't see how it translates to availability in openssl.cnf. Would you mind showing exactly how to add entries to the OpenSSL config file now? And if you know - where to get the complete list of the supported algorithms in a format suitable for inclusion in the config file?

IMHO, yet another example of stuff not being ready for a "normal" user. Because if to accomplish even such a simple step one has to ask experts - it's not ready by my book.

[beldmit]

It's named SignatureAlgorithms. And yes, any documentation contribution to OpenSSL is welcome

[mouse07410]

It's named SignatureAlgorithms. And yes, any documentation contribution to OpenSSL is welcome

It makes sense that those who understand the subject contribute documentation. E.g., what would you expect me to contrbute - my questions to you?

[beldmit]

Sorry, let me disagree. I'm aware of the structure of the documentation and know where to look for it. If you find not obvious the entry point to the documentation, please let me know what you think to be a valid starting point to look.

[mouse07410]

If you find not obvious the entry point to the documentation, please let me know what you think to be a valid starting point to look.

Oh sure! Where do I begin? :-)

First, an obvious place for me to learn about the contents of the config file would be (unsurprisingly!) something like man openssl-config or man config. OK, present. I proceed down the page and find [ssl_configuration]. OK, excellent. It further points me at [client_tls_config] and [server_tls_config]. Great - but what are the values that I can put there? Here I stumble. Either there should be a list of all of the supported keys/parameter-names/whatever, or a reference like "to see the list of all the keys do man config-tls". And then - for each key needs to be a list of all the possible/legal values, and/or a way to get it (in the correct/required syntax).

How's that for the beginning? ;-)

[beldmit]

So the config manual page cuurently has the wording

Each configuration section consists of name/value pairs that are parsed by SSL_CONF_cmd(3)

What's wrong here and could you please submit a PR to make it better?

[mouse07410]

What's wrong here?

The mere fact that neither a list (let alone a complete list) of the keys and their allowed values is given, nor is the format (suitable for inclusion in openssl.cnf) of those mentioned in SSL_CONF_cmd specified. Also, as I said before - lack of the list of all the algorithms in format suitable for direct inclusion in openssl.cnf.

As I also already said, it's impractical to expect a normal user to know those.

could you please submit a PR to make it better?

If I knew the answers to the above questions - I wouldn't bother asking people here and spending my time on this discussion. Instead, I would've just edited openssl.cnf and got done with it. Unfortunately, I don't have those answers - so, here I am. :-(

[baentsch]

What's wrong here and could you please submit a PR to make it better?

First step done in openssl/openssl#24499

@mouse07410 The list of default-active sigalgs is indeed documented in SSL_CONF_cmd(3), though not in a way that it can be written down immediately. Also, it's dependent on the activated providers (as clarified in the PR above just created) which is tedious but a consequence of the dynamic provider concept.

@beldmit Are you aware of a facility within openssl to extract all such (currently registered) algorithm combinations along the lines (but extending to all permitted configurable sigalg combinations) of openssl list -signature-algorithms?

[baentsch]

And another question if I may, @beldmit : Do you know where the semantics of "..." is documented as you used it in your "crypto_policy" example above? When "playing around" with a .cnf file now generated as part of an enhanced oqsprovider generator script, these three dots make a massive difference as to what works and what doesn't.

[beldmit]

@baentsch In Fedora we ship oqsprovider/liboqs and have the corresponding PQ policy. Currently it provides all the algorithms supported by liboqs

[baentsch]

@baentsch In Fedora we ship oqsprovider/liboqs and have the corresponding PQ policy.

Thanks for letting me know, but my question pertains to openssl (config options in general). Should we create a separate discussion item there?

Currently it provides all the algorithms supported by liboqs

So does this mean you disable there all hybrid and composite algs, thus working around this issue by supporting fewer than 64 sigalgs?

[mouse07410]

The list of default-active sigalgs is indeed documented in SSL_CONF_cmd(3), though not in a way that it can be written down immediately.

Which is one of my points - a user would have to figure out how to write them down in a proper form. I don't think such an expectation is reasonable.

Also, it's dependent on the activated providers (as clarified in the PR above just created) which is tedious but a consequence of the dynamic provider concept.

Which is my other point - we can't get away from dynamic providers (nor do we want to), so the process becomes not merely tedious, but requiring an expert.

I say again - this is a nice theoretic solution that has no room in the ugly practical world.

[baentsch]

I don't think such an expectation is reasonable.

Which is my other point - we can't get away from dynamic providers (nor do we want to), so the process becomes not merely tedious, but requiring an expert.

I completely agree. Hence my question above

Are you aware of a facility within openssl to extract all such (currently registered) algorithm combinations along the lines (but extending to all permitted configurable sigalg combinations) of openssl list -signature-algorithms?

Now raised in openssl/openssl#24522 to get input from the openssl community. Also tagging @levitte @mattcaswell @romen fyi.

[mouse07410]

So far, all this discussion strengthened my conviction that the only practical doable-now way is to allow every provider (starting with this one) to define a subset of all the algorithms it supports that it will offer/expose to TLS.

[beldmit]

Unfortunately no, see my comment openssl/openssl#24535 (comment)