Version: v44

Configuring PQC Key Exchange Prioritization for Nginx and TLS 1.3

note

These instructions are only applicable to PrivX single-server deployments, and HA deployments where the load balancer uses TLS-passthrough.

In HA deployments with a TLS-terminating load balancer, client TLS is terminated on the load balancer rather than on the PrivX Servers, so you must configure the load balancer to prefer PQC groups instead.

You can configure Nginx on PrivX Servers to prefer post-quantum cryptography (PQC) key-exchange algorithms for client-to-PrivX TLS connections. In TLS 1.3 the key-exchange group is negotiated from the groups offered by both sides, so clients must also support the hybrid group X25519MLKEM768 (X25519 combined with ML-KEM-768) for it to be selected; clients that do not fall back to the classical groups listed after it:

  1. Ensure the operating system provides OpenSSL 3.5.0 or newer for Nginx; X25519MLKEM768 is available as a built-in TLS group from OpenSSL 3.5.0 onward, and Nginx uses the OpenSSL it is linked against at runtime. On RHEL and Rocky Linux, this requires RHEL/Rocky 9.7 or later. For more information, see the Red Hat Enterprise Linux 9.7 release notes.

  2. On the PrivX Server, configure Nginx to prefer PQC key-exchange groups. For example, define the following in /etc/nginx/conf.d/privx.conf:

    ssl_ecdh_curve X25519MLKEM768:X25519:secp521r1;

    The list is passed to OpenSSL in the order given, so the PQC hybrid group must come first. Check the configuration with nginx -t, then restart Nginx to apply your changes.
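The following script is an added example, not part of the PrivX documentation or product, that checks the preconditions of the procedure above on a PrivX Server and then verifies which group a client actually negotiates. It assumes (all assumptions, adjust to your deployment) that the system OpenSSL is the one Nginx links at runtime, that the directive is in /etc/nginx/conf.d/privx.conf, that Nginx runs under systemd, and that PrivX serves TLS on HOST:443.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling: verify the OpenSSL version, the
# ssl_ecdh_curve directive, and the group negotiated by a TLS 1.3 client.
# Assumed: system OpenSSL is what Nginx runs with, config path below,
# systemd-managed Nginx, PrivX listening on HOST:443.
set -eu

PRIVX_NGINX_CONF=/etc/nginx/conf.d/privx.conf
PQC_GROUPS='X25519MLKEM768:X25519:secp521r1'

# openssl_version_ok "OpenSSL 3.5.0 8 Apr 2025": succeeds when the reported
# version is 3.5.0 or newer, the first OpenSSL release that ships
# X25519MLKEM768 as a built-in TLS group. Only major.minor is compared.
openssl_version_ok() {
    printf '%s\n' "$1" | awk '{
        split($2, v, ".")
        maj = v[1] + 0
        min = v[2] + 0
        exit (maj > 3 || (maj == 3 && min >= 5)) ? 0 : 1
    }'
}

# pqc_first_in_conf "$(cat file)": succeeds when an ssl_ecdh_curve directive
# lists X25519MLKEM768 first. Nginx hands the list to OpenSSL in the order
# written, so the hybrid group has to lead it.
pqc_first_in_conf() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*ssl_ecdh_curve[[:space:]]+X25519MLKEM768[:;]'
}

# negotiated_group "$(openssl s_client ...)": prints the group named on the
# "Negotiated TLS1.3 group:" line that OpenSSL 3.x s_client emits, or nothing.
negotiated_group() {
    printf '%s\n' "$1" | sed -n 's/^Negotiated TLS1.3 group: *//p' | head -n 1
}

# Live run on the PrivX Server: sh pqc-check.sh privx.example.com
main() {
    host=$1
    ver=$(openssl version)
    if ! openssl_version_ok "$ver"; then
        echo "need OpenSSL 3.5.0 or newer, have: $ver" >&2
        exit 1
    fi
    # nginx -V reports the OpenSSL it was built with and, when different,
    # the one it is running with; the running one is what matters here.
    nginx -V 2>&1 | grep -i openssl >&2 || true
    if ! pqc_first_in_conf "$(cat "$PRIVX_NGINX_CONF")"; then
        echo "add 'ssl_ecdh_curve $PQC_GROUPS;' to $PRIVX_NGINX_CONF" >&2
        exit 1
    fi
    nginx -t                     # syntax check before touching the service
    systemctl restart nginx
    # Offer the hybrid group first from the client side and read back the
    # server's choice; a classical group here means the server-side
    # preference is not in effect (old OpenSSL, or directive not loaded).
    out=$(openssl s_client -connect "$host:443" -tls1_3 \
              -groups X25519MLKEM768:X25519 </dev/null 2>&1 || true)
    group=$(negotiated_group "$out")
    if [ "$group" = X25519MLKEM768 ]; then
        echo "OK: $host negotiated $group"
    else
        echo "FAIL: $host negotiated '${group:-unknown}', not X25519MLKEM768" >&2
        exit 1
    fi
}

# Only touch the system when a host is given; the helper functions above can
# be sourced and exercised on their own.
[ $# -eq 0 ] || main "$1"
```

The s_client check is the part worth keeping around: it exercises the same code path a browser uses and tells you whether the PQC group is really being selected, rather than merely configured. Run it from a host whose own OpenSSL is 3.5.0 or newer, since an older client cannot offer X25519MLKEM768 at all.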