I'm relaying a feature request from one of our customers for adding Post-Quantum Cryptography (PQC) support to Nmap so the idea can be discussed with anyone else interested. Here's a summary of their request:
- https://test.openquantumsafe.org/ provides numerous SSL endpoints for testing, some of which require PQC algorithms to complete an SSL handshake, e.g. port 6001 but not port 6000.
- Nmap obtains SSL certificate info for port 6000 (which doesn't require PQC algorithms), but fails for 6001 (which does). Here's an example against test.openquantumsafe.org:
```
% nmap -p6000 -sC 158.177.128.14
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-07 10:17 CEST
Nmap scan report for e.80.b19e.ip4.static.sl-reverse.com (158.177.128.14)
Host is up (0.022s latency).
PORT STATE SERVICE
6000/tcp open X11
| ssl-cert: Subject: commonName=test.openquantumsafe.org
| Subject Alternative Name: DNS:test.openquantumsafe.org
| Not valid before: 2024-06-13T07:34:15
|_Not valid after: 2025-06-13T07:34:15
|_ssl-date: TLS randomness does not represent time
Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

% nmap -p6001 -sC 158.177.128.14
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-07 10:17 CEST
Nmap scan report for e.80.b19e.ip4.static.sl-reverse.com (158.177.128.14)
Host is up (0.023s latency).
PORT STATE SERVICE
6001/tcp open X11:1
Nmap done: 1 IP address (1 host up) scanned in 5.19 seconds
```
The customer would like Nmap to be able to list all ciphers presented by a PQC-supporting endpoint. They wrote that "We use Nmap extensively in our software that we provide to our customers. And we would like to clarify to our customers if their SSL endpoints are PQC-enabled. Such that our customers quickly can obtain a list of all their endpoints that need further setup in order to be ready for PQC."
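
An interim triage for output like the two scans above is to flag open ports where `ssl-cert` returned nothing, as port 6001 does. This is an added example, not part of the original issue or of Nmap; the function names are hypothetical, the sample output is constructed from the scans shown above, and it assumes every scanned port is a known TLS endpoint. A flagged port is only a candidate to recheck with a PQC-capable client, since missing `ssl-cert` output does not by itself prove a PQC requirement.

```python
import re

# Constructed sample: normal-format Nmap output modelled on the two scans in the issue.
SAMPLE = """\
Nmap scan report for e.80.b19e.ip4.static.sl-reverse.com (158.177.128.14)
Host is up (0.022s latency).
PORT STATE SERVICE
6000/tcp open X11
| ssl-cert: Subject: commonName=test.openquantumsafe.org
| Subject Alternative Name: DNS:test.openquantumsafe.org
|_ssl-date: TLS randomness does not represent time
6001/tcp open X11:1
"""

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>"
REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?([^\s()]+)\)?$")
# "<port>/tcp <state> <service>"
PORT = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)")
# Script output lines look like "| script-id: ..." or "|_script-id: ..."
SCRIPT = re.compile(r"^\|[_ ]?\s*([\w-]+):")


def triage(text):
    """Map (host, port) -> set of script ids seen under each open TCP port."""
    results, host, current = {}, None, None
    for line in text.splitlines():
        if m := REPORT.match(line):
            host, current = m.group(1), None
        elif m := PORT.match(line):
            # Only open ports are tracked; anything else resets the context.
            current = (host, int(m.group(1))) if m.group(2) == "open" else None
            if current:
                results[current] = set()
        elif current and (m := SCRIPT.match(line)):
            results[current].add(m.group(1))
    return results


def needs_recheck(text):
    """Open ports for which ssl-cert produced no output (handshake likely failed)."""
    return sorted(k for k, ids in triage(text).items() if "ssl-cert" not in ids)


if __name__ == "__main__":
    for host, port in needs_recheck(SAMPLE):
        print(f"{host}:{port} open, no ssl-cert output: recheck with a PQC-capable client")
```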