Skip to content

Clarify TLS scans without non-PQC probing#15

Open
leemeo3 wants to merge 1 commit into
anvilsecure:mainfrom
leemeo3:codex/clarify-tls-nonpqc
Open

Clarify TLS scans without non-PQC probing#15
leemeo3 wants to merge 1 commit into
anvilsecure:mainfrom
leemeo3:codex/clarify-tls-nonpqc

Conversation

@leemeo3

@leemeo3 leemeo3 commented Jun 11, 2026

Copy link
Copy Markdown

Summary

  • encode nonpqc_algos as null when a TLS scan did not run non-PQC group probes
  • add an info log that points users to --test-nonpqc-algos when no configured PQC groups are detected
  • add unit coverage for the TLS non-PQC result encoding helper

Why

Issue #13 reports TLS scan output where the connection succeeds (error: null) but all algorithm lists are empty. I reproduced the same default-scan shape with www.openssl.org:443 and badssl.com:443.

The default TLS scan only probes configured PQC groups unless --test-nonpqc-algos is supplied. Returning nonpqc_algos: [] made that look like non-PQC groups were tested and none were found. Returning null keeps the existing optional field semantics and distinguishes "not tested" from an empty tested result.

Validation

  • rustfmt --edition 2021 --check src/tls.rs
  • cargo test
  • cargo build
  • ./target/debug/pqcscan tls-scan -t www.openssl.org:443 -o /tmp/pqcscan-openssl-after-default.json
  • ./target/debug/pqcscan tls-scan -t www.openssl.org:443 --test-nonpqc-algos -o /tmp/pqcscan-openssl-after-nonpqc.json
  • ./target/debug/pqcscan tls-scan -t pq.cloudflareresearch.com:443 -o /tmp/pqcscan-cloudflare-after.json

Notes

Full cargo fmt --check and cargo clippy --all-targets --all-features still fail on existing baseline issues outside the scope of this patch.

@leemeo3 leemeo3 mentioned this pull request Jun 12, 2026
@leemeo3 leemeo3 changed the title [codex] Clarify TLS scans without non-PQC probing Clarify TLS scans without non-PQC probing Jun 12, 2026
@leemeo3
leemeo3 marked this pull request as ready for review June 12, 2026 00:53
@leemeo3

leemeo3 commented Jun 12, 2026

Copy link
Copy Markdown
Author

Rechecked this with a local OpenSSL TLS server restricted to classical groups (X25519:P-256), so the reproduction does not depend on an external endpoint.

On current origin/main, a default TLS scan against that local server reproduces the reported shape:

  • error: null
  • pqc_supported: false
  • pqc_algos: []
  • hybrid_algos: []
  • nonpqc_algos: []

With --test-nonpqc-algos on origin/main, the same server reports SECP256R1 and X25519, confirming the server is reachable and has classical TLS groups.

On this PR branch, the same default scan returns nonpqc_algos: null and logs the --test-nonpqc-algos hint, while --test-nonpqc-algos still reports SECP256R1 and X25519.

Validation:

  • cargo test -> pass (2 tests)
  • rustfmt --edition 2021 --check src/tls.rs -> pass

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant