
[PM-27864] Add PQC TLS Support #6547

Open
Warfields wants to merge 7 commits into bitwarden:main from Warfields:main

Conversation


@Warfields Warfields commented Nov 6, 2025

🎟️ Tracking

N/A I thought this would be fun, and increase the security of my hosted server.

📔 Objective

This will allow clients and browsers to use quantum resistant TLS for connections if they support it and also enables TLS 1.3 support (with 1.2 fallback) for clients supporting TLS 1.3. This change was inspired by this Cloudflare post about the state of the post-quantum internet in 2025. I noticed that my browser was just using X25519 and I knew how to fix it, so this PR was born.

This is the reasoning behind the specific version of MLKEM over X25519 that is set as default.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@Warfields Warfields requested review from a team as code owners November 6, 2025 04:03

CLAassistant commented Nov 6, 2025

CLA assistant check
All committers have signed the CLA.


@bitwarden-bot

Thank you for your contribution! We've added this to our internal tracking system for review.
ID: PM-27864
Link: https://bitwarden.atlassian.net/browse/PM-27864

Details on our contribution process can be found here: https://contributing.bitwarden.com/contributing/pull-requests/community-pr-process.

@bitwarden-bot bitwarden-bot changed the title Add PQC TLS Support [PM-27864] Add PQC TLS Support Nov 6, 2025
Warfields (Author) commented

CI is failing because I don't have the correct permissions.

User Warfields does not have the necessary access for this repository.


@addisonbeck addisonbeck left a comment


I'm assuming you didn't test this yourself. What steps would you recommend we take to test?


Warfields commented Jan 15, 2026

I'm assuming you didn't test this yourself. What steps would you recommend we take to test?

@addisonbeck, sorry about the long reply. I was on vacation and just got back. The easy way to test this would be to build without SslCurves set in the build config and then load up the site with TLS enabled. Once that is done, do the following:

  1. In either Chrome or Chromium (they have PQC enabled by default)
  2. Open devtools
  3. Navigate to the privacy/security tab.
  4. View the security overview
  5. Look at the connection section and look for X25519MLKEM768
  [screenshot]

The above picture is an example of what you should see if this works.
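A way to make the same check without a browser, added here as an example and not part of this PR or of the Bitwarden code: a small Python parser that reads a TLS 1.3 ServerHello record and reports which key-exchange group the server selected, flagging the hybrid ML-KEM code points. The group numbers are the IANA supported_groups values (X25519MLKEM768 is 0x11EC); the ServerHello bytes the script runs on are constructed inline for offline testing and are not captured traffic. It assumes a single ServerHello in one record, which is what a capture of the first server flight gives you.

```python
"""Parse a TLS 1.3 ServerHello and report the negotiated key-exchange group.

Added example: not Bitwarden code. Feed parse_server_hello() the raw bytes of
the first server record from a captured handshake (e.g. exported from a pcap).
"""
import struct

# IANA TLS supported_groups code points; hybrid PQ values per draft-ietf-tls-ecdhe-mlkem.
GROUP_NAMES = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x001D: "X25519",
    0x001E: "X448",
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard hybrid still seen in the wild
}
PQ_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}

EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51
# Fixed random value that marks a HelloRetryRequest (RFC 8446 section 4.1.3).
HRR_RANDOM = bytes.fromhex("CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")


def parse_server_hello(record: bytes) -> dict:
    """Return version, cipher suite, selected group and HRR flag for one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 38:
        raise ValueError("truncated ServerHello")

    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    random = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1 + sid_len
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1  # legacy_compression_method
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ServerHello body")

    info = {"version": legacy_version, "cipher_suite": cipher_suite,
            "group": None, "hrr": random == HRR_RANDOM}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            info["version"] = struct.unpack("!H", data)[0]  # real version for TLS 1.3
        elif ext_type == EXT_KEY_SHARE:
            if ext_len == 2:  # HelloRetryRequest carries only the selected group
                info["group"] = struct.unpack("!H", data)[0]
            elif ext_len >= 4:  # KeyShareEntry: group, length, key_exchange
                group, kx_len = struct.unpack("!HH", data[:4])
                if kx_len != ext_len - 4:
                    raise ValueError("key_share length mismatch")
                info["group"] = group
    return info


def describe_group(group) -> str:
    if group is None:
        return "none (not TLS 1.3 or no key_share)"
    return GROUP_NAMES.get(group, f"unknown(0x{group:04x})")


def is_post_quantum(group) -> bool:
    return group in PQ_GROUPS


def build_server_hello(group: int, key_exchange: bytes, cipher_suite: int = 0x1301) -> bytes:
    """Constructed sample ServerHello record for offline testing (not captured traffic)."""
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    exts += struct.pack("!HHHH", EXT_KEY_SHARE, 4 + len(key_exchange), group, len(key_exchange))
    exts += key_exchange
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"  # legacy version, random, empty session id
    body += struct.pack("!H", cipher_suite) + b"\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed share: ML-KEM-768 ciphertext (1088 bytes) + X25519 point (32 bytes), zero-filled.
    sample = build_server_hello(0x11EC, bytes(1120))
    result = parse_server_hello(sample)
    print(f"TLS 0x{result['version']:04x}, group {describe_group(result['group'])}, "
          f"post-quantum: {is_post_quantum(result['group'])}")
```

A server that still has the old curve setting will show up here as X25519 (0x001D) rather than X25519MLKEM768, which is the same thing the devtools screenshot tells you. Where the server answers with a HelloRetryRequest, the parser reports the group the server asked the client to retry with, which is usually the more informative value. If your OpenSSL build is recent enough to support the hybrid groups, `openssl s_client -connect host:443 -groups X25519MLKEM768` gives a quicker check; the parser is for inspecting a handshake you already captured.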

addisonbeck previously approved these changes Feb 2, 2026

@addisonbeck addisonbeck left a comment


I'm okay sending this to QA. We'll need a second opinion from @vgrassia or someone else from the BRE team first though.

addisonbeck previously approved these changes Feb 10, 2026

codecov bot commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.48%. Comparing base (2ce9827) to head (9907c28).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6547      +/-   ##
==========================================
- Coverage   56.49%   56.48%   -0.01%     
==========================================
  Files        2003     2003              
  Lines       88287    88287              
  Branches     7881     7881              
==========================================
- Hits        49874    49873       -1     
- Misses      36581    36582       +1     
  Partials     1832     1832              

☔ View full report in Codecov by Sentry.

Warfields (Author) commented

@addisonbeck @vgrassia I do not have permission to kick off the required CI. Could one of you do so and merge?


@vgrassia vgrassia left a comment


The linter is failing because of the formatting.

@github-actions
Checkmarx One – Scan Summary & Details b1aa5322-1998-4cb7-8e80-6d7462a7e4b5

Great job! No new security vulnerabilities introduced in this pull request


6 participants