Hybrid TLS fails - OQS-Haproxy - OQS-Curl & Go

[Gpkmr]

Hello Team !
I need help with my PoC on Hybrid TLS. The setup has been completed and the validation via openssl is also success. But it fails when validating using CURL and Go.

More details to follow.

Goal: To do a PoC on Hybrid TLS and try to access our APIs.

1. Generated a self-signed Hybrid TLS certificate via oqs-openssl using p256_dilithium2 as the algorithm
2. Setup a reverese proxy server using oqs-haproxy
3. Used the generated self-signed certificate to terminate the hybrid TLS
4. Added our test API in the Haproxy config
5. I am getting a successful response if I test with oqs-openssl
6. But, it doesn't work if I use oqs-curl, Standard Go 1.24.4 or Cloudflare Go.

So Haproxy is rejecting the negotiation ?

Here is the my Haproxy config - I followed the same template from oqs-demo repo.

global
    maxconn 50000
    cpu-map auto:1/1-4 0-3
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    timeout connect 15s
    timeout client 45s
    timeout server 45s
    log global
    mode http
    maxconn 3000

listen stats
    bind *:8484
    stats enable
    stats uri /
    stats refresh 5s

frontend oqs.ha.proxy
    bind :8088
    bind :4433 ssl crt /opt/haproxy/certkey.pem curves kyber768:p384_kyber768
    http-request redirect scheme https unless { ssl_fc }

    acl sample_acl hdr(host) -i my.pqc.com
    use_backend sample_backend if sample_acl

    default_backend web_servers

backend web_servers
    balance roundrobin
    cookie SERVERUSED insert indirect nocache
    option httpchk HEAD /
    default-server check maxconn 20
    # just 2 plain servers for simplicity/demo purposes:
    server server1 127.0.0.1:8181 cookie server1
    server server2 127.0.0.1:8182 cookie server2

backend sample_backend
    balance roundrobin
    option httpchk GET /
    default-server check maxconn 20
    server sample_server1 myapi.pqc.com:80

Test using OpenSSL (minimal output) - Success

$ openssl s_client -connect my.pqc.com:443 -CAfile /opt/cert/ca.crt

---
No client certificate CA names sent
Peer signature type: p256_dilithium2
---
SSL handshake has read 8225 bytes and written 1657 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 128 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Test using oqs-curl - Fail

curl https://my.pqc.com
curl: (35) TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure

Test using Go code - Fail

go run pqc_v1.go  
                                                                   
Request failed: Post https://my.pqc.com: remote error: tls: handshake failure

Here are my questions

1. Why oqs-openssl works and not oqs-curl & Go ? Am i missing something in the Haproxy config ?
2. I also tried oqs-nginx but the pod throws error upons pod startup, I tested with both p256_dilithium2 & p384_dilithium3 self-signed certificates.

2025/07/08 07:23:05 [emerg] 14#0: SSL_CTX_use_certificate("/opt/nginx/pki/server.crt") failed (SSL: error:03000072:digital envelope routines::decode error error:0A00018F:SSL routines::ee key too small)

nginx: [emerg] SSL_CTX_use_certificate("/opt/nginx/pki/server.crt") failed (SSL: error:03000072:digital envelope routines::decode error error:0A00018F:SSL routines::ee key too small)

3. How do I make this work ?

[davidkel]

Are you building the oqs-demos from source or are you pulling down the published versions from dockerhub ? Curious to know if they may be some problem with the published versions or something in the local build. Standard go has no support at all for any QSC certificate schemes so don't expect that to work. Cloudflare go does have some extras I believe but I have never tried it.

[Gpkmr]

I am pulling the container images from the oqs dockerhub.

[davidkel]

I've done some testing. I pulled the following images from dockerhub

• openquantumsafe/oqs-ossl3:latest
• openquantumsafe/nginx:latest
• openquantumsafe/haproxy:latest
• openquantumsafe/nodejs:latest
  openquantumsafe/curl:latest

I note that oqs-ossl3:latest is older than the other 4, and that is significant.
oqs-ossl3 still supports kyber and dilithium, however all the other images (which are newer than that date) don't appear to support kyber and dilithium any more (and that will include hybrid). I suspect that the oqs haproxy image you are using is not the same version as mine so must still support these old algorithms which is why you can get haproxy to work.

kyber and dilithium have been superceded by mlkem and mldsa. So the best way forward for you I think would be to stop using the old algorithms and make sure you have the latest haproxy image downloaded.

I don't know if there was a bug in oqs that lost these old algorithms or whether they have actually been removed and the documentation just not updated but personally I think it best to not be using those algorithms anymore anyway.

Hopefully that should help you move your POC forward