post-quantum tls . single rust binary . MIT/Apache

who actually ships post-quantum TLS today?

the IETF TLS WG specifies X25519MLKEM768 (codepoint 0x11ec) as the canonical hybrid post-quantum key exchange. browsers, edge networks and modern Rust TLS stacks have it enabled. most other servers are still classical. before 2030 a lot of TLS traffic that exists today will retroactively become readable to a sufficiently large quantum computer. pqfetch is the simplest possible answer to "is my server in the safe set?": connect with a client that prefers the post-quantum hybrid, report the negotiated kex.

pqfetch scans cloudflare/github/openai and a built-in curated list
curated scan, mid-2026

14 of 17 big-name hosts already ship the hybrid kex.

$ pqfetch --curated

host                tls   kx               pq?
cloudflare.com      1.3   X25519MLKEM768   yes
google.com          1.3   X25519MLKEM768   yes
youtube.com         1.3   X25519MLKEM768   yes
github.com          1.3   X25519           no
amazon.com          1.3   X25519           no
apple.com           1.3   X25519MLKEM768   yes
microsoft.com       1.3   secp256r1        no
openai.com          1.3   X25519MLKEM768   yes
anthropic.com       1.3   X25519MLKEM768   yes
meta.com            1.3   X25519MLKEM768   yes
facebook.com        1.3   X25519MLKEM768   yes
x.com               1.3   X25519MLKEM768   yes
wikipedia.org       1.3   X25519MLKEM768   yes
stackoverflow.com   1.3   X25519MLKEM768   yes
rust-lang.org       1.3   X25519MLKEM768   yes
crates.io           1.3   X25519MLKEM768   yes
docs.rs             1.3   X25519MLKEM768   yes

how it works

three columns, no wireshark.

tcp connect, drive a tls handshake

uses rustls 0.23 with the prefer-post-quantum feature flag and the aws-lc-rs crypto provider, which exposes X25519MLKEM768 in its set of supported kx groups. the client offers it; the server picks.

read the negotiated group out

after handshake completes, ClientConnection::negotiated_key_exchange_group() tells us what was actually used. that's the column you care about.

three columns, one row per host

tls protocol version, named group of the kex, and a bool for whether the kex is a hybrid pq group. --json emits one object per line for dashboards. --curated scans the built-in list of well-known hosts instead of taking hosts on the command line.
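the wire-level version of "the client offers it; the server picks", as an added example (not pqfetch's own code, which gets this from rustls): the ClientHello lists NamedGroup codepoints in its supported_groups extension, and the ServerHello's key_share names the one group the server chose, which is the kx column above. the ServerHello bytes are constructed inline, with a zero-filled share standing in for real key material.

```rust
// NamedGroup codepoints (IANA TLS registry) for groups in the scan above.
pub const X25519: u16 = 0x001d;
pub const X25519MLKEM768: u16 = 0x11ec;
const EXT_KEY_SHARE: u16 = 0x0033;

/// ClientHello side: build a supported_groups (type 0x000a) extension.
/// Order is preference order, so prefer-post-quantum puts X25519MLKEM768 first.
pub fn supported_groups_ext(groups: &[u16]) -> Vec<u8> {
    let list_len = (groups.len() * 2) as u16;
    let mut out = 0x000au16.to_be_bytes().to_vec();
    out.extend_from_slice(&(list_len + 2).to_be_bytes()); // extension_data length
    out.extend_from_slice(&list_len.to_be_bytes()); // NamedGroupList length
    groups.iter().for_each(|g| out.extend_from_slice(&g.to_be_bytes()));
    out
}

/// ServerHello side: walk the extensions block (after its 2-byte length prefix) and return the single group chosen in key_share.
pub fn negotiated_group(exts: &[u8]) -> Option<u16> {
    let mut i = 0;
    while i + 4 <= exts.len() {
        let typ = u16::from_be_bytes([exts[i], exts[i + 1]]);
        let len = u16::from_be_bytes([exts[i + 2], exts[i + 3]]) as usize;
        let data = exts.get(i + 4..i + 4 + len)?; // truncated block -> None
        if typ == EXT_KEY_SHARE && data.len() >= 2 {
            return Some(u16::from_be_bytes([data[0], data[1]]));
        }
        i += 4 + len;
    }
    None
}

/// The "pq?" column: true only when the chosen group is an ML-KEM hybrid.
pub fn is_hybrid_pq(group: u16) -> bool {
    group == X25519MLKEM768
}

/// Constructed ServerHello extensions: supported_versions = TLS 1.3, then a key_share choosing X25519MLKEM768.
/// The share is zero-filled here; a real one is 1088 bytes of ML-KEM-768 ciphertext followed by the 32-byte X25519 point.
pub fn sample_server_hello_exts() -> Vec<u8> {
    let share = vec![0u8; 1088 + 32];
    let mut out = vec![0x00, 0x2b, 0x00, 0x02, 0x03, 0x04];
    out.extend_from_slice(&EXT_KEY_SHARE.to_be_bytes());
    out.extend_from_slice(&((share.len() + 4) as u16).to_be_bytes());
    out.extend_from_slice(&X25519MLKEM768.to_be_bytes());
    out.extend_from_slice(&(share.len() as u16).to_be_bytes());
    out.extend_from_slice(&share);
    out
}
```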

what it does not tell you

not whether the server's certificate uses post-quantum signatures (separate transition; ML-DSA isn't deployed yet). not whether the application protocol on top of TLS is post-quantum (it never is by definition). just the kex.

why now

harvest now, decrypt later.

most TLS traffic that crosses the internet today is keyed via X25519. X25519 is broken by a sufficiently large quantum computer. if a state-level adversary captures and stores ciphertext now, and ten years from now they have a cryptographically relevant quantum computer (CRQC), that ten-year-old ciphertext becomes readable. that's the harvest-now-decrypt-later threat, and it's why the standards bodies pushed hybrid PQ TLS out years before any actual quantum computer was a credible attacker.

so the question isn't "will my TLS be quantum-safe in 2035." the question is "is my TLS quantum-safe today, because anything not protected today is in someone's archive." pqfetch is the dumbest possible tool that answers it for any server you point it at.

install

one binary, three columns.

$ cargo install pqfetch
$ pqfetch --curated

precompiled binaries for macOS arm/x64, Linux arm/x64 and Windows ship via GitHub releases.