You have probably seen the term "post-quantum cryptography" enough times to glaze over it. The headlines tend to focus on a vague future event: a quantum computer somewhere will eventually break RSA, and at that point you should have moved on. That framing makes it easy to file PQC under "worry about it in 2030." The framing is wrong.
The actual threat is happening now, and it has a name: harvest now, decrypt later. An attacker does not need a quantum computer today to hurt you. They only need to capture your encrypted traffic today and keep it on a hard drive. The decryption can wait. Storage is cheap, and the attacker is patient.
That is the part this post is about — what "harvest now, decrypt later" (HNDL) actually means for the kind of data NXLog Agent moves around your network, and what we have done to make sure NXLog Agent’s TLS stack is ready for the new NIST post-quantum standards. The second half of the post is a working test that proves it: a quantum-safe certificate chain, an mTLS connection between two agent instances, and a handshake verified with OpenSSL.
What "harvest now, decrypt later" actually means
The mechanics are straightforward. An adversary sits on a network — a hostile ISP, a compromised cloud tenant, a tapped fiber run — and records encrypted traffic as it passes. They cannot read it. Today’s TLS is not breakable with classical computers. So they do not try. They archive the ciphertext and wait.
At some point in the next decade, a cryptographically relevant quantum computer will exist. Most credible forecasts place this between 2030 and 2035; the U.S. NSA, CISA, and NIST treat it as inevitable enough to mandate migration timelines. On that day, every RSA, ECDH, and ECDSA-protected message ever recorded becomes readable. The conversation that mattered most is now the one the attacker has had on their shelf the longest.
And that is the optimistic version. The "Q-Day is comfortably twenty years away" forecast is starting to look about as durable as Bill Gates' supposed claim that 640 KB of RAM would be enough for anyone. Every twelve months brings a new milestone — qubit counts climbing, error correction improving, vendors hitting roadmap targets earlier than they themselves expected. The honest answer is that nobody knows. The unhonest answer is to assume you have until 2035. If the data on your network needs to stay confidential past 2030, the time to act on that is now, regardless of when Q-Day actually lands. And AI can accelerate everything.
Why this is an enterprise problem, not a consumer one
Most consumer data ages out fast. The exact balance on your checking account last Tuesday is uninteresting in 2040, and the credentials that protected it will have rotated dozens of times. The economics of HNDL do not work against that kind of data.
Enterprise data is the opposite. Consider what crosses your internal networks every day and ask how long it will still be sensitive:
-
Patents and trade secrets that take twenty years to expire.
-
Source code and engineering designs for products that ship for a decade.
-
M&A deal documents, board minutes, and strategy decks whose contents shape competitive position long after they were written.
-
Medical records and genomic data that identify a person for their lifetime.
-
Classified communications subject to multi-decade declassification rules.
-
Critical infrastructure operations data — network diagrams, OT configs, control system traffic — that an adversary can use against you whenever they finally read it.
-
Telemetry data indentifying authors, stakeholders or other parties involved in classified meetings or decisions through internal systems.
All of this travels over TLS today. All of it is a candidate for harvesting today. None of it can wait until 2034 to start being protected with quantum-resistant cryptography, because the data that needs to stay secret until 2034 needs quantum-resistant protection now. To put this in perspective: how much data from the Second World War and Cold War eras is still classified decades after it was collected, archived, and supposedly relevant?
The standards have landed
In August 2024, NIST published the first three finalized post-quantum standards. Two of them are what concern us here:
-
FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber): The quantum-safe replacement for ECDH and Diffie-Hellman key exchange.
-
FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium): The quantum-safe replacement for RSA and ECDSA signatures, including the signatures inside X.509 certificates.
A third standard, FIPS 205 (SLH-DSA), provides a conservative hash-based signature alternative. ML-DSA comes in three parameter sets that map to NIST security levels:
-
ML-DSA-44: Security level 2, roughly equivalent to AES-128.
-
ML-DSA-65: Security level 3, roughly equivalent to AES-192.
-
ML-DSA-87: Security level 5, roughly equivalent to AES-256.
The pieces to put these standards into TLS 1.3 in production are now in place. Major cloud providers have started. Cloudflare and AWS run PQC-enabled services in production today. Google is piloting hybrid TLS configurations. Microsoft has work underway in Azure, but Windows itself — the Schannel TLS stack in Windows 11 and Windows Server 2022 — does not yet support PQC natively, which means on Windows the practical path runs through OpenSSL.
That is the path NXLog Agent already supports. OpenSSL 3.5 added native ML-KEM, ML-DSA, and SLH-DSA, including the TLS 1.3 hybrid key exchange group X25519MLKEM768. NXLog Agent’s TLS modules — im_ssl and om_ssl — use OpenSSL underneath. On a host with OpenSSL 3.5 or later, NXLog Agent can negotiate post-quantum TLS today. The rest of this post shows that.
The testbed
The setup is a single RHEL 9 host running NXLog Agent 6.13 (the generic build) against OpenSSL 3.5.1. Both endpoints — sender and receiver — live on the same agent instance so the handshake is reproducible.
The agent config drives synthetic events from im_testgen through om_ssl over TLS 1.3, with im_ssl listening on the receiving side and routing to om_null.
Both sides require mutual TLS:
<Input in1>
Module im_testgen
MaxCount 10
Exec sleep(1000);
</Input>
<Output out1>
Module om_ssl
Host 127.0.0.1:514
LocalPort 55555
CAFile /opt/nxlog/var/lib/nxlog/cert/ca.crt
CertFile /opt/nxlog/var/lib/nxlog/cert/client.crt
CertKeyFile /opt/nxlog/var/lib/nxlog/cert/client.key
SSLProtocol TLSv1.3
SSLCiphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
</Output>
<Input in2>
Module im_ssl
ListenAddr 0.0.0.0:514
CAFile /opt/nxlog/var/lib/nxlog/cert/ca.crt
CertFile /opt/nxlog/var/lib/nxlog/cert/server.crt
CertKeyFile /opt/nxlog/var/lib/nxlog/cert/server.key
AllowUntrusted FALSE
SSLProtocol TLSv1.3
SSLCiphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
TLSCertLog TRUE
TLSConnectLog TRUE
</Input>
<Output out2>
Module om_null
</Output>Nothing in the agent config above mentions PQC explicitly. That is the point. NXLog Agent does not need to know that the certificates it loads use a post-quantum signature algorithm, or that the key exchange group is hybrid. OpenSSL handles both, and NXLog Agent inherits the capability.
A quantum-safe certificate chain
The interesting work happens before NXLog Agent starts: generating a CA and two leaf certificates whose keys and signatures are ML-DSA, not RSA or ECDSA.
With OpenSSL 3.5, this is a one-flag change — -algorithm ML-DSA-65 replaces -algorithm RSA or -algorithm EC.
The CA key:
openssl genpkey -algorithm ML-DSA-65 -out ca/ca.key
openssl req \
-new -x509 \
-config openssl-pqc.cnf \
-extensions v3_ca \
-subj "/C=ES/ST=Valencia/L=Valencia/O=MyDomain Labs/CN=mydomain.com" \
-key ca/ca.key \
-days 3650 \
-out ca/ca.crtThe server and client certificates are signed by this CA using the same algorithm.
Each openssl req generates an ML-DSA-65 key; each openssl ca issues a certificate signed with ML-DSA-65.
The full sequence — including the openssl-pqc.cnf that ties everything together — is in the test report.
What matters here is what comes out the other side:
The certificate looks like any other X.509 certificate to anything that does not care about the algorithm details.
It has a Subject, an Issuer, a SAN, and an Extended Key Usage.
The difference is in two places: Public Key Algorithm: ML-DSA-65, and the signature on the certificate is itself ML-DSA-65.
With these dropped into the agent’s certificate directory:
Agent-to-agent over post-quantum mTLS
Restart the agent instance, and the two TLS endpoints inside it handshake successfully on the first attempt:
2026-05-15 03:33:51 INFO [CORE|main] nxlog-6.13.10718 started on Linux
2026-05-15 03:33:51 INFO [im_ssl|in2] listening on 0.0.0.0:514
2026-05-15 03:33:51 INFO [om_ssl|out1] connecting to 127.0.0.1:514
2026-05-15 03:33:51 INFO [im_ssl|in2] connection accepted from 127.0.0.1:55555
2026-05-15 03:33:51 INFO [om_ssl|out1] tcp connection established with 127.0.0.1:514
2026-05-15 03:33:51 INFO [im_ssl|in2] SSL handshake successful;
RemoteIP: 127.0.0.1; Cipher: TLS_AES_256_GCM_SHA384; Protocol: TLSv1.3The handshake completes over TLS 1.3 with the expected AES-256-GCM-SHA384 cipher.
The agent’s own log does not surface which signature algorithm or which key-exchange group was negotiated — those are TLS-layer details that im_ssl does not currently expose.
To confirm the post-quantum primitives actually got used, we run the same handshake one more time with openssl s_client as the client.
Proving the algorithms with OpenSSL s_client
OpenSSL’s test client lets us request specific signature algorithms and key-exchange groups, and reports exactly what was negotiated. The flags that matter:
openssl s_client -connect 127.0.0.1:514 \
-CAfile /opt/nxlog/var/lib/nxlog/cert/ca.crt \
-cert /opt/nxlog/var/lib/nxlog/cert/client.crt \
-key /opt/nxlog/var/lib/nxlog/cert/client.key \
-sigalgs "mldsa65:ECDSA+SHA256" \
-groups "X25519MLKEM768:x25519:P-256" \
-tls1_3The -sigalgs list offers ML-DSA-65 first, with ECDSA as a fallback.
The -groups list offers the hybrid X25519MLKEM768 group first, with classical curves as fallbacks.
If the agent did not support PQC, the connection would still succeed using the fallbacks — which is exactly the kind of silent regression you want a test to catch.
It does not fall back. The agent picks the post-quantum options on both ends:
Three lines from that output are the whole result:
-
Peer signature type: mldsa65: The certificate chain is verified using FIPS 204 ML-DSA-65 signatures. -
Negotiated TLS1.3 group: X25519MLKEM768: The session keys came from a hybrid handshake that combines classical X25519 with FIPS 203 ML-KEM-768. An attacker has to break both to recover the session key. -
Verify return code: 0 (ok): The full chain validates end-to-end.
And the underlying record protection remains the TLS 1.3 standard cipher, AES-256-GCM-SHA384, which is already considered quantum-resistant for the bulk-data phase. The post-quantum work is concentrated where it matters: the authentication that proves the peers are who they say they are, and the key exchange that establishes the shared secret.
Where this leaves NXLog Agent today: PQC-ready out of the box
The result is that any agent instance running on a host with OpenSSL 3.5 or later is PQC-ready today — it can already transport its data over a post-quantum mTLS channel, end to end, using NIST-standardized algorithms, without changes to NXLog Agent itself. On Linux this is available now. On Windows and MacOS, it depends on the Schannel roadmap, but agents that link against OpenSSL get there immediately.
A few honest caveats:
- Handshake size grows
-
Post-quantum certificates and signatures are larger than their classical counterparts. The
s_clientoutput reports about 16 KB read and 15 KB written for the handshake. For long-lived connections that ship millions of events afterward, this is rounding error. For short connections it is something to measure. - Algorithm visibility is still emerging
-
The agent’s
im_ssllog line reports the cipher and protocol but not the signature algorithm or KEM group. For now the way to confirm PQC was actually used is at the OpenSSL layer or via packet capture. We are looking at exposing this directly in NXLog Agent logs. - Hybrid is the right choice for now
-
X25519MLKEM768 combines a classical and a post-quantum key exchange so the channel stays secure if either one turns out to have a problem. Most production deployments should run hybrid until the post-quantum primitives have more years of attack on them.
Why move now
Q-Day is a future event, and the exact date is genuinely uncertain. What is not uncertain is the asymmetry: the cost of moving your traffic to post-quantum TLS in 2026 is a configuration change. The cost of moving it in 2034 is the same change, plus eight years of data you sent in the clear from the attacker’s perspective.
If the data NXLog Agent moves for you matters in 2040, it needs PQC in 2026. NXLog Agent supports it today. The standards are final. The OpenSSL implementation is shipping. The only remaining step is to issue the certificates and turn it on.
Find full TLS configuration details in Transfer data over the network with TLS/SSL. If you want help planning the post-quantum readiness path for your existing NXLog deployment — auditing where classical TLS is still in use, sizing the impact of PQC-ready certificates, or working out a phased rollout — reach out to us through the links below.
