Simulate Connections
Fire simulated TLS connections through Qveil to demonstrate policy enforcement in real time. Current policy: AUDIT
Simulates a client using X25519MLKEM768, the hybrid key exchange that pairs X25519 with NIST-standardized ML-KEM-768. This is the post-quantum TLS handshake that protects against harvest-now-decrypt-later attacks. Always allowed regardless of policy mode.
- Key exchange: X25519MLKEM768
- Classical component: X25519 (backward compat)
- PQC component: ML-KEM-768 (FIPS 203)
- Result: Allowed + logged
Simulates a legacy client using X25519 — classical elliptic curve key exchange, vulnerable to harvest-now-decrypt-later attacks. In enforce mode, this connection is blocked at the gateway. In audit mode, it's logged and flagged but allowed through.
- Key exchange: X25519 (classical)
- PQC: None — quantum-vulnerable
- Audit mode result: Allowed + flagged
- Enforce mode result: BLOCKED (403)
What's Happening
Qveil inspects the TLS key exchange group negotiated in the ClientHello. The nginx OQS (Open Quantum Safe) module reads $ssl_curve — if it's X25519MLKEM768, the connection is quantum-safe. Everything else is classical.
Every connection decision is written to a structured JSON audit log and can be streamed into Qledger for immutable, ML-DSA-65-signed compliance evidence. The backend service never sees the TLS layer — it just receives plain HTTP, completely unmodified.
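As an added example (not Qveil's own configuration), the nginx fragment below implements the audit/enforce decision described above directly from $ssl_curve: classify the negotiated group, emit one JSON audit record per request, and return 403 only when the mode is enforce and the group is classical. It assumes nginx 1.21.5 or later with a TLS library that negotiates X25519MLKEM768; the certificate paths and upstream are placeholders, and the 0x11ec alias is an assumption for builds that report the group by its IANA code point rather than by name.

```nginx
# Added example, not Qveil's own configuration: a minimal nginx policy
# modelled on the behaviour described above. Assumes nginx 1.21.5+ built
# against a TLS library that exposes $ssl_curve and negotiates
# X25519MLKEM768; paths and the upstream are placeholders.
http {
    # 1 = hybrid post-quantum group negotiated, 0 = anything classical.
    # Assumption: builds that report unassigned groups by code point show
    # 0x11ec (the IANA value for X25519MLKEM768) instead of the name.
    map $ssl_curve $pqc_ok {
        default        0;
        X25519MLKEM768 1;
        0x11ec         1;
    }

    # Only enforce mode combined with a classical group yields a block.
    map "$qveil_mode:$pqc_ok" $qveil_block {
        default     0;
        "enforce:0" 1;
    }

    # One structured JSON audit record per request.
    log_format qveil_audit escape=json
        '{"ts":"$time_iso8601","client":"$remote_addr",'
        '"tls":"$ssl_protocol","group":"$ssl_curve",'
        '"pqc_ok":$pqc_ok,"mode":"$qveil_mode","status":$status}';

    upstream backend { server 127.0.0.1:8080; }   # plain HTTP, never sees TLS

    server {
        listen 443 ssl;
        ssl_protocols TLSv1.3;
        # Policy switch: "audit" logs and flags, "enforce" blocks.
        set $qveil_mode audit;
        # Offer the hybrid group first; X25519 stays as the fallback that
        # audit mode flags and enforce mode rejects.
        ssl_ecdh_curve X25519MLKEM768:X25519;
        ssl_certificate     /etc/qveil/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/qveil/privkey.pem;     # placeholder
        access_log /var/log/nginx/qveil-audit.json qveil_audit;

        location / {
            # Enforce mode: refuse a handshake that did not reach the hybrid group.
            if ($qveil_block) { return 403; }
            proxy_pass http://backend;
        }
    }
}
```

Switching `set $qveil_mode audit;` to `enforce` changes the legacy-client outcome from "allowed, flagged in the log" to a 403, while the hybrid client is unaffected in both modes.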