Testing and Verification Guide
This guide provides comprehensive testing procedures to verify your PQC SSL deployment is working correctly.
Table of Contents
1. Pre-Deployment Checks
2. Service Verification
3. Port Connectivity Tests
4. SSL/TLS Certificate Tests
5. Browser Testing
6. Performance Testing
7. Security Validation
---
Pre-Deployment Checks
Before going live, verify all prerequisites are met.
DNS Configuration
```bash
# Verify DNS resolution for both domains
dig example.com +short
dig pqc.example.com +short
# Should both resolve to your server's IP address

# Alternative using nslookup
nslookup example.com
nslookup pqc.example.com
```
Certificate Files
```bash
# Verify traditional SSL certificate
openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -text -noout

# Verify PQC certificate
openssl x509 -in /opt/pqc/certificates/pqc.example.com.crt -text -noout

# Check certificate expiration dates
openssl x509 -in /opt/pqc/certificates/pqc.example.com.crt -noout -enddate
```
File Permissions
```bash
# Private keys should be 600 (readable only by owner)
ls -l /opt/pqc/certificates/*.key
ls -l /etc/letsencrypt/live/example.com/privkey.pem

# Certificates should be 644 (readable by all)
ls -l /opt/pqc/certificates/*.crt
```
---
Service Verification
Check All Services Status
```bash
# HAProxy
systemctl status haproxy
systemctl is-active haproxy

# Nginx (or Apache)
systemctl status nginx
systemctl is-active nginx

# PQC Demo Server
systemctl status pqc-demo
systemctl is-active pqc-demo
```
Expected Output
All services should show:
- Active: active (running)
- Enabled: enabled (start on boot)
Check Service Logs
```bash
# HAProxy logs
journalctl -u haproxy -n 50 --no-pager

# Nginx logs
journalctl -u nginx -n 50 --no-pager
tail -f /var/log/nginx/error.log

# PQC server logs
journalctl -u pqc-demo -n 50 --no-pager
```
---
Port Connectivity Tests
Check Listening Ports
```bash
# All required ports should be listening
ss -tlnp | grep -E ':(80|443|8080|9443)'

# Alternative using netstat
netstat -tlnp | grep -E ':(80|443|8080|9443)'
```
Expected Output
```
*:80 LISTEN - Nginx/Apache (HTTP redirect)
*:443 LISTEN - HAProxy (SNI router)
127.0.0.1:8080 LISTEN - Nginx/Apache (traditional SSL)
127.0.0.1:9443 LISTEN - BoringSSL (PQC SSL)
```
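The expected output above binds the two backends (8080 and 9443) to 127.0.0.1 only, which a grep for the port number alone does not verify. The following added example (not part of the original guide) audits bind addresses from `ss -tln` output; the `PORT:SCOPE` argument convention and the sample output are constructed for illustration.

```bash
# Added example, not from the original guide. Reads `ss -tln` output on stdin.
# Arguments are PORT:SCOPE pairs (a convention assumed for this example):
#   public = any bind address is fine, local = must be bound to loopback only.
check_listeners() {
    awk -v spec="$*" '
    BEGIN {
        n = split(spec, items, " ")
        for (i = 1; i <= n; i++) { split(items[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)              # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        if (!(port in want)) next                     # exact match: 8080 is not 80
        seen[port] = 1
        if (want[port] == "local" && host !~ /^127\./ && host != "[::1]") {
            printf "FAIL port %s bound to %s, expected loopback only\n", port, host
            bad = 1
        }
    }
    END {
        for (p in want) if (!(p in seen)) { printf "FAIL port %s not listening\n", p; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the PQC backend is bound to all interfaces by mistake.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*
LISTEN 0      511        127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128          0.0.0.0:9443      0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | check_listeners 80:public 443:public 8080:local 9443:local \
    || echo "listener audit failed"

# On the server itself:
#   ss -tln | check_listeners 80:public 443:public 8080:local 9443:local
```

A backend reachable on a public address bypasses HAProxy's SNI routing, so a non-zero exit here is worth treating as a failed deployment check.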
Test Port Connectivity
```bash
# Test from localhost
nc -zv localhost 80
nc -zv localhost 443
nc -zv localhost 8080
nc -zv localhost 9443

# Test from external IP (if different)
nc -zv YOUR_SERVER_IP 80
nc -zv YOUR_SERVER_IP 443
```
---
SSL/TLS Certificate Tests
Test Traditional SSL Site (Main Domain)
```bash
# Test SSL handshake
openssl s_client -connect example.com:443 -servername example.com < /dev/null

# Check certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null

# Verify certificate matches domain
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A1 "Subject:"
```
Test PQC Demo Site
```bash
# Test PQC SSL locally
openssl s_client -connect localhost:9443 -servername pqc.example.com < /dev/null

# Test through HAProxy (from external)
openssl s_client -connect pqc.example.com:443 -servername pqc.example.com < /dev/null
```
Verify Certificate Details
```bash
# Extract certificate information
# (OpenSSL prints the end date as "Not After :", with a space before the colon)
echo | openssl s_client -connect pqc.example.com:443 -servername pqc.example.com 2>/dev/null | \
  openssl x509 -noout -text | grep -E "Subject:|Issuer:|Not Before:|Not After ?:"
```
Test HTTP to HTTPS Redirect
```bash
# Should return 301 redirect
curl -I http://example.com
curl -I http://pqc.example.com

# Follow redirects
curl -IL http://example.com
curl -IL http://pqc.example.com
```
---
Browser Testing
Traditional Site Testing
Test with any modern browser:
1. Chrome/Edge/Firefox/Safari
   - Visit `https://example.com`
   - Click the padlock icon
   - Verify certificate is valid
   - Check certificate issuer (e.g., Let's Encrypt)
2. Expected Results:
   - No certificate warnings
   - Green padlock or "Secure" indicator
   - Site loads normally
PQC Demo Site Testing
Test with Qromium browser (PQC-enabled):
1. Download Qromium
   - Get from https://pqcnow.com
   - Install on your device
2. Visit PQC Site
   - Open `https://pqc.example.com` in Qromium
   - Click security indicator
   - Verify certificate shows ML-DSA-65
3. Expected Results:
   - Valid PQC certificate
   - ML-DSA-65 signature algorithm visible
   - No security warnings
Test with Standard Browsers (Chrome, Firefox):
1. Visit `https://pqc.example.com`
2. Expected: Certificate error (normal - browsers don't support PQC yet)
3. This confirms PQC certificates are properly installed
Certificate Inspection
In Qromium browser:
1. Click padlock/security indicator
2. Click "Certificate" or "Connection is secure"
3. Verify:
   - Subject: Your domain
   - Issuer: PQCNow CA
   - Signature Algorithm: ML-DSA-65
   - Valid From/To: Check dates
---
Performance Testing
Response Time Test
```bash
# Test traditional site response time
time curl -I https://example.com

# Test PQC site response time
time curl -k -I https://pqc.example.com

# Multiple requests
for i in {1..10}; do
  time curl -s -o /dev/null -w "%{time_total}\n" https://example.com
done
```
Load Testing with Apache Bench
```bash
# Install Apache Bench
apt install apache2-utils -y

# Test traditional site
ab -n 1000 -c 10 https://example.com/

# Test PQC site (if accessible via curl -k)
# Note: for ab, -k enables HTTP keep-alive; it is not the same option as curl -k
ab -n 1000 -c 10 -k https://pqc.example.com/
```
HAProxy Statistics
If you enabled HAProxy stats (port 8404):
```bash
# View stats via curl
curl http://localhost:8404/stats

# Or open in browser
# http://your-server-ip:8404/stats
```
---
Security Validation
SSL/TLS Security Scan
Using SSL Labs (for traditional site only):
1. Visit https://www.ssllabs.com/ssltest/
2. Enter `example.com`
3. Wait for scan to complete
4. Target Grade: A or A+
Security Headers Check
```bash
# Check security headers on traditional site
# (-i: header names arrive in lowercase over HTTP/2)
curl -sI https://example.com | grep -iE "Strict-Transport|X-Frame|X-Content|X-XSS"

# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# X-Frame-Options: SAMEORIGIN
# X-Content-Type-Options: nosniff
# X-XSS-Protection: 1; mode=block
```
Cipher Suite Testing
```bash
# Test supported cipher suites
nmap --script ssl-enum-ciphers -p 443 example.com

# Test TLS versions
openssl s_client -tls1_2 -connect example.com:443 < /dev/null
openssl s_client -tls1_3 -connect example.com:443 < /dev/null
```
---
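The Security Headers Check in this section lists four expected headers but leaves the comparison to the eye. The following added example (not part of the original guide) compares a response against those four values and reports anything missing or different; the function name and the sample response are constructed for illustration.

```bash
# Added example, not from the original guide. Reads response headers on stdin
# (e.g. from `curl -sI`) and compares them with the values this guide expects.
check_security_headers() {
    tr -d '\r' | awk '
    BEGIN {
        # Names and values are compared in lowercase (HTTP/2 sends lowercase names).
        want["strict-transport-security"] = "max-age=31536000; includesubdomains"
        want["x-frame-options"]           = "sameorigin"
        want["x-content-type-options"]    = "nosniff"
        want["x-xss-protection"]          = "1; mode=block"
    }
    {
        i = index($0, ":")
        if (i == 0) next                        # status line or blank line
        name  = tolower(substr($0, 1, i - 1))
        value = tolower(substr($0, i + 1))
        sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
        if (name in want) got[name] = value
    }
    END {
        for (h in want) {
            if (!(h in got))            { printf "MISSING  %s\n", h; bad = 1 }
            else if (got[h] != want[h]) { printf "MISMATCH %s: %s\n", h, got[h]; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample response (HTTP/2, CRLF line endings) without X-Frame-Options.
SAMPLE_HEADERS=$(printf '%s\r\n' \
    'HTTP/2 200' \
    'server: nginx' \
    'strict-transport-security: max-age=31536000; includeSubDomains' \
    'x-content-type-options: nosniff' \
    'x-xss-protection: 1; mode=block')

printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers \
    || echo "security header check failed"

# Against the live site:
#   curl -sI https://example.com | check_security_headers
```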
Automated Testing Script
Create a comprehensive test script:
```bash
#!/bin/bash
# save as: test-pqc-deployment.sh

echo "=== PQC Deployment Test Suite ==="
echo ""

# Test 1: Service Status
echo "1. Checking service status..."
systemctl is-active --quiet haproxy && echo "✓ HAProxy running" || echo "✗ HAProxy not running"
systemctl is-active --quiet nginx && echo "✓ Nginx running" || echo "✗ Nginx not running"
systemctl is-active --quiet pqc-demo && echo "✓ PQC server running" || echo "✗ PQC server not running"
echo ""

# Test 2: Port Listening
echo "2. Checking listening ports..."
ss -tln | grep -q ":80 " && echo "✓ Port 80 listening" || echo "✗ Port 80 not listening"
ss -tln | grep -q ":443 " && echo "✓ Port 443 listening" || echo "✗ Port 443 not listening"
ss -tln | grep -q ":8080 " && echo "✓ Port 8080 listening" || echo "✗ Port 8080 not listening"
ss -tln | grep -q ":9443 " && echo "✓ Port 9443 listening" || echo "✗ Port 9443 not listening"
echo ""

# Test 3: HTTP to HTTPS Redirect
echo "3. Testing HTTP to HTTPS redirect..."
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://example.com)
[ "$HTTP_CODE" = "301" ] && echo "✓ HTTP redirect working" || echo "✗ HTTP redirect failed (code: $HTTP_CODE)"
echo ""

# Test 4: Traditional SSL
echo "4. Testing traditional SSL..."
curl -s -I https://example.com | grep -q "HTTP/2 200" && \
  echo "✓ Traditional SSL site accessible" || \
  echo "✗ Traditional SSL site not accessible"
echo ""

# Test 5: PQC Server
echo "5. Testing PQC server..."
curl -k -s -I https://localhost:9443 | grep -q "HTTP" && \
  echo "✓ PQC server responding" || \
  echo "✗ PQC server not responding"
echo ""

echo "=== Test Complete ==="
```
Run the script:
```bash
chmod +x test-pqc-deployment.sh
./test-pqc-deployment.sh
```
---
Continuous Monitoring
Set Up Health Checks
```bash
# Create a monitoring script
cat > /usr/local/bin/check-pqc-health.sh << 'EOF'
#!/bin/bash
# Health check for PQC deployment

# Check if PQC server is responding
if ! curl -k -s -f https://localhost:9443 > /dev/null; then
    echo "PQC server down, restarting..."
    systemctl restart pqc-demo
fi

# Check HAProxy
if ! systemctl is-active --quiet haproxy; then
    echo "HAProxy down, restarting..."
    systemctl restart haproxy
fi
EOF

chmod +x /usr/local/bin/check-pqc-health.sh

# Add to crontab (every 5 minutes)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/check-pqc-health.sh") | crontab -
```
---
Troubleshooting Failed Tests
If any tests fail, consult:
- Troubleshooting Guide for common issues
- Configuration Reference to verify settings
- Service logs: `journalctl -u service-name -f`
Test Checklist
Use this checklist before going live:
- [ ] All services running (HAProxy, Nginx/Apache, PQC server)
- [ ] All ports listening (80, 443, 8080, 9443)
- [ ] DNS resolves correctly for both domains
- [ ] HTTP redirects to HTTPS for both sites
- [ ] Traditional site works in all browsers
- [ ] PQC site works in Qromium browser
- [ ] Certificates valid and not expired
- [ ] Security headers present
- [ ] No errors in service logs
- [ ] SSL Labs grade A or A+ (traditional site)
- [ ] Performance acceptable (<500ms response time)
Support
If you encounter issues during testing:
- Technical Support: support@pqcnow.com
- Documentation: https://pqcnow.com/docs/