Testing and Verification Guide

This guide provides comprehensive testing procedures to verify your PQC SSL deployment is working correctly.

Table of Contents

1. Pre-Deployment Checks 2. Service Verification 3. Port Connectivity Tests 4. SSL/TLS Certificate Tests 5. Browser Testing 6. Performance Testing 7. Security Validation

---

Pre-Deployment Checks

Before going live, verify all prerequisites are met.

DNS Configuration

# Verify DNS resolution for both domains
dig example.com +short
dig pqc.example.com +short

# Should both resolve to your server's IP address

# Alternative using nslookup
nslookup example.com
nslookup pqc.example.com

Certificate Files

# Verify traditional SSL certificate
openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -text -noout

# Verify PQC certificate
openssl x509 -in /opt/pqc/certificates/pqc.example.com.crt -text -noout

# Check certificate expiration dates
openssl x509 -in /opt/pqc/certificates/pqc.example.com.crt -noout -enddate

File Permissions

# Private keys should be 600 (readable only by owner)
ls -l /opt/pqc/certificates/*.key
ls -l /etc/letsencrypt/live/example.com/privkey.pem

# Certificates should be 644 (readable by all)
ls -l /opt/pqc/certificates/*.crt

---

Service Verification

Check All Services Status

# HAProxy
systemctl status haproxy
systemctl is-active haproxy

# Nginx (or Apache)
systemctl status nginx
systemctl is-active nginx

# PQC Demo Server
systemctl status pqc-demo
systemctl is-active pqc-demo

Expected Output

All services should show:

• Active: active (running)
• Enabled: enabled (start on boot)

Check Service Logs

# HAProxy logs
journalctl -u haproxy -n 50 --no-pager

# Nginx logs
journalctl -u nginx -n 50 --no-pager
tail -f /var/log/nginx/error.log

# PQC server logs
journalctl -u pqc-demo -n 50 --no-pager

---

Port Connectivity Tests

Check Listening Ports

# All required ports should be listening
ss -tlnp | grep -E ':(80|443|8080|9443)'

# Alternative using netstat
netstat -tlnp | grep -E ':(80|443|8080|9443)'

Expected Output

*:80        LISTEN   - Nginx/Apache (HTTP redirect)
*:443       LISTEN   - HAProxy (SNI router)
127.0.0.1:8080   LISTEN   - Nginx/Apache (traditional SSL)
127.0.0.1:9443   LISTEN   - BoringSSL (PQC SSL)

Test Port Connectivity

# Test from localhost
nc -zv localhost 80
nc -zv localhost 443
nc -zv localhost 8080
nc -zv localhost 9443

# Test from external IP (if different)
nc -zv YOUR_SERVER_IP 80
nc -zv YOUR_SERVER_IP 443

---

SSL/TLS Certificate Tests

Test Traditional SSL Site (Main Domain)

# Test SSL handshake
openssl s_client -connect example.com:443 -servername example.com < /dev/null

# Check certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null

# Verify certificate matches domain
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -A1 "Subject:"

Test PQC Demo Site

# Test PQC SSL locally
openssl s_client -connect localhost:9443 -servername pqc.example.com < /dev/null

# Test through HAProxy (from external)
openssl s_client -connect pqc.example.com:443 -servername pqc.example.com < /dev/null

Verify Certificate Details

# Extract certificate information
echo | openssl s_client -connect pqc.example.com:443 -servername pqc.example.com 2>/dev/null | \
  openssl x509 -noout -text | grep -E "Subject:|Issuer:|Not Before:|Not After:"

Test HTTP to HTTPS Redirect

# Should return 301 redirect
curl -I http://example.com
curl -I http://pqc.example.com

# Follow redirects
curl -IL http://example.com
curl -IL http://pqc.example.com

---

Browser Testing

Traditional Site Testing

Test with any modern browser:

1. Chrome/Edge/Firefox/Safari - Visit https://example.com - Click the padlock icon - Verify certificate is valid - Check certificate issuer (e.g., Let's Encrypt)

2. Expected Results: - No certificate warnings - Green padlock or "Secure" indicator - Site loads normally

PQC Demo Site Testing

Test with Qromium browser (PQC-enabled):

1. Download Qromium - Get from https://pqcnow.com - Install on your device

2. Visit PQC Site - Open https://pqc.example.com in Qromium - Click security indicator - Verify certificate shows ML-DSA-65

3. Expected Results: - Valid PQC certificate - ML-DSA-65 signature algorithm visible - No security warnings

Test with Standard Browsers (Chrome, Firefox):

1. Visit https://pqc.example.com 2. Expected: Certificate error (normal - browsers don't support PQC yet) 3. This confirms PQC certificates are properly installed

Certificate Inspection

In Qromium browser: 1. Click padlock/security indicator 2. Click "Certificate" or "Connection is secure" 3. Verify: - Subject: Your domain - Issuer: PQCNow CA - Signature Algorithm: ML-DSA-65 - Valid From/To: Check dates

---

Performance Testing

Response Time Test

# Test traditional site response time
time curl -I https://example.com

# Test PQC site response time  
time curl -k -I https://pqc.example.com

# Multiple requests
for i in {1..10}; do
  time curl -s -o /dev/null -w "%{time_total}\n" https://example.com
done

Load Testing with Apache Bench

# Install Apache Bench
apt install apache2-utils -y

# Test traditional site
ab -n 1000 -c 10 https://example.com/

# Test PQC site (if accessible via curl -k)
ab -n 1000 -c 10 -k https://pqc.example.com/

HAProxy Statistics

If you enabled HAProxy stats (port 8404):

# View stats via curl
curl http://localhost:8404/stats

# Or open in browser
# http://your-server-ip:8404/stats

---

Security Validation

SSL/TLS Security Scan

Using SSL Labs (for traditional site only):

1. Visit https://www.ssllabs.com/ssltest/ 2. Enter example.com 3. Wait for scan to complete 4. Target Grade: A or A+

Security Headers Check

# Check security headers on traditional site
curl -I https://example.com | grep -E "Strict-Transport|X-Frame|X-Content|X-XSS"

# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# X-Frame-Options: SAMEORIGIN
# X-Content-Type-Options: nosniff
# X-XSS-Protection: 1; mode=block

Cipher Suite Testing

# Test supported cipher suites
nmap --script ssl-enum-ciphers -p 443 example.com

# Test TLS versions
openssl s_client -tls1_2 -connect example.com:443 < /dev/null
openssl s_client -tls1_3 -connect example.com:443 < /dev/null

---

Automated Testing Script

Create a comprehensive test script:

#!/bin/bash
# save as: test-pqc-deployment.sh

echo "=== PQC Deployment Test Suite ==="
echo ""

# Test 1: Service Status
echo "1. Checking service status..."
systemctl is-active --quiet haproxy && echo "✓ HAProxy running" || echo "✗ HAProxy not running"
systemctl is-active --quiet nginx && echo "✓ Nginx running" || echo "✗ Nginx not running"
systemctl is-active --quiet pqc-demo && echo "✓ PQC server running" || echo "✗ PQC server not running"
echo ""

# Test 2: Port Listening
echo "2. Checking listening ports..."
ss -tln | grep -q ":80 " && echo "✓ Port 80 listening" || echo "✗ Port 80 not listening"
ss -tln | grep -q ":443 " && echo "✓ Port 443 listening" || echo "✗ Port 443 not listening"
ss -tln | grep -q ":8080 " && echo "✓ Port 8080 listening" || echo "✗ Port 8080 not listening"
ss -tln | grep -q ":9443 " && echo "✓ Port 9443 listening" || echo "✗ Port 9443 not listening"
echo ""

# Test 3: HTTP to HTTPS Redirect
echo "3. Testing HTTP to HTTPS redirect..."
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://example.com)
[ "$HTTP_CODE" = "301" ] && echo "✓ HTTP redirect working" || echo "✗ HTTP redirect failed (code: $HTTP_CODE)"
echo ""

# Test 4: Traditional SSL
echo "4. Testing traditional SSL..."
curl -s -I https://example.com | grep -q "HTTP/2 200" && \
  echo "✓ Traditional SSL site accessible" || \
  echo "✗ Traditional SSL site not accessible"
echo ""

# Test 5: PQC Server
echo "5. Testing PQC server..."
curl -k -s -I https://localhost:9443 | grep -q "HTTP" && \
  echo "✓ PQC server responding" || \
  echo "✗ PQC server not responding"
echo ""

echo "=== Test Complete ==="

Run the script:

chmod +x test-pqc-deployment.sh
./test-pqc-deployment.sh

---

Continuous Monitoring

Set Up Health Checks

# Create a monitoring script
cat > /usr/local/bin/check-pqc-health.sh << 'EOF'
#!/bin/bash
# Health check for PQC deployment

# Check if PQC server is responding
if ! curl -k -s -f https://localhost:9443 > /dev/null; then
    echo "PQC server down, restarting..."
    systemctl restart pqc-demo
fi

# Check HAProxy
if ! systemctl is-active --quiet haproxy; then
    echo "HAProxy down, restarting..."
    systemctl restart haproxy
fi
EOF

chmod +x /usr/local/bin/check-pqc-health.sh

# Add to crontab (every 5 minutes)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/check-pqc-health.sh") | crontab -

---

Troubleshooting Failed Tests

If any tests fail, consult:

• Troubleshooting Guide for common issues
• Configuration Reference to verify settings
• Service logs: journalctl -u service-name -f

Test Checklist

Use this checklist before going live:

• [ ] All services running (HAProxy, Nginx/Apache, PQC server)
• [ ] All ports listening (80, 443, 8080, 9443)
• [ ] DNS resolves correctly for both domains
• [ ] HTTP redirects to HTTPS for both sites
• [ ] Traditional site works in all browsers
• [ ] PQC site works in Qromium browser
• [ ] Certificates valid and not expired
• [ ] Security headers present
• [ ] No errors in service logs
• [ ] SSL Labs grade A or A+ (traditional site)
• [ ] Performance acceptable (<500ms response time)

Support

If you encounter issues during testing:

• Technical Support: support@pqcnow.com
• Documentation: https://pqcnow.com/docs/