fix: correct CNSA 2.0 attribution, OpenSSL min version, and timeout types (#4)

- DEFAULT_TIMEOUT: int → float (10.0) across constants.py, checker.py,
  tls_utils.py; remove spurious int() cast in assessor.py
- OPENSSL_MIN_VERSION: (3, 0) → (3, 5) — OpenSSL 3.0-3.4 have no native
  PQC hybrid group support; error message and verdict.py reason updated
- X25519MLKEM768 standard: "CNSA 2.0" → "BSI TR-02102-2" (X25519 is
  128-bit security, below CNSA 2.0's P-384 minimum)
- SecP256r1MLKEM768 standard: "CNSA 2.0" → "draft-ietf-tls-mlkem"
  (P-256 is 128-bit security, below CNSA 2.0 threshold)
- mlkem768x25519-sha256 SSH standard: add "BSI TR-02102-4" (2024)
- Add test_returns_false_when_version_34 to test_constants.py (246 tests)
- Bump version to 0.6.1

Author: t0kubetsu

CHANGELOG.md

@@ -11,6 +11,41 @@ Version numbers follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html
 
 ---
 
+## [0.6.1] — 2026-06-24
+
+### Fixed
+- `constants.py`: `DEFAULT_TIMEOUT` type corrected from `int` to `float` (`10.0`),
+  consistent with the platform-wide convention (`timeout` is always `float`).
+- `constants.py`: `OPENSSL_MIN_VERSION` raised from `(3, 0)` to `(3, 5)` — OpenSSL
+  3.0–3.4 have no native PQC hybrid group support; `X25519MLKEM768`,
+  `SecP256r1MLKEM768`, and `SecP384r1MLKEM1024` require OpenSSL ≥ 3.5.
+  Error message updated to reflect the new minimum and name the affected groups.
+- `constants.py` (`PQC_GROUPS`): `X25519MLKEM768` standard corrected from
+  `"CNSA 2.0"` to `"BSI TR-02102-2"` — X25519 is 128-bit security, below CNSA
+  2.0's P-384 minimum; BSI TR-02102-2 (2024) explicitly approves this hybrid.
+  `SecP256r1MLKEM768` standard corrected from `"CNSA 2.0"` to
+  `"draft-ietf-tls-mlkem"` — P-256 is 128-bit security, below the CNSA 2.0
+  threshold. Only `SecP384r1MLKEM1024` (P-384 + ML-KEM-1024) qualifies for
+  CNSA 2.0, unchanged.
+- `constants.py` (`SSH_PQC_GROUPS`): `mlkem768x25519-sha256` standard updated to
+  include `"BSI TR-02102-4"` — BSI TR-02102-4 (2024) explicitly recommends
+  this X25519+ML-KEM-768 hybrid for SSH.
+- `assessor.py`: removed spurious `int()` cast on `timeout` before passing to
+  `check_tls()` — callers may supply a fractional timeout and the cast was
+  silently truncating it.
+- `checker.py`, `tls_utils.py`: `timeout` parameter type annotation corrected
+  from `int` to `float` to match the call chain and platform convention.
+- `verdict.py`: failure reason for unrecognised key exchange updated from
+  "requires OpenSSL >= 3.0" to "requires OpenSSL >= 3.5".
+- `README.md`: "OpenSSL ≥ 3.0" requirement updated to "OpenSSL ≥ 3.5".
+
+### Added
+- `tests/test_constants.py`: new test `test_returns_false_when_version_34`
+  verifying that OpenSSL 3.4 (no native PQC group support) is correctly rejected
+  with an informative error message (246 tests total).
+
+---
+
 ## [0.6.0] — 2026-06-19
 
 ### Added
@@ -199,7 +234,8 @@ Version numbers follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html
 
 ---
 
-[Unreleased]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.6.0...HEAD
+[Unreleased]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.6.1...HEAD
+[0.6.1]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.5.2...v0.6.0
 [0.5.2]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.5.1...v0.5.2
 [0.5.1]: https://github.com/NC3-TestingPlatform/quantumvalidator/compare/v0.5.0...v0.5.1

README.md

@@ -12,7 +12,7 @@ $ quantumvalidator check cloudflare.com
 ```
 
 ![Python](https://img.shields.io/badge/python-%3E%3D3.11-blue)
-![Tests](https://img.shields.io/badge/tests-245%20passing-brightgreen)
+![Tests](https://img.shields.io/badge/tests-246%20passing-brightgreen)
 ![Coverage](https://img.shields.io/badge/coverage-100%25-brightgreen)
 ![License](https://img.shields.io/badge/license-GPLv3-lightgrey)
 
@@ -79,7 +79,7 @@ non-NIST-selected algorithm.
 ## Requirements
 
 - **Python** ≥ 3.11
-- **OpenSSL** ≥ 3.0 binary on PATH — required for PQC group negotiation
+- **OpenSSL** ≥ 3.5 binary on PATH — required for native PQC hybrid group negotiation
   - Debian/Ubuntu: `apt install openssl`
   - macOS: `brew install openssl`
 - `rich` ≥ 13.7 and `typer` ≥ 0.12 (installed automatically via pip)
@@ -297,7 +297,7 @@ pytest tests/test_tls_utils.py
 pytest tests/test_assessor.py::TestAssessHttps -v
 ```
 
-The test suite has **245 tests** and maintains **100% statement coverage**.
+The test suite has **246 tests** and maintains **100% statement coverage**.
 
 All network I/O (`openssl s_client` subprocess) is mocked at the `probe_tls` boundary —
 no test touches a real server or the internet.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "quantumvalidator"
-version = "0.6.0"
+version = "0.6.1"
 description = "Quantum-safe cryptography validator — TLS, STARTTLS, and SSH post-quantum readiness assessment"
 readme = "README.md"
 requires-python = ">=3.11"

quantumvalidator/__init__.py

@@ -5,7 +5,7 @@
 try:
     __version__ = version("quantumvalidator")
 except PackageNotFoundError:  # pragma: no cover
-    __version__ = "0.6.0"
+    __version__ = "0.6.1"
 
 import logging as _logging
 

quantumvalidator/assessor.py

@@ -54,7 +54,7 @@ def assess(
 
     logger.info("Starting assessment for %s:%d", target, effective_port)
 
-    result = check_tls(target, effective_port, timeout=int(timeout))
+    result = check_tls(target, effective_port, timeout=timeout)
 
     if not result.ok:
         checks: list[CheckResult] = [

quantumvalidator/checker.py

@@ -10,7 +10,7 @@
 from quantumvalidator.tls_utils import TLSProbeResult, probe_tls
 
 
-def check_tls(host: str, port: int, timeout: int = 10) -> TLSProbeResult:
+def check_tls(host: str, port: int, timeout: float = 10.0) -> TLSProbeResult:
     """Probe *host*:*port* for PQC key exchange support.
 
     The underlying probe auto-detects STARTTLS mode (smtp/imap/pop3/ftp/lmtp/

quantumvalidator/constants.py

@@ -29,13 +29,16 @@ class GroupInfo:
     "X25519MLKEM768": GroupInfo(
         name="X25519MLKEM768",
         iana_codepoint="0x11ec",
-        standard="CNSA 2.0, BSI TR-02102-2",
+        # X25519 is 128-bit security — below CNSA 2.0's P-384 minimum.
+        # BSI TR-02102-2 explicitly approves X25519+ML-KEM-768 hybrid.
+        standard="BSI TR-02102-2",
         safe=True,
     ),
     "SecP256r1MLKEM768": GroupInfo(
         name="SecP256r1MLKEM768",
         iana_codepoint="0x11eb",
-        standard="CNSA 2.0",
+        # P-256 is 128-bit security — below CNSA 2.0's P-384 minimum.
+        standard="draft-ietf-tls-mlkem",
         safe=True,
     ),
     "SecP384r1MLKEM1024": GroupInfo(
@@ -78,7 +81,8 @@ class GroupInfo:
     "mlkem768x25519-sha256": GroupInfo(
         name="mlkem768x25519-sha256",
         iana_codepoint=None,
-        standard="NIST FIPS 203",
+        # BSI TR-02102-4 (2024) recommends X25519+ML-KEM-768 hybrid for SSH.
+        standard="NIST FIPS 203, BSI TR-02102-4",
         safe=True,
     ),
 }
@@ -87,11 +91,11 @@ class GroupInfo:
     name for name, g in SSH_PQC_GROUPS.items() if g.safe
 )
 
-DEFAULT_TIMEOUT: int = 10
+DEFAULT_TIMEOUT: float = 10.0
 DEFAULT_PORT_HTTPS: int = 443
 
 OPENSSL_BINARY: str = "openssl"
-OPENSSL_MIN_VERSION: tuple[int, int] = (3, 0)
+OPENSSL_MIN_VERSION: tuple[int, int] = (3, 5)
 
 
 @functools.lru_cache(maxsize=1)
@@ -124,7 +128,8 @@ def check_openssl() -> tuple[bool, str]:
                 return False, (
                     f"OpenSSL {major}.{minor} detected; "
                     f"requires >= {OPENSSL_MIN_VERSION[0]}.{OPENSSL_MIN_VERSION[1]} "
-                    "for PQC hybrid groups. "
+                    "for native PQC hybrid group support "
+                    "(X25519MLKEM768 / SecP256r1MLKEM768 / SecP384r1MLKEM1024). "
                     "Upgrade OpenSSL (e.g. apt install openssl)."
                 )
     except Exception as exc:  # pragma: no cover

quantumvalidator/tls_utils.py

@@ -146,7 +146,7 @@ def probe_raw(
 def probe_tls(
     host: str,
     port: int,
-    timeout: int = 10,
+    timeout: float = 10.0,
 ) -> TLSProbeResult:
     """Probe *host*:*port* and return the negotiated TLS group.
 

quantumvalidator/verdict.py

@@ -98,7 +98,7 @@ def build_checks(
             value=negotiated_group,
             reason=(
                 f"No PQC hybrid group negotiated; got {negotiated_group or 'none'}. "
-                "Enable X25519MLKEM768 on the server (requires OpenSSL >= 3.0)."
+                "Enable X25519MLKEM768 on the server (requires OpenSSL >= 3.5)."
             ),
             standard="CNSA 2.0, BSI TR-02102-2",
         ))

tests/test_constants.py

@@ -66,6 +66,21 @@ def test_returns_false_when_version_too_old(self, monkeypatch):
         assert ok is False
         assert "1.1" in msg
 
+    def test_returns_false_when_version_34(self, monkeypatch):
+        # OpenSSL 3.4 has no native PQC group support; minimum is 3.5.
+        check_openssl.cache_clear()
+        monkeypatch.setattr(
+            "quantumvalidator.constants.shutil.which",
+            lambda name: f"/usr/bin/{name}",
+        )
+        monkeypatch.setattr(
+            "quantumvalidator.constants._sp.run",
+            lambda *a, **kw: MockRun(stdout="OpenSSL 3.4.0 22 Oct 2024\n"),
+        )
+        ok, msg = check_openssl()
+        assert ok is False
+        assert "3.4" in msg
+
     def test_version_check_exception_skipped(self, monkeypatch):
         check_openssl.cache_clear()
         monkeypatch.setattr(