Section 2 of 4

TLS 1.2 vs TLS 1.3: Why the Version Actually Matters

TLS 1.3 wasn't just a performance improvement. The architectural change it made to key exchange is the reason ML-KEM can exist at all, and TLS 1.3 without ML-KEM still leaves you exposed. Both of those things are true at the same time.

At a Glance

TLS 1.2
TLS 1.3
Key Exchange
Secret encrypted to server's long-term certificate key and sent over the wire. Same cert key used for every session.
Key Exchange
Ephemeral key pairs, generated fresh per session. Secret computed independently on both sides, never transmitted.
Forward Secrecy
Not guaranteed. Steal the cert private key later โ†’ decrypt all past sessions.
Forward Secrecy
Always on. Past sessions can't be decrypted even if the cert key is later compromised.
Algorithm Flexibility
Key exchange baked into the cipher suite string. Adding a new algorithm requires a new cipher suite through a full standards process.
Algorithm Flexibility
Dedicated key_share extension, a pluggable slot. Swap in any algorithm both sides support without changing anything else.
ML-KEM Support
Not possible. No mechanism to carry ML-KEM key material.
ML-KEM Support
Native. ML-KEM key material goes directly into the key_share slot.
TLS 1.2 โ€” Key Exchange Browser Server Certificate (public key) Encrypt(secret, cert_pubkey) โ†’ Both derive session key from secret โš  Secret was on the wire โ€” capturable Harvest now โ†’ decrypt later if cert key ever broken TLS 1.3 โ€” Key Exchange Browser Server key_share (ephemeral pubkey) โ†’ โ† key_share (server ephemeral pubkey) Each side computes shared secret independently โœ“ Secret never transmitted Ephemeral keys discarded โ€” no reuse, no retroactive decryption

Three Things to Know

1. The prerequisite

ML-KEM requires TLS 1.3. It uses the key_share extension that only exists in TLS 1.3. If any hop in your traffic path enforces TLS 1.2 as a minimum, ML-KEM can't negotiate, silently. No error, no fallback warning.

2. TLS 1.3 alone is not enough

TLS 1.3 with X25519 (classical) is just as exposed to harvest now, decrypt later as TLS 1.2. The version protects you against classical attacks. ML-KEM is what closes the quantum gap.

3. The failure is invisible

When ML-KEM can't negotiate, sessions fall back to X25519 and everything works normally. There's no log entry, no alert. The only way to confirm PQ is actually negotiating is to run openssl s_client and check the output yourself.

Configuration Forward Secrecy Quantum-Safe Key Exchange HNDL Exposure
TLS 1.2 Not guaranteed No Exposed
TLS 1.3 (X25519 only) Yes, always No Exposed
TLS 1.3 + X25519MLKEM768 Yes, always Yes Protected

Why You Cannot Retrofit ML-KEM onto TLS 1.2

In TLS 1.2, the key exchange algorithm is fused into the cipher suite string. Take ECDHE-RSA-AES128-GCM-SHA256 bundles the key exchange, authentication, encryption, and MAC all together. Adding a new key exchange method means defining an entirely new cipher suite, pushing it through a standards process, and waiting for every server, browser, and library to adopt it. That was never going to happen for ML-KEM.

TLS 1.3 broke these apart. The key_share extension is a clean, dedicated slot. Both sides advertise what they support, agree on an algorithm, and fill the slot with the appropriate key material. The protocol doesn't care what the math underneath is. Swap X25519 for X25519MLKEM768 and everything else stays the same. That pluggability is what makes ML-KEM possible.

Short version: TLS 1.3 made the key exchange pluggable. TLS 1.2 hard-coded it into the cipher suite. ML-KEM needs the plug. TLS 1.2 doesn't have one.

The Same Version, Different Quantum Posture

Testing with openssl s_client and advertising X25519MLKEM768 against two different CDN paths for the same domain shows the difference clearly. One path through Cloudflare, one through F5 Distributed Cloud:

Through Cloudflare

Negotiated TLS1.3 group: X25519MLKEM768

Post-quantum key exchange confirmed. ML-KEM is on by default for TLS 1.3 zones.

Through F5 Distributed Cloud

Negotiated TLS1.3 group: x25519

TLS 1.3, but classical only. F5 Distributed Cloud doesn't yet support ML-KEM in its key_share handling.

Same domain. Same TLS version. Same cipher for data encryption. The only difference is one algorithm in one extension slot. That's the entire quantum gap.

Run it yourself: See the OpenSSL setup guide in the Network Architecture section. You need OpenSSL 3.5+. The version matters here too.

Cloudflare TLS Settings: Two Controls, One Goal

In the Cloudflare dashboard under SSL/TLS โ†’ Edge Certificates, there are two separate settings that both relate to TLS version. They look similar but control completely different things. Getting them confused is a common source of misconfiguration.

Minimum TLS Version
Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer.
TLS 1.2 โ–ผ
API โ–ถ Help โ–ถ
TLS 1.3
Enable the latest version of the TLS protocol for improved security and performance.
โœ“
API โ–ถ Help โ–ถ
Minimum TLS Version
TLS 1.3 Toggle
What it controls
The floor: the oldest version Cloudflare will accept from a visitor. Set to 1.2: TLS 1.0 and 1.1 connections are rejected. TLS 1.2 and 1.3 are allowed.
What it controls
Whether Cloudflare offers TLS 1.3 to browsers that support it. When on, modern browsers negotiate 1.3; older ones fall back to 1.2.
Does it disable TLS 1.3?
No. Setting the minimum to 1.2 does not remove TLS 1.3. It just permits 1.2 as the oldest allowed version.
What happens when off?
Forces TLS 1.2. Even modern browsers are denied TLS 1.3 negotiation. ML-KEM cannot work at all.
ML-KEM impact
If min is set to 1.3, only TLS 1.3 traffic is accepted. ML-KEM can always negotiate. If min is 1.2, legacy clients still connect but ML-KEM only works for TLS 1.3 sessions.
ML-KEM impact
This toggle must be on for ML-KEM to be possible. No TLS 1.3 โ†’ no key_share extension โ†’ no ML-KEM, regardless of any other setting.
In your current config (Min TLS = 1.2, TLS 1.3 toggle = ON):
TLS 1.2 is the floor and TLS 1.3 is available. Most modern browsers negotiate 1.3 and can use ML-KEM. Legacy systems fall back to 1.2. Those sessions are not quantum-safe. This is the right balance for most environments still running mixed clients.
If you want to enforce TLS 1.3 only: Set the minimum to TLS 1.3. Every connection will be TLS 1.3, so ML-KEM can always negotiate. The trade-off: any client or device that only supports TLS 1.2 will be refused entirely. Verify your client landscape before making this change.
How each version's key exchange actually works: The TLS 1.2 RSA Handshake page walks through the full 8-step RSA handshake, identifies exactly where the vulnerability lives in that flow, and shows how TLS 1.3's ephemeral key exchange closes it.
โ† Previous The Problem