TLS Lane splices the handshake on the wire — two independent TLS negotiations on one connection, upgrading legacy crypto to post-quantum in real time. One binary. No SDK. No origin changes.
FIPS 203 (ML-KEM) · CNSA 2.0 · M-23-02 · RFC 9794 hybrid
Whatever your client speaks, whatever your server demands — TLS Lane reconciles them on the wire. Find your case:
A PQC-only server rejects every browser today. TLS Lane splices the handshake to make it work.
$ curl https://pqc.tlslane.com
curl: (35) error:0A000410: SSL routines::ssl/tls alert handshake failure
Server requires pure ML-KEM-768. Browser only speaks hybrid.
$ tlslane splice --pure-pqc pqc.tlslane.com
Splice handshake active
Traffic to pqc.tlslane.com:
  client   ← hybrid →   TLS Lane
  TLS Lane ← pure PQC → server
$ curl -v https://pqc.tlslane.com
* issuer: TLS Lane Root CA
* SSL connection using TLS 1.3 / ML-KEM-768 / AES-256-GCM
HTTP/2 200
Server configured to CNSA 2.0 strict-mode requirements — increasingly common in federal and defense acquisitions.
Each side of the connection negotiates independently. The server doesn't change. The client doesn't know.
            Server      TLS Lane    Client
Protocol    TLS 1.2        →        TLS 1.3
Key Exch    RSA            →        ML-KEM-768
Cipher      AES-CBC        →        AES-256-GCM
Status      Unchanged      →        Upgraded
Everything else that modifies TLS terminates the connection and re-proxies it. On Linux, TLS Lane rides the original connection in the kernel — no hop, no new socket, original source IP intact.
Reverse proxy / CDN / mesh sidecar
  client ──TCP①──▶ [ proxy: decrypt│re-encrypt ] ──TCP②──▶ server
  two connections · a hop · SNAT'd source IP

TLS Lane — inline (eBPF)
  client ────── one connection, preserved ──────▶ server
                       ▲ in the kernel
  rewrites the handshake in-band · original 5-tuple intact
In splice mode TLS Lane still decrypts/re-encrypts to transform the crypto — but in-band on the original connection, not via a proxy.
See every TLS handshake on the wire. SNI, cipher suite, key exchange, certificate chain. Safe, read-only.
$ tlslane
Splice the handshake for a domain or all traffic. TLS Lane intercepts transparently and negotiates each side independently.
$ tlslane splice example.com
Define rules for which domains get spliced, passed through, or blocked. Local policy.yaml or push from the management dashboard.
# policy.yaml in config directory
eBPF/TC inline on Linux for zero-copy capture — the original TCP connection is preserved. Userspace proxy mode on Linux, macOS, and Windows. Same management plane, same policy engine across all three.
Single static binary, ~5 MB. systemd unit and CA installed in one step. Auto-detects OS, architecture, and glibc version. Monitor mode works instantly; splice mode adds one CA trust prompt.
FIPS 203 ML-KEM-768 (NIST ratified), hybrid X25519MLKEM768 (RFC 9794), classical fallback for legacy peers. You choose the policy, TLS Lane enforces it.
Create a free account. Get your agent token and install command.
One command installs. Starts in monitor mode — see your crypto inventory instantly.
Enable splice to upgrade connections to PQC. Track progress on your dashboard.