Add namedGroups/supportedGroups to ConnectionSpec for post-quantum TLS key exchange

[netanmangal]

France's ANSSI will stop certifying security products without post-quantum cryptography starting in 2027 - the first hard regulatory deadline of its kind globally. Additional mandates: US NSA CNSA 2.0 (2027), NIST IR 8547 (deprecation by 2030, disallowed by 2035), EU critical infrastructure (2030).

Problem

ConnectionSpec configures two TLS parameters:

• Cipher suites (via cipherSuites())
• TLS versions (via tlsVersions())

It has no way to configure named groups (a.k.a. supported groups). Post-quantum key exchange in TLS 1.3 is negotiated via the supported_groups extension - X25519MLKEM768 is a named group, not a cipher suite.

This means OkHttp users cannot configure, require, or restrict PQC key exchange algorithms, even when the underlying TLS provider supports them.

Android Impact

Android's Conscrypt (OkHttp's default TLS provider on Android) does not yet support PQC key exchange (as of Android 17 Beta 4). Conscrypt 2.6.0-alpha2 adds X25519MLKEM768 for JVM-only (not Android). This means the most popular Android HTTP client (46K+ stars) has no path to PQC key exchange on billions of devices.

Proposed Change

Add optional namedGroups to ConnectionSpec.Builder:

val pqcSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .namedGroups(NamedGroup.X25519_MLKEM768, NamedGroup.X25519, NamedGroup.SECP256R1)
    .build()

And update MODERN_TLS / RESTRICTED_TLS presets to include PQC groups when available from the provider.

Context

• Chrome already defaults to X25519MLKEM768
• gRPC merged PQC as default (June 2026)
• Conscrypt 2.6.0 pre-release adds ML-KEM, ML-DSA, X25519MLKEM768

References

• NIST FIPS 203 (ML-KEM)
• Conscrypt PR #1452 (setNamedGroups)
• JEP 527 — Post-Quantum Key Exchange for TLS 1.3