-
Task
-
Resolution: Done
Investigation summary:
Ztunnel supports 4 crypto providers (aws-lc, ring, boring, openssl), but it does not support configuring any TLS setting.
1. aws-lc - supports X25519MLKEM768.
2. ring - does not support X25519MLKEM768.
3. boring - will not support X25519MLKEM768, because it is the FIPS 140-2 version of boringssl.
4. openssl - does not support X25519MLKEM768, because rustls-openssl and rust-openssl do not support it yet, but the maintainers are open to contributions of this feature (https://github.com/sfackler/rust-openssl/issues/2393).
I was able to build ztunnel with X25519MLKEM768 for:
1. openssl with oqsprovider: https://github.com/istio/ztunnel/compare/master...jewertow:ztunnel:ml-kem;
2. aws-lc-rs: https://github.com/istio/ztunnel/compare/master...jewertow:ztunnel:compliance-policy-post-quantum.
Action items:
1. Submit PR with X25519MLKEM768 support for aws-lc.