diff --git a/Makefile.windows b/Makefile.windows
index 385d98e86..f2c4a7716 100644
--- a/Makefile.windows
+++ b/Makefile.windows
@@ -1,6 +1,8 @@
 #
-# UnrealIRCd Makefile - codemastr
+# UnrealIRCd Makefile for Windows
+# Originally written by codemastr
 #
+
 CC=cl
 LINK=link
 RC=rc
@@ -9,10 +11,19 @@ MT=mt
 ############################ USER CONFIGURATION ############################
 
 # You are encouraged NOT to set these values here, but instead make a batch file
-# which passes all these arguments to nmake, like:
-# nmake -f makefile.windows LIBRESSL_INC_DIR="c:\dev\libressl" etc etc...
-# Both ways will work, but if you use a batch file it's easier with
-# upgrading UnrealIRCd as you won't have to edit this makefile again.
+# file called "build.bat" which passes all these arguments to nmake, like:
+# nmake -f makefile.windows SSL_INC_DIR="c:\dev\unrealircd-6-libs\openssl" etc etc...
+# as explained in https://www.unrealircd.org/docs/Compiling_UnrealIRCd_on_Windows
+
+# And most likely you want the UnrealIRCd libraries pack, so you don't have
+# to compile all these libraries by yourself, see:
+# https://www.unrealircd.org/docs/Windows_external_libraries_for_UnrealIRCd
+
+### SSL/TLS ###
+#Use OpenSSL or LibreSSL. Define paths and libraries:
+#SSL_LIB_DIR="c:\dev\unrealircd-6-libs\openssl\lib"
+#SSL_INC_DIR="c:\dev\unrealircd-6-libs\openssl\include"
+#SSLLIB="libcrypto.lib libssl.lib"
 
 ### PCRE2 ###
 #PCRE2_LIB_DIR="C:\dev\pcre2\build\release"
@@ -44,47 +55,24 @@ MT=mt
 #GEOIPCLASSIC_INC_DIR="c:\dev\unrealircd-6-libs\GeoIP\libGeoIP" ^
 #GEOIPCLASSICLIB="GeoIP.lib"
 
-##### REMOTE INCLUDES ####
-#To enable remote include support you must have libcurl installed on your
-#system and it must have ares support enabled.
-#
-#
-#To enable remote includes uncomment the next line:
+### REMOTE INCLUDES ###
 #USE_REMOTEINC=1
-#
-#If your libcurl library and include files are not in your compiler's
-#default locations, specify the locations here:
-#LIBCURL_INC_DIR="c:\dev\curl\include"
-#LIBCURL_LIB_DIR="c:\dev\curl\lib"
-#
-#
-### END REMOTE INCLUDES ##
-
-####### SSL/TLS SUPPORT (MANDATORY) ######
-#Use LibreSSL or OpenSSL. Define paths and libraries:
-#LIBRESSL_INC_DIR="c:\dev\libressl\include"
-#LIBRESSL_LIB_DIR="c:\dev\libressl\lib"
-#SSLLIB=libcrypto-38.lib libssl-39.lib libtls-11.lib
-#The version numbers of the 3 libraries in the last line change
-#every libressl release. So be sure to update after any libressl upgrade.
-######### END SSL/TLS ########
+#LIBCURL_LIB_DIR="c:\dev\unrealircd-6-libs\curl\lib"
+#LIBCURL_INC_DIR="c:\dev\unrealircd-6-libs\curl\include"
 
 ###### _EXTRA_ DEBUGGING #####
 # We always build releases with debugging information, since otherwise
 # we cannot trace the source of a crash. Plus we do not mind the extra
 # performance hit caused by not enabling super-optimization, tracing
 # crashes properly is more important.
-# You can choose (at your own risk) to enable EVEN MORE debugging,
+# You can choose to (at your own risk) enable EVEN MORE debugging,
 # note that this causes /MDd to be used instead of /MD which can make
 # libraries incompatible, plus all the other side-effects such as
-# requiring a different dll we do not ship (and maybe you are not even
-# allowed to ship due to license agreements), etc...
-# In any case, this probably should not be used, unless debugging a
+# requiring a different runtime dll we do not ship (and maybe you are
+# not even allowed to ship due to license agreements), etc...
+# In any case, this probably SHOULD NOT BE USED, unless debugging a
 # problem locally, in which case it can be useful.
 #DEBUGEXTRA=1
-#
-#
-#### END RELEASE BUILD ###
 
 ############################# END CONFIGURATION ############################
 
@@ -135,11 +123,11 @@ LIBCURL_LIB=/LIBPATH:"$(LIBCURL_LIB_DIR)"
 !ENDIF
 !ENDIF
 
-!IFDEF LIBRESSL_INC_DIR
-LIBRESSL_INC=/I "$(LIBRESSL_INC_DIR)"
+!IFDEF SSL_INC_DIR
+SSL_INC=/I "$(SSL_INC_DIR)"
 !ENDIF
-!IFDEF LIBRESSL_LIB_DIR
-LIBRESSL_LIB=/LIBPATH:"$(LIBRESSL_LIB_DIR)"
+!IFDEF SSL_LIB_DIR
+SSL_LIB=/LIBPATH:"$(SSL_LIB_DIR)"
 !ENDIF
 
 !IFDEF DEBUGEXTRA
@@ -154,13 +142,13 @@ DBGLFLAG=/debug
 MODDBGCFLAG=/LDd /MD /Zi
 !ENDIF 
 
-STDOPTIONS=$(PCRE2_INC) $(ARGON2_INC) $(SODIUM_INC) $(JANSSON_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) \
+STDOPTIONS=$(PCRE2_INC) $(ARGON2_INC) $(SODIUM_INC) $(JANSSON_INC) $(CARES_INC) $(LIBCURL_INC) $(SSL_INC) \
  /J /I ./INCLUDE /nologo \
  $(CURLCFLAGS) /D FD_SETSIZE=16384 $(SSLCFLAGS) /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE \
  /D FAKELAG_CONFIGURABLE=1 \
  /W3 /wd4267 /wd4101 /wd4018 /wd4244 /wd4996 /WX /analyze:ruleset extras\VStudioAnalyze.ruleset
 STDLIBS=$(CARES_LIB) $(CARESLIB) $(PCRE2_LIB) $(PCRE2LIB) $(ARGON2_LIB) $(ARGON2LIB) \
- $(SODIUM_LIB) $(SODIUMLIB) $(JANSSON_LIB) $(JANSSONLIB) $(LIBRESSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB)
+ $(SODIUM_LIB) $(SODIUMLIB) $(JANSSON_LIB) $(JANSSONLIB) $(SSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB)
 CFLAGS=$(DBGCFLAG) $(STDOPTIONS) /FS /MP1 /c /Fosrc/
 CFLAGSST=$(DBGCFLAGST) $(STDOPTIONS) /FS /MP1 /c /Fosrc/
 LFLAGS=kernel32.lib user32.lib gdi32.lib shell32.lib ws2_32.lib advapi32.lib \
diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md
index 0eb234103..fc37adc59 100644
--- a/doc/RELEASE-NOTES.md
+++ b/doc/RELEASE-NOTES.md
@@ -78,11 +78,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`.
     ["harvest now, decrypt later"](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
   * To benefit from this, OpenSSL 3.5.0 or later (released April 2025)
     is required on the server, and similarly a client that supports this.
-    At the time of writing, almost all Linux distros don't have such an
+    At the time of writing, almost no Linux distros have such an
     OpenSSL version yet (which is not a problem, this new feature will simply
-    not be available). Notably Debian 13 (when released in August
-    2025) will have it. LibreSSL does not support it either yet, so our
-    Windows build does not have this feature.
+    not be available). Notably Debian 13 has it, and our Windows build.
   * Also, change the TLS information on-connect and in WHOIS etc. from
     something like `TLSv1.3-TLS_CHACHA20_POLY1305_SHA256` to
     `TLSv1.3/X25519/TLS_CHACHA20_POLY1305_SHA256`. In other words: using
@@ -97,6 +95,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`.
   will work fine if you use `cloak_sha256`).
 
 ### Changes:
+* Windows: we now use OpenSSL instead of LibreSSL. This also means PQC
+  is available on Windows now (see Post-quantum cryptography above).
+
 * When a netsplit happens and
   [set::server-linking::autoconnect-strategy](https://www.unrealircd.org/docs/Set_block#set::server-linking)
   is `sequential` (which is the default) or `sequential-fallback`
@@ -154,6 +155,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`.
   `PRIVMSG` and `SPAMINFO` for example.
 * New hook `HOOKTYPE_BANNED_CLIENT`
 * New hook `HOOKTYPE_CAN_USE_NICK`
+* On Windows the variables `LIBRESSL_INC_DIR` and `LIBRESSL_LIB_DIR`
+  are now `SSL_INC_DIR` and `SSL_LIB_DIR` because we no longer use
+  nor assume LibreSSL.
 
 UnrealIRCd 6.1.10
 ==================
diff --git a/extras/build-tests/windows/compilecmd/vs2019.bat b/extras/build-tests/windows/compilecmd/vs2019.bat
index c962020cf..cf26f59be 100644
--- a/extras/build-tests/windows/compilecmd/vs2019.bat
+++ b/extras/build-tests/windows/compilecmd/vs2019.bat
@@ -14,9 +14,9 @@ echo BUILDCOMMAND IS: %BUILDCOMMAND%
 echo BUILDARGS IS: %BUILDARGS%
 
 %BUILDCOMMAND% %BUILDARGS% -f makefile.windows ^
-LIBRESSL_INC_DIR="c:\projects\unrealircd-6-libs\libressl\include" ^
-LIBRESSL_LIB_DIR="c:\projects\unrealircd-6-libs\libressl\lib" ^
-SSLLIB="crypto.lib ssl.lib" ^
+SSL_INC_DIR="c:\projects\unrealircd-6-libs\openssl\include" ^
+SSL_LIB_DIR="c:\projects\unrealircd-6-libs\openssl\lib" ^
+SSLLIB="libcrypto.lib libssl.lib" ^
 USE_REMOTEINC=1 ^
 LIBCURL_INC_DIR="c:\projects\unrealircd-6-libs\curl\include" ^
 LIBCURL_LIB_DIR="c:\projects\unrealircd-6-libs\curl\builds\libcurl-vc-x64-release-dll-ssl-dll-cares-dll-ipv6-obj-lib" ^
diff --git a/src/windows/unrealinst.iss b/src/windows/unrealinst.iss
index 0a0a0bb4f..4c371300a 100755
--- a/src/windows/unrealinst.iss
+++ b/src/windows/unrealinst.iss
@@ -66,8 +66,8 @@ Source: "c:\dev\unrealircd-6-libs\argon2\vs2015\build\*.dll"; DestDir: "{app}\bi
 Source: "c:\dev\unrealircd-6-libs\libsodium\bin\x64\Release\v142\dynamic\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 Source: "c:\dev\unrealircd-6-libs\jansson\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 Source: "c:\dev\unrealircd-6-libs\c-ares\msvc\cares\dll-release\cares.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
-Source: "c:\dev\unrealircd-6-libs\libressl\bin\openssl.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
-Source: "c:\dev\unrealircd-6-libs\libressl\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
+Source: "c:\dev\unrealircd-6-libs\openssl\bin\openssl.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
+Source: "c:\dev\unrealircd-6-libs\openssl\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 Source: "c:\dev\unrealircd-6-libs\GeoIP\libGeoIP\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 Source: "c:\dev\unrealircd-6-libs\setacl.exe"; DestDir: "{app}\tmp"; Flags: ignoreversion signonce
 #ifdef USE_CURL