Skip to content

Implement opt-out for PQ TLS #6648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
WillChilds-Klein wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Implement opt-out for PQ TLS #6648

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8d4b7e1
Implement opt-out for PQ TLS
WillChilds-Klein Dec 29, 2025
d3d1739
Update release changelog
WillChilds-Klein Dec 29, 2025
a86a2e1
Only use opt-out policy if supported
WillChilds-Klein Jan 5, 2026
2c652cc
Update CRT to 0.43.1
WillChilds-Klein Feb 5, 2026
6871bd9
Add pq-tls-test confirming everything works
WillChilds-Klein Feb 6, 2026
fc68ad3
Revert "Add pq-tls-test confirming everything works"
WillChilds-Klein Feb 6, 2026
fc7f64a
Merge branch 'master' into pq-opt-out
WillChilds-Klein Feb 6, 2026
05c207e
Update javadoc
WillChilds-Klein Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"type": "bugfix",
"category": "AWS SDK for Java v2",
"contributor": "WillChilds-Klein",
"description": "Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`."
}
5 changes: 2 additions & 3 deletions ...lients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,14 +263,13 @@ AwsCrtHttpClient.Builder tcpKeepAliveConfiguration(Consumer<TcpKeepAliveConfigur

/**
* Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network
* encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum cipher suites are
* not supported on the platform, the SDK will use the default TLS cipher suites.
* encryption protocol when communicating with services that support Post Quantum TLS.
*
* <p>
* See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum TLS with AWS KMS</a>
*
* <p>
* It's disabled by default.
* It's enabled by default.
*
* @param postQuantumTlsEnabled whether to prefer Post Quantum TLS
* @return The builder of the method chaining.
Expand Down
21 changes: 6 additions & 15 deletions ...ient/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,11 @@
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.crt.io.SocketOptions;
import software.amazon.awssdk.crt.io.TlsCipherPreference;
import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
import software.amazon.awssdk.utils.Logger;
import software.amazon.awssdk.utils.NumericUtils;

@SdkInternalApi
public final class AwsCrtConfigurationUtils {
private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class);

private AwsCrtConfigurationUtils() {
}
Expand Down Expand Up @@ -55,19 +52,13 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
}

public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) {
return defaultTls;
// As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy
// below if the caller explicitly disables PQ by passing in false.
if (Boolean.FALSE.equals(postQuantumTlsEnabled)
&& TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()) {
return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
Copy link
Contributor

@zoewangg zoewangg Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this policy may get outdated in the future. Can we create a non-PQTLS default TLS policy that always uses the latest TLS versions?

Copy link
Author

@WillChilds-Klein WillChilds-Klein Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately we can't enforce a minimum TLS version higher than this due to some SDKs (IoT, some others) requiring TLS 1.0 support for the foreseeable future.

Copy link
Contributor

@zoewangg zoewangg Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's totally fine. I'm proposing creating a new TlsCipherPreference that always links to the recommended non-PQTLS preference, for now, it's TLS_CIPHER_PREF_TLSv1_0_2023, which may change in the future and when we change it, we just need to change CRT code and don't have to update the code in the SDK

Copy link
Author

@WillChilds-Klein WillChilds-Klein Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

understood, and i agree that's a useful abstraction. does this concern block the current PR? i'd be happy to take this up as a follow-on. it would require an upstream CRT change + release.

}

TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
if (!pqTls.isSupported()) {
log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system "
+ "default cipher suites instead");
return defaultTls;
}

return pqTls;
return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
}

}
21 changes: 5 additions & 16 deletions .../src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,41 +16,30 @@
package software.amazon.awssdk.http.crt.internal;

import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;

import java.time.Duration;
import java.util.stream.Stream;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import software.amazon.awssdk.crt.CrtResource;
import software.amazon.awssdk.crt.io.SocketOptions;
import software.amazon.awssdk.crt.io.TlsCipherPreference;
import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;

class AwsCrtConfigurationUtilsTest {
@ParameterizedTest
@MethodSource("cipherPreferences")
void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls,
TlsCipherPreference tlsCipherPreference) {
Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported());
assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference);
}

@Test
void resolveCipherPreference_pqSupported_shouldHonor() {
Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported());
assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT);
void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled,
TlsCipherPreference expectedPreference) {
assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference);
}

private static Stream<Arguments> cipherPreferences() {
return Stream.of(
Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT),
Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT),
Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023),
Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT)
);
}
Expand Down
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@
<rxjava3.version>3.1.5</rxjava3.version>
<commons-codec.verion>1.17.1</commons-codec.verion>
<jmh.version>1.37</jmh.version>
<awscrt.version>0.40.3</awscrt.version>
<awscrt.version>0.43.1</awscrt.version>

<!--Test dependencies -->
<junit5.version>5.10.3</junit5.version>
Expand Down
Loading