fix: update supported TLS cipher preferences

ianbotsf · ianbotsf · commit d1bce1608c88 · 2025-04-30T21:56:07.000Z
diff --git a/.changes/3d6fffae-2ce4-478f-b410-fce0afe16588.json b/.changes/3d6fffae-2ce4-478f-b410-fce0afe16588.json
@@ -0,0 +1,5 @@
+{
+    "id": "3d6fffae-2ce4-478f-b410-fce0afe16588",
+    "type": "bugfix",
+    "description": "Update the set of supported `TlsCipherPreference` values to reflect the latest capabilities/support from CRT"
+}
diff --git a/aws-crt-kotlin/common/src/aws/sdk/kotlin/crt/io/TlsCipherPreference.kt b/aws-crt-kotlin/common/src/aws/sdk/kotlin/crt/io/TlsCipherPreference.kt
@@ -19,54 +19,53 @@ public enum class TlsCipherPreference(public val value: Int) {
     SYSTEM_DEFAULT(0),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2019_06(1),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_SIKE_TLS_V1_0_2019_11(2),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2020_02(3),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_SIKE_TLS_V1_0_2020_02(4),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2020_07(5),
 
     /**
-     * This TlsCipherPreference supports TLS 1.0 through TLS 1.3, and contains Kyber Round 3 as its highest priority
-     * PQ algorithm. PQ algorithms in this preference list will be used in hybrid mode, and will be combined with a
-     * classical ECDHE key exchange.
-     *
-     * NIST has announced that Kyber will be first post-quantum key-agreement algorithm that it will standardize.
-     * However, the NIST standardization process might introduce minor changes that may cause the final Kyber standard
-     * to differ from the Kyber Round 3 implementation available in this preference list.
-     *
-     * Since this TlsCipherPreference contains algorithms that have not yet been officially standardized by NIST, this
-     * preference list, and any of the PQ algorithms in it, may stop being supported at any time.
-     *
-     * For more info see:
-     *   - https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
-     *   - https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design
-     *   - https://aws.amazon.com/blogs/security/how-to-tune-tls-for-hybrid-post-quantum-cryptography-with-kyber/
-     *   - https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     PQ_TLS_V1_0_2021_05(6),
+
+    /**
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been standardized by
+     * NIST. PQ algorithms in this preference list will be used in hybrid mode, and always combined with a classical
+     * ECDHE key exchange.
+     */
+    PQ_TLSV1_2_2024_10(7),
+
+    /**
+     * Recommended default policy with post-quantum algorithm support. This policy may change over time.
+     */
+    PQ_DEFAULT(8),
+
     ;
 
     /**
