Implement opt-out for PQ TLS

WillChilds-Klein · WillChilds-Klein · commit 123d3a94f64c · 2025-12-29T15:33:49.000-05:00
Java CRT 0.39.3 enables and prefers PQ by default, so
`TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The
`postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes
an opt-out mechanism; setting it to false explicitly disables PQ by
using policy `TLS_CIPHER_PREF_TLSv1_0_2023`.
diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
@@ -20,14 +20,11 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
-import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
-import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.NumericUtils;
 
 @SdkInternalApi
 public final class AwsCrtConfigurationUtils {
-    private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class);
 
     private AwsCrtConfigurationUtils() {
     }
@@ -55,19 +52,12 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
     }
 
     public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
-        TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
-        if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) {
-            return defaultTls;
+        // As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy
+        // below if the caller explicitly disables PQ by passing in false.
+        if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
+            return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
         }
-
-        TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
-        if (!pqTls.isSupported()) {
-            log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system "
-                           + "default cipher suites instead");
-            return defaultTls;
-        }
-
-        return pqTls;
+        return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
     }
 
 }
diff --git a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java
@@ -16,41 +16,30 @@
 package software.amazon.awssdk.http.crt.internal;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
-import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
+import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
 import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
 
 import java.time.Duration;
 import java.util.stream.Stream;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import software.amazon.awssdk.crt.CrtResource;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
 
 class AwsCrtConfigurationUtilsTest {
     @ParameterizedTest
     @MethodSource("cipherPreferences")
-    void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls,
-                                                                              TlsCipherPreference tlsCipherPreference) {
-        Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference);
-    }
-
-    @Test
-    void resolveCipherPreference_pqSupported_shouldHonor() {
-        Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT);
+    void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled,
+                                                        TlsCipherPreference expectedPreference) {
+        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference);
     }
 
     private static Stream<Arguments> cipherPreferences() {
         return Stream.of(
             Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT),
-            Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT),
+            Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023),
             Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT)
         );
     }
