From 123d3a94f64c98048e65bd075aa400f4ee7c344a Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Mon, 29 Dec 2025 15:14:14 -0500
Subject: [PATCH 1/3] Implement opt-out for PQ TLS

Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`.
---
 .../internal/AwsCrtConfigurationUtils.java | 20 +++++-------------
 .../AwsCrtConfigurationUtilsTest.java | 21 +++++--------------
 2 files changed, 10 insertions(+), 31 deletions(-)

diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
index e3c92d620f1b..e2a33246667d 100644
--- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
+++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
@@ -20,14 +20,11 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
-import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
-import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.NumericUtils;
 
 @SdkInternalApi
 public final class AwsCrtConfigurationUtils {
- private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class);
 
 private AwsCrtConfigurationUtils() {
 }
@@ -55,19 +52,12 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
 }
 
 public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
- TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
- if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) {
- return defaultTls;
+ // As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy
+ // below if the caller explicitly disables PQ by passing in false.
+ if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
+ return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
 }
-
- TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
- if (!pqTls.isSupported()) {
- log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system "
- + "default cipher suites instead");
- return defaultTls;
- }
-
- return pqTls;
+ return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
 }
 }
 
diff --git a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java
index e83e29e0aea1..f1c67665e57b 100644
--- a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java
+++ b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java
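Review bot: resolveCipherPreference is public and its contract has just inverted from opt-in to opt-out, yet the rewritten body in this hunk carries no Javadoc; a `@param postQuantumTlsEnabled` / `@return` block stating that only an explicit `false` selects `TLS_CIPHER_PREF_TLSv1_0_2023` while both `null` and `true` yield `TLS_CIPHER_SYSTEM_DEFAULT` (PQ-preferring on CRT 0.39.3 and later, per the commit message) would stop callers from assuming `true` still forces PQ. The new comment also has a doubled word and should read `// As of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy`. With the logger removed in the preceding hunk, nothing in this method reports when a caller's stated preference cannot be applied, which is worth stating in the Javadoc as well.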
@@ -16,18 +16,14 @@
 package software.amazon.awssdk.http.crt.internal;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
-import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
+import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
 import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
 
 import java.time.Duration;
 import java.util.stream.Stream;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import software.amazon.awssdk.crt.CrtResource;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
@@ -35,22 +31,15 @@ class AwsCrtConfigurationUtilsTest {
 
 @ParameterizedTest
 @MethodSource("cipherPreferences")
- void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls,
- TlsCipherPreference tlsCipherPreference) {
- Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported());
- assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference);
- }
-
- @Test
- void resolveCipherPreference_pqSupported_shouldHonor() {
- Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported());
- assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT);
+ void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled,
+ TlsCipherPreference expectedPreference) {
+ assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference);
 }
 
 private static Stream cipherPreferences() {
 return Stream.of(
 Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT),
- Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT),
+ Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023),
 Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT)
 );
 }

From 991909dc769b595d21388205896c07327c1fc2e4 Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Mon, 29 Dec 2025 18:49:14 -0500
Subject: [PATCH 2/3] Update release changelog

---
 .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json

diff --git a/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json
new file mode 100644
index 000000000000..25a9e6d6a084
--- /dev/null
+++ b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json
@@ -0,0 +1,6 @@
+{
+ "type": "bugfix",
+ "category": "AWS SDK for Java v2",
+ "contributor": "WillChilds-Klein",
+ "description": "Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`."
+}

From ffa362d6cfb081dac46812e1e12a1182012e9c3c Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Mon, 5 Jan 2026 10:31:07 -0500
Subject: [PATCH 3/3] Only use opt-out policy if supported

---
 .../awssdk/http/crt/internal/AwsCrtConfigurationUtils.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
index e2a33246667d..1ceac0a3ee80 100644
--- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
+++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
@@ -54,7 +54,8 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
 public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
 // As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy
 // below if the caller explicitly disables PQ by passing in false.
- if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
+ if (Boolean.FALSE.equals(postQuantumTlsEnabled)
+ && TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()) {
 return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
 }
 return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
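Review bot: When `TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()` is false, the new `&&` condition silently discards an explicit opt-out and falls through to `TLS_CIPHER_SYSTEM_DEFAULT`, which the commit message says now prefers PQ, so a caller that set `postQuantumTlsEnabled(false)` gets the opposite of what it asked for with no diagnostic; the `log.warn` removed in patch 1 covered exactly this kind of fallback and should come back on that branch (restoring the `Logger` field that patch 1 deleted), or the method should throw if the opt-out is meant to be a hard guarantee. The parameterized test from patch 1 still asserts `Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023)` unconditionally, so it will fail on any platform where that policy is unsupported; guard it with `Assumptions.assumeTrue(TLS_CIPHER_PREF_TLSv1_0_2023.isSupported())` (patch 1 also removed that import) or add a case for the fallback. The closing brace of resolveCipherPreference lies outside the hunk.
```java
public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
    // … unchanged: comment on the CRT 0.39.3 PQ-by-default behaviour …
    if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
        if (TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()) {
            return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
        }
        // needs the Logger field removed in patch 1 to be reinstated
        log.warn(() -> "TLS_CIPHER_PREF_TLSv1_0_2023 is not supported on this platform; the post-quantum "
                       + "opt-out cannot be honored and the system default cipher preference will be used");
    }
    return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
```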