Skip to content

Implement opt-out for PQ TLS#6648

Draft
WillChilds-Klein wants to merge 8 commits intoaws:masterfrom
WillChilds-Klein:pq-opt-out
Draft

Implement opt-out for PQ TLS#6648
WillChilds-Klein wants to merge 8 commits intoaws:masterfrom
WillChilds-Klein:pq-opt-out

Conversation

@WillChilds-Klein
Copy link

@WillChilds-Klein WillChilds-Klein commented Dec 29, 2025
edited
Loading

Status

This PR is currently in draft status until aws-crt-java PR #975 has been merged/released and its dependency version has been bumped in this PR.

Notes

Java CRT 0.39.3 enables and prefers PQ by default, so TLS_CIPHER_SYSTEM_DEFAULT now uses PQ cipher suites. The postQuantumTlsEnabled builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy TLS_CIPHER_PREF_TLSv1_0_2023.

Testing

  • updated unit test
  • for "integration testing", i had Claude write a small test project that exercised three CRT client PQ configurations: default, enabled, disabled. i verified with wireshark that the expected keyshares were sent for each. i had to run this in a Linux container because the CRT doesn't yet support TLSv1.3 on MacOS, which is a prerequisite for PQ TLS.
$ ./run-docker.sh
...
========================================
   Post-Quantum TLS Configuration Test
========================================

----------------------------------------
Test: postQuantumTlsEnabled = DEFAULT (not set)
----------------------------------------
Creating AwsCrtHttpClient... ?
Creating KMS client... ?
Calling KMS ListKeys API... ?

Result: SUCCESS
  Keys returned: 4
  Expected cipher: TLS_CIPHER_SYSTEM_DEFAULT (PQ preferred by default since CRT 0.39.3)

----------------------------------------
Test: postQuantumTlsEnabled = ENABLED (true)
----------------------------------------
Creating AwsCrtHttpClient... ?
Creating KMS client... ?
Calling KMS ListKeys API... ?

Result: SUCCESS
  Keys returned: 4
  Expected cipher: TLS_CIPHER_SYSTEM_DEFAULT (PQ explicitly enabled)

----------------------------------------
Test: postQuantumTlsEnabled = DISABLED (false)
----------------------------------------
Creating AwsCrtHttpClient... ?
Creating KMS client... ?
Calling KMS ListKeys API... ?

Result: SUCCESS
  Keys returned: 4
  Expected cipher: TLS_CIPHER_PREF_TLSv1_0_2023 (PQ explicitly disabled/opted-out)


========================================
   ? ALL TESTS PASSED
========================================


===========================================
Test completed in Docker container

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@WillChilds-Klein
Implement opt-out for PQ TLS
8d4b7e1 
Java CRT 0.39.3 enables and prefers PQ by default, so
`TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The
`postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes
an opt-out mechanism; setting it to false explicitly disables PQ by
using policy `TLS_CIPHER_PREF_TLSv1_0_2023`.
@WillChilds-Klein
Update release changelog
d3d1739
@WillChilds-Klein
Only use opt-out policy if supported
a86a2e1
@WillChilds-Klein
Update CRT to 0.43.1
2c652cc
@WillChilds-Klein WillChilds-Klein marked this pull request as ready for review February 6, 2026 18:56
@WillChilds-Klein WillChilds-Klein requested a review from a team as a code owner February 6, 2026 18:56
zoewangg
zoewangg requested changes Feb 6, 2026
View reviewed changes
Copy link
Contributor

@zoewangg zoewangg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we update the javadoc for postQuantumTlsEnabled? https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java#L239

...-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
// below if the caller explicitly disables PQ by passing in false.
if (Boolean.FALSE.equals(postQuantumTlsEnabled)
&& TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()) {
return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
Copy link
Contributor

@zoewangg zoewangg Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this policy may get outdated in the future. Can we create a non-PQTLS default TLS policy that always uses the latest TLS versions?

Copy link
Author

@WillChilds-Klein WillChilds-Klein Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately we can't enforce a minimum TLS version higher than this due to some SDKs (IoT, some others) requiring TLS 1.0 support for the foreseeable future.

Copy link
Contributor

@zoewangg zoewangg Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's totally fine. I'm proposing creating a new TlsCipherPreference that always links to the recommended non-PQTLS preference, for now, it's TLS_CIPHER_PREF_TLSv1_0_2023, which may change in the future and when we change it, we just need to change CRT code and don't have to update the code in the SDK

Copy link
Author

@WillChilds-Klein WillChilds-Klein Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

understood, and i agree that's a useful abstraction. does this concern block the current PR? i'd be happy to take this up as a follow-on. it would require an upstream CRT change + release.

Copy link
Contributor

@zoewangg zoewangg Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the delay, it dropped off my radar for some reason. Yes, I'd prefer to get those upstream changes released first

Copy link
Author

@WillChilds-Klein WillChilds-Klein Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you got it. PRs for:

I'll return this PR to draft status until those have been merged and aws-crt-java dependency version has been bumped.

This was referenced Mar 17, 2026
Open
Draft
@WillChilds-Klein WillChilds-Klein marked this pull request as draft March 17, 2026 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoewangg zoewangg Awaiting requested review from zoewangg

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@WillChilds-Klein @zoewangg