diff --git a/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json new file mode 100644 index 000000000000..25a9e6d6a084 --- /dev/null +++ b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json @@ -0,0 +1,6 @@ +{ + "type": "bugfix", + "category": "AWS SDK for Java v2", + "contributor": "WillChilds-Klein", + "description": "Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`." +} diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java index 08b9a5fdc7e8..cedb95b2f6cc 100644 --- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java +++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java @@ -223,15 +223,17 @@ AwsCrtAsyncHttpClient.Builder tcpKeepAliveConfiguration(Consumer - * See Using hybrid post-quantum TLS with AWS KMS + * See Using hybrid post-quantum + * TLS with AWS KMS * *

- * It's disabled by default. + * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum + * TLS cipher policy, which may change over time as the underlying CRT library is updated. * * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS * @return The builder of the method chaining. diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java index 4270b47862e5..06df4829a83e 100644 --- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java +++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java @@ -262,15 +262,17 @@ AwsCrtHttpClient.Builder tcpKeepAliveConfiguration(Consumer - * See Using hybrid post-quantum TLS with AWS KMS + * See Using hybrid post-quantum + * TLS with AWS KMS * *
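Review bot: The new sentence `It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum TLS cipher policy` promises more than the opt-out delivers: the resolver changed in this same commit (AwsCrtConfigurationUtils.resolveCipherPreference) returns the non-PQ policy only when `TLS_CIPHER_NON_PQ_DEFAULT.isSupported()` is true and otherwise falls back to `TLS_CIPHER_SYSTEM_DEFAULT`, which the changelog entry says now prefers PQ. A caller reading this Javadoc would reasonably assume `false` always disables post-quantum suites. Suggest adding a sentence such as `On platforms where the CRT does not support the non-post-quantum policy, the system default policy is used and post-quantum suites may still be negotiated.` The identical wording in the AwsCrtHttpClient.Builder hunk below needs the same caveat; both Javadoc comments continue outside their hunks.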

- * It's disabled by default. + * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum + * TLS cipher policy, which may change over time as the underlying CRT library is updated. * * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS * @return The builder of the method chaining. diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java index e3c92d620f1b..076e6a4ed052 100644 --- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java +++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java @@ -20,14 +20,11 @@ import software.amazon.awssdk.annotations.SdkInternalApi; import software.amazon.awssdk.crt.io.SocketOptions; import software.amazon.awssdk.crt.io.TlsCipherPreference; -import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient; import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration; -import software.amazon.awssdk.utils.Logger; import software.amazon.awssdk.utils.NumericUtils; @SdkInternalApi public final class AwsCrtConfigurationUtils { - private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class); private AwsCrtConfigurationUtils() { } 
@@ -55,19 +52,13 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep } public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) { - TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; - if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) { - return defaultTls; + // As of v0.39.3, aws-crt-java prefers PQ by default, so only return the non-PQ-default policy + // below if the caller explicitly disables PQ by passing in false. + if (Boolean.FALSE.equals(postQuantumTlsEnabled) + && TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT.isSupported()) { + return TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT; } - - TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT; - if (!pqTls.isSupported()) { - log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system " - + "default cipher suites instead"); - return defaultTls; - } - - return pqTls; + return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; } } diff --git a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java index e83e29e0aea1..80ee5af22e7b 100644 --- a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java +++ b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java 
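Review bot: When the caller passes `false` but `TLS_CIPHER_NON_PQ_DEFAULT.isSupported()` is false, the new condition falls through to `return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;`, which per this commit's changelog prefers PQ, so an explicit opt-out is ignored without any signal to the operator. The removed code logged a warning for the analogous unsupported-policy case, and the import hunk above also drops the `log` field and its `Logger` import, so nothing reports the effective policy any more. Keep the logger and emit a warning in that branch so the TLS policy actually in use is observable; the fence below shows the rewritten method and assumes the `log` field from the earlier hunk is retained.
```java
public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
    // … unchanged: comment on the aws-crt-java v0.39.3 default …
    if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
        if (TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT.isSupported()) {
            return TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT;
        }
        // Explicit opt-out cannot be honored on this platform; make that visible rather than silent.
        log.warn(() -> "Post-quantum TLS was explicitly disabled, but the non-post-quantum cipher policy is not "
                       + "supported on this platform. The SDK will use the system default cipher policy instead");
    }
    return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
}
```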
@@ -16,18 +16,14 @@ package software.amazon.awssdk.http.crt.internal; import static org.assertj.core.api.AssertionsForClassTypes.assertThat; -import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT; +import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT; import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; import java.time.Duration; import java.util.stream.Stream; -import org.junit.jupiter.api.AfterAll; -import org.junit.jupiter.api.Assumptions; -import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; -import software.amazon.awssdk.crt.CrtResource; import software.amazon.awssdk.crt.io.SocketOptions; import software.amazon.awssdk.crt.io.TlsCipherPreference; import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration; 
@@ -35,22 +31,19 @@ class AwsCrtConfigurationUtilsTest { @ParameterizedTest @MethodSource("cipherPreferences") - void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls, - TlsCipherPreference tlsCipherPreference) { - Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported()); - assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference); - } - - @Test - void resolveCipherPreference_pqSupported_shouldHonor() { - Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported()); - assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT); + void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled, + TlsCipherPreference expectedPreference) { + assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference); } private static Stream cipherPreferences() { + // On platforms where NON_PQ_DEFAULT is not supported (e.g. macOS), the code falls back to SYSTEM_DEFAULT. + TlsCipherPreference expectedForFalse = TLS_CIPHER_NON_PQ_DEFAULT.isSupported() + ? TLS_CIPHER_NON_PQ_DEFAULT + : TLS_CIPHER_SYSTEM_DEFAULT; return Stream.of( Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT), - Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT), + Arguments.of(false, expectedForFalse), Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT) ); } diff --git a/pom.xml b/pom.xml index f28154c5e31f..0215e0a57f9c 100644 --- a/pom.xml +++ b/pom.xml @@ -130,7 +130,7 @@ 3.1.5 1.17.1 1.37 - 0.43.5 + 0.44.0 5.10.3
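Review bot: `expectedForFalse` is derived from the same `TLS_CIPHER_NON_PQ_DEFAULT.isSupported()` check the implementation uses, so on a platform where the policy is unsupported the test expects `TLS_CIPHER_SYSTEM_DEFAULT` for `false` and thereby accepts, rather than guards, the opt-out being ignored. Consider pinning the intended contract in its own test guarded by `Assumptions.assumeTrue(TLS_CIPHER_NON_PQ_DEFAULT.isSupported());` that asserts `resolveCipherPreference(false)` equals `TLS_CIPHER_NON_PQ_DEFAULT`, with a second test under `assumeFalse` that documents the fallback explicitly; the `Assumptions` import was removed in the preceding hunk and would need to come back. The comment `On platforms where NON_PQ_DEFAULT is not supported (e.g. macOS)` is useful but the platform example is inferred from the CRT and may go stale, so wording it as `see TlsCipherPreference.isSupported()` would age better.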