Implement opt-out for PQ TLS

.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS SDK for Java v2",
+    "contributor": "WillChilds-Klein",
+    "description": "Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`."
+}

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java

@@ -223,15 +223,17 @@ AwsCrtAsyncHttpClient.Builder tcpKeepAliveConfiguration(Consumer<TcpKeepAliveCon
                                               tcpKeepAliveConfigurationBuilder);
 
         /**
-         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network
-         * encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum cipher suites are
-         * not supported on the platform, the SDK will use the default TLS cipher suites.
+         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS)
+         * network encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum
+         * cipher suites are not supported on the platform, the SDK will use the default TLS cipher suites.
          *
          * <p>
-         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum TLS with AWS KMS</a>
+         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum
+         * TLS with AWS KMS</a>
          *
          * <p>
-         * It's disabled by default.
+         * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum
+         * TLS cipher policy, which may change over time as the underlying CRT library is updated.
          *
          * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS
          * @return The builder of the method chaining.

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java

@@ -262,15 +262,17 @@ AwsCrtHttpClient.Builder tcpKeepAliveConfiguration(Consumer<TcpKeepAliveConfigur
                                                                     tcpKeepAliveConfigurationBuilder);
 
         /**
-         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network
-         * encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum cipher suites are
-         * not supported on the platform, the SDK will use the default TLS cipher suites.
+         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS)
+         * network encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum
+         * cipher suites are not supported on the platform, the SDK will use the default TLS cipher suites.
          *
          * <p>
-         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum TLS with AWS KMS</a>
+         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum
+         * TLS with AWS KMS</a>
          *
          * <p>
-         * It's disabled by default.
+         * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum
+         * TLS cipher policy, which may change over time as the underlying CRT library is updated.
          *
          * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS
          * @return The builder of the method chaining.

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java

@@ -20,14 +20,11 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
-import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
-import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.NumericUtils;
 
 @SdkInternalApi
 public final class AwsCrtConfigurationUtils {
-    private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class);
 
     private AwsCrtConfigurationUtils() {
     }
@@ -55,19 +52,13 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
     }
 
     public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
-        TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
-        if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) {
-            return defaultTls;
+        // As of v0.39.3, aws-crt-java prefers PQ by default, so only return the non-PQ-default policy
+        // below if the caller explicitly disables PQ by passing in false.
+        if (Boolean.FALSE.equals(postQuantumTlsEnabled)
+                && TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT.isSupported()) {
+            return TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT;
         }
-
-        TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
-        if (!pqTls.isSupported()) {
-            log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system "
-                           + "default cipher suites instead");
-            return defaultTls;
-        }
-
-        return pqTls;
+        return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
     }
 
 }

http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java

@@ -16,41 +16,34 @@
 package software.amazon.awssdk.http.crt.internal;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
-import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
+import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT;
 import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
 
 import java.time.Duration;
 import java.util.stream.Stream;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import software.amazon.awssdk.crt.CrtResource;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
 
 class AwsCrtConfigurationUtilsTest {
     @ParameterizedTest
     @MethodSource("cipherPreferences")
-    void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls,
-                                                                              TlsCipherPreference tlsCipherPreference) {
-        Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference);
-    }
-
-    @Test
-    void resolveCipherPreference_pqSupported_shouldHonor() {
-        Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT);
+    void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled,
+                                                        TlsCipherPreference expectedPreference) {
+        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference);
     }
 
     private static Stream<Arguments> cipherPreferences() {
+        // On platforms where NON_PQ_DEFAULT is not supported (e.g. macOS), the code falls back to SYSTEM_DEFAULT.
+        TlsCipherPreference expectedForFalse = TLS_CIPHER_NON_PQ_DEFAULT.isSupported()
+            ? TLS_CIPHER_NON_PQ_DEFAULT
+            : TLS_CIPHER_SYSTEM_DEFAULT;
         return Stream.of(
             Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT),
-            Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT),
+            Arguments.of(false, expectedForFalse),
             Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT)
         );
     }

pom.xml

@@ -130,7 +130,7 @@
         <rxjava3.version>3.1.5</rxjava3.version>
         <commons-codec.verion>1.17.1</commons-codec.verion>
         <jmh.version>1.37</jmh.version>
-        <awscrt.version>0.43.5</awscrt.version>
+        <awscrt.version>0.44.0</awscrt.version>
 
         <!--Test dependencies -->
         <junit5.version>5.10.3</junit5.version>