Implement opt-out for PQ TLS (#6870)

* Implement opt-out for PQ TLS

Java CRT 0.39.3 enables and prefers PQ by default, so
`TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The
`postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes
an opt-out mechanism; setting it to false explicitly disables PQ by
using policy `TLS_CIPHER_PREF_TLSv1_0_2023`.

* Update release changelog

* Only use opt-out policy if supported

* Update CRT to 0.43.1

* Add pq-tls-test confirming everything works

* Revert "Add pq-tls-test confirming everything works"

This reverts commit 6871bd9.

* Update javadoc

* Use TLS_CIPHER_NON_PQ_DEFAULT cipher preference

* Update .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json

Co-authored-by: Zoe Wang <33073555+zoewangg@users.noreply.github.com>

* Update .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json

Co-authored-by: Zoe Wang <33073555+zoewangg@users.noreply.github.com>

* Add warn log statement if PQ disabled but non-PQ default not supported

* Fix checkstyle error

* Update changelog entry

---------

Co-authored-by: Will Childs-Klein <childw@amazon.com>
Co-authored-by: Will Childs-Klein <willck93@gmail.com>

Author: zoewangg

.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS CRT HTTP Client",
+    "contributor": "WillChilds-Klein",
+    "description": "Java CRT 0.39.3 enables and prefers Post Quantum TLS (PQ TLS) by default when supported by the platform and service. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ TLS."
+}

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtAsyncHttpClient.java

@@ -239,10 +239,12 @@ AwsCrtAsyncHttpClient.Builder tcpKeepAliveConfiguration(Consumer<TcpKeepAliveCon
          * not supported on the platform, the SDK will use the default TLS cipher suites.
          *
          * <p>
-         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum TLS with AWS KMS</a>
+         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum
+         * TLS with AWS KMS</a>
          *
          * <p>
-         * It's disabled by default.
+         * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum
+         * TLS cipher policy, which may change over time as the underlying CRT library is updated.
          *
          * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS
          * @return The builder of the method chaining.

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java

@@ -269,15 +269,17 @@ AwsCrtHttpClient.Builder tcpKeepAliveConfiguration(Consumer<TcpKeepAliveConfigur
                                                                     tcpKeepAliveConfigurationBuilder);
 
         /**
-         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network
-         * encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum cipher suites are
-         * not supported on the platform, the SDK will use the default TLS cipher suites.
+         * Configure whether to enable a hybrid post-quantum key exchange option for the Transport Layer Security (TLS)
+         * network encryption protocol when communicating with services that support Post Quantum TLS. If Post Quantum
+         * cipher suites are not supported on the platform, the SDK will use the default TLS cipher suites.
          *
          * <p>
-         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum TLS with AWS KMS</a>
+         * See <a href="https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html">Using hybrid post-quantum
+         * TLS with AWS KMS</a>
          *
          * <p>
-         * It's disabled by default.
+         * It's enabled by default. If set to {@code false}, the SDK will use the latest recommended non-post-quantum
+         * TLS cipher policy, which may change over time as the underlying CRT library is updated.
          *
          * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS
          * @return The builder of the method chaining.

http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java

@@ -20,14 +20,13 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.crt.io.SocketOptions;
 import software.amazon.awssdk.crt.io.TlsCipherPreference;
-import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient;
 import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.NumericUtils;
 
 @SdkInternalApi
 public final class AwsCrtConfigurationUtils {
-    private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class);
+    private static final Logger log = Logger.loggerFor(AwsCrtConfigurationUtils.class);
 
     private AwsCrtConfigurationUtils() {
     }
@@ -55,19 +54,16 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
     }
 
     public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
-        TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
-        if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) {
-            return defaultTls;
-        }
-
-        TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
-        if (!pqTls.isSupported()) {
-            log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system "
-                           + "default cipher suites instead");
-            return defaultTls;
+        // As of v0.39.3, aws-crt-java prefers PQ by default, so only return the non-PQ-default policy
+        // below if the caller explicitly disables PQ by passing in false.
+        if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
+            if (TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT.isSupported()) {
+                return TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT;
+            }
+            log.warn(() -> "Post-quantum TLS was explicitly disabled but TLS_CIPHER_NON_PQ_DEFAULT is not supported. "
+                           + "Falling back to TLS_CIPHER_SYSTEM_DEFAULT.");
         }
-
-        return pqTls;
+        return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
     }
 
 }

http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java

@@ -16,13 +16,11 @@
 package software.amazon.awssdk.http.crt.internal;
 
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
-import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT;
+import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_NON_PQ_DEFAULT;
 import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
 
 import java.time.Duration;
 import java.util.stream.Stream;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -36,22 +34,19 @@
 class AwsCrtConfigurationUtilsTest {
     @ParameterizedTest
     @MethodSource("cipherPreferences")
-    void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls,
-                                                                              TlsCipherPreference tlsCipherPreference) {
-        Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference);
-    }
-
-    @Test
-    void resolveCipherPreference_pqSupported_shouldHonor() {
-        Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported());
-        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT);
+    void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled,
+                                                        TlsCipherPreference expectedPreference) {
+        assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference);
     }
 
     private static Stream<Arguments> cipherPreferences() {
+        // On platforms where NON_PQ_DEFAULT is not supported (e.g. macOS), the code falls back to SYSTEM_DEFAULT.
+        TlsCipherPreference expectedForFalse = TLS_CIPHER_NON_PQ_DEFAULT.isSupported()
+            ? TLS_CIPHER_NON_PQ_DEFAULT
+            : TLS_CIPHER_SYSTEM_DEFAULT;
         return Stream.of(
             Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT),
-            Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT),
+            Arguments.of(false, expectedForFalse),
             Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT)
         );
     }

pom.xml

@@ -130,7 +130,7 @@
         <rxjava3.version>3.1.5</rxjava3.version>
         <commons-codec.verion>1.17.1</commons-codec.verion>
         <jmh.version>1.37</jmh.version>
-        <awscrt.version>0.43.9</awscrt.version>
+        <awscrt.version>0.44.0</awscrt.version>
 
         <!--Test dependencies -->
         <junit5.version>5.10.3</junit5.version>