
Conversation

@xiazhvera (Contributor) commented Sep 22, 2025

Issue #, if available:

Description of changes:

  • Added cipher suite TLSv1_2_2025_07
  • Update submodule aws-c-io -> v0.22.1

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@bretambrose (Contributor) left a comment

Wouldn't it make more sense to have the tests check is_supported() and TLS context creation rather than go through MQTT5?

awscrt/io.py (Outdated), comment on lines 281 to 282:

"""A TLS Cipher Preference ordering that supports TLS 1.2 through TLS 1.3, and does not include CBC cipher suites.
It is FIPS-compliant."""
@sfod (Contributor) commented Oct 20, 2025

Debatable: while the "does not include CBC cipher suites" part is true, and that's what we originally requested from s2n, there are more differences. See aws/s2n-tls#5375

When I added the policy to c-io, I used the abstract "tightened security", but now, thinking more about it, maybe we should give details on what this preference provides, something like the following:

A TLS cipher preference requiring TLS 1.2+ with FIPS compliance and perfect forward secrecy. Supports AES-GCM and ECDHE cipher suites with ECDSA and RSA-PSS signature schemes. Uses NIST P-256 and P-384 curves only.
