/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */
package software.amazon.awssdk.crt.io;

/**
 * A TlsCipherPreference represents a hardcoded ordered list of TLS Ciphers to use when negotiating a TLS Connection.
 *
 * At present, the ability to configure arbitrary orderings of TLS Ciphers is not allowed, and only a curated list of
 * vetted TlsCipherPreferences is exposed.
 */
public enum TlsCipherPreference {
    /**
     * Use whatever the System Default Preference is. This is usually the best option, as it will be automatically
     * updated as the underlying OS or platform changes, and will always be supported on all Platforms.
     */
    TLS_CIPHER_SYSTEM_DEFAULT(0),

    /**
     * @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
     */
    @Deprecated
    TLS_CIPHER_KMS_PQ_TLSv1_0_2019_06(1),

    /**
     * @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
     */
    @Deprecated
    TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2019_11(2),

    /**
     * @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
     */
    @Deprecated
    TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02(3),

    /**
     * @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
     */
    @Deprecated
    TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02(4),

    /**
     * @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
     */
    @Deprecated
    TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07(5),

    /**
     * This TlsCipherPreference supports TLS 1.0 through TLS 1.3, and contains Kyber Round 3 as its highest priority
     * PQ algorithm. PQ algorithms in this preference list will be used in hybrid mode, and will be combined with a
     * classical ECDHE key exchange.
     *
     * NIST has announced that Kyber will be the first post-quantum key-agreement algorithm that it will standardize.
     * However, the NIST standardization process might introduce minor changes that may cause the final Kyber standard
     * to differ from the Kyber Round 3 implementation available in this preference list.
     *
     * Since this TlsCipherPreference contains algorithms that have not yet been officially standardized by NIST, this
     * preference list, and any of the PQ algorithms in it, may stop being supported at any time.
     *
     * For more info see:
     *  - https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
     *  - https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design
     *  - https://aws.amazon.com/blogs/security/how-to-tune-tls-for-hybrid-post-quantum-cryptography-with-kyber/
     *  - https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
     */
    TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05(6);

    /** Numeric id handed to the native CRT layer for this preference list. */
    private int val;

    TlsCipherPreference(int val) {
        this.val = val;
    }

    int getValue() { return val; }

    /**
     * Not all Cipher Preferences are supported on all Platforms due to differences in the underlying TLS Libraries.
     *
     * @return True if this TlsCipherPreference is currently supported on the current platform.
     */
    public boolean isSupported() {
        return TlsContextOptions.isCipherPreferenceSupported(this);
    }
}
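Added example, not part of the aws-crt-java source above: a consumer-side selection routine that walks an ordered list of candidate preferences, skips constants marked @Deprecated and constants that isSupported() rejects on the running platform, and otherwise falls back to TLS_CIPHER_SYSTEM_DEFAULT. The package name, the class CipherPreferenceSelector, and the calls TlsContextOptions.createDefaultClient() and withCipherPreference(...) are assumptions about the library's public API and should be checked against the installed version.

```java
package example; // hypothetical consumer package, not part of aws-crt-java

import java.util.List;
import software.amazon.awssdk.crt.io.TlsCipherPreference;
import software.amazon.awssdk.crt.io.TlsContextOptions;

public final class CipherPreferenceSelector {

    /** Candidate preferences, most desirable first: hybrid PQ, then the system default. */
    static final List<TlsCipherPreference> CANDIDATES = List.of(
            TlsCipherPreference.TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05,
            TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT);

    /** True if the enum constant carries @Deprecated (all the 2019/2020 KMS_PQ entries do). */
    static boolean isDeprecated(TlsCipherPreference pref) {
        try {
            return TlsCipherPreference.class.getField(pref.name()).isAnnotationPresent(Deprecated.class);
        } catch (NoSuchFieldException e) {
            // Cannot happen: every enum constant is a public static field of the enum class.
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the first candidate that is neither deprecated nor unsupported here.
     * TLS_CIPHER_SYSTEM_DEFAULT is documented as always supported, so the explicit
     * fallback only matters if a caller passes a list without it.
     */
    static TlsCipherPreference select(List<TlsCipherPreference> candidates) {
        for (TlsCipherPreference pref : candidates) {
            if (isDeprecated(pref)) {
                continue; // deprecated lists may stop being supported at any time
            }
            if (pref.isSupported()) {
                return pref;
            }
        }
        return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
    }

    public static void main(String[] args) {
        TlsCipherPreference chosen = select(CANDIDATES);
        System.out.println("Using cipher preference: " + chosen);
        // ASSUMPTION: createDefaultClient() and withCipherPreference(...) are the
        // TlsContextOptions factory/builder methods, and the options object is AutoCloseable.
        try (TlsContextOptions opts = TlsContextOptions.createDefaultClient().withCipherPreference(chosen)) {
            // opts would now be handed to the TLS context / connection builder.
        }
    }
}
```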