diff --git a/awscrt/io.py b/awscrt/io.py
index 494b53711..faaa46844 100644
--- a/awscrt/io.py
+++ b/awscrt/io.py
@@ -277,6 +277,11 @@ class TlsCipherPref(IntEnum):
 PQ_DEFAULT = 8
 # : """Recommended default policy with post-quantum algorithm support. This policy may change over time."""
+ TLSv1_2_2025_07 = 9
+ """A TLS Cipher Preference requiring TLS 1.2+ with FIPS compliance and perfect forward secrecy. This security policy
+ is based on the AWS-CRT-SDK-TLSv1.2-2023 s2n TLS policy with enhanced security restrictions. It supports AES-GCM and
+ ECDHE cipher suites with ECDSA and RSA-PSS signature schemes, and uses NIST P-256 and P-384 curves only."""
+
 def is_supported(self):
 """Return whether this Cipher Preference is available in the underlying platform's TLS implementation"""
 return _awscrt.is_tls_cipher_supported(self.value)
diff --git a/test/test_io.py b/test/test_io.py
index aa2274711..6e414d4ba 100644
--- a/test/test_io.py
+++ b/test/test_io.py
@@ -113,6 +113,21 @@ def test_override_default_trust_store_file(self):
 opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt')
 ctx = ClientTlsContext(opt)
+ def test_set_cipher_preference_tlsv1_2_2025(self):
+ opt = TlsContextOptions()
+ opt.cipher_pref = TlsCipherPref.TLSv1_2_2025_07
+
+ try:
+ ctx = ClientTlsContext(opt)
+ except Exception as e:
+ if sys.platform.startswith("linux"):
+ # On Linux, this should not fail
+ self.fail(f"Unexpected error on Linux: {e}")
+ else:
+ # On non-Linux platforms, verify we get the expected error and skip
+ self.assertIn('AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED', str(e))
+ self.skipTest(f"TLSv1_2_2025_07 not supported on {sys.platform}")
+
 class TlsConnectionOptionsTest(NativeResourceTest):
 def test_init(self):
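Review bot: The docstring on the new `TLSv1_2_2025_07` member says nothing about availability, even though the member sits next to `is_supported()` and the companion test in this commit expects context creation to fail with `AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED` on non-Linux platforms. A caller choosing this policy for its FIPS/PFS properties needs that stated at the definition; I would append `Availability depends on the underlying TLS implementation: check is_supported() before selecting it, otherwise creating a TLS context fails with AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED.` to the docstring. The phrase "with FIPS compliance" also reads as a guarantee about the whole stack, whereas it presumably only describes the cipher-suite and curve selection and still depends on the crypto library the CRT was built against, so it is worth qualifying so it is not taken as a FIPS-validation claim. The enclosing class TlsCipherPref starts outside the hunk.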
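Review bot: The new test decides pass/skip from `sys.platform` rather than from the API callers are given for exactly this question, `TlsCipherPref.TLSv1_2_2025_07.is_supported()`, so it never checks that `is_supported()` agrees with whether `ClientTlsContext` can actually be built with the preference; on a non-Linux build that does support the policy the success path also asserts nothing. Branching on `is_supported()` while still asserting it is True on Linux keeps the Linux expectation and turns any disagreement between the two into a failure instead of a skip; `ctx` is assigned but never used, and the broad `except Exception` could be narrowed if the CRT raises a dedicated exception type. `sys` must already be imported at the top of test_io.py, which is outside the hunk.
```python
    def test_set_cipher_preference_tlsv1_2_2025(self):
        pref = TlsCipherPref.TLSv1_2_2025_07
        if sys.platform.startswith("linux"):
            # Linux builds are expected to ship this policy
            self.assertTrue(pref.is_supported())

        opt = TlsContextOptions()
        opt.cipher_pref = pref

        if not pref.is_supported():
            # is_supported() and context creation must agree
            with self.assertRaises(Exception) as cm:
                ClientTlsContext(opt)
            self.assertIn('AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED', str(cm.exception))
            self.skipTest(f"TLSv1_2_2025_07 not supported on {sys.platform}")

        ClientTlsContext(opt)
```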