aws · xiazhvera · Sep 23, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
diff --git a/awsiot/mqtt5_client_builder.py b/awsiot/mqtt5_client_builder.py
@@ -168,6 +168,8 @@
 
     **ca_bytes** (`bytes`): Override default trust store with CA certificates from these PEM formatted bytes.
 
+    **cipher_pref** (:class:`awscrt.io.TlsCipherPref`): Cipher preference to use for TLS connection. Default is `TlsCipherPref.DEFAULT`.
+
     **enable_metrics_collection** (`bool`): Whether to send the SDK version number in the CONNECT packet.
         Default is True.
 
@@ -243,6 +245,7 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
     username = _get(kwargs, 'username', '')
@@ -345,6 +348,9 @@ def _builder(
     elif ca_filepath or ca_dirpath:
         tls_ctx_options.override_default_trust_store_from_path(ca_dirpath, ca_filepath)
 
+    if cipher_pref is not None:
+        tls_ctx_options.cipher_pref = cipher_pref
+
     if client_options.port is None:
         # prefer 443, even for direct MQTT connections, since it's less likely to be blocked by firewalls
         if use_websockets or awscrt.io.is_alpn_available():
@@ -453,6 +459,7 @@ def mtls_with_pkcs11(*,
         cert_file_contents=cert_bytes)
     return _builder(tls_ctx_options, **kwargs)
 
+
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
@@ -543,7 +550,10 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
         except Exception as e:
             transform_args.set_done(e)
 
-    return websockets_with_custom_handshake(_sign_websocket_handshake_request, websocket_proxy_options, **kwargs)
+    return websockets_with_custom_handshake(
+        _sign_websocket_handshake_request,
+        websocket_proxy_options,
+        **kwargs)
 
 
 def websockets_with_custom_handshake(

diff --git a/awsiot/mqtt_connection_builder.py b/awsiot/mqtt_connection_builder.py
@@ -111,6 +111,8 @@
 
     **ca_bytes** (`bytes`): Override default trust store with CA certificates from these PEM formatted bytes.
 
+    **cipher_pref** (:class:`awscrt.io.TlsCipherPref`): Cipher preference to use for TLS connection. Default is `TlsCipherPref.DEFAULT`.
+
     **enable_metrics_collection** (`bool`): Whether to send the SDK version number in the CONNECT packet.
         Default is True.
 
@@ -181,6 +183,7 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
     ca_bytes = _get(kwargs, 'ca_bytes')
@@ -202,6 +205,9 @@ def _builder(
     if port == 443 and awscrt.io.is_alpn_available() and use_custom_authorizer is False:
         tls_ctx_options.alpn_list = ['http/1.1'] if use_websockets else ['x-amzn-mqtt-ca']
 
+    if cipher_pref != awscrt.io.TlsCipherPref.DEFAULT:
+        tls_ctx_options.cipher_pref = cipher_pref
+
     socket_options = awscrt.io.SocketOptions()
     socket_options.connect_timeout_ms = _get(kwargs, 'tcp_connect_timeout_ms', 5000)
     # These have been inconsistent between keepalive/keep_alive. Resolve both for now to ease transition.
@@ -350,6 +356,7 @@ def mtls_with_pkcs11(*,
 
     return _builder(tls_ctx_options, **kwargs)
 
+
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
@@ -552,6 +559,7 @@ def direct_with_custom_authorizer(
         use_websockets=False,
         **kwargs)
 
+
 def websockets_with_custom_authorizer(
         region=None,
         credentials_provider=None,
@@ -590,7 +598,7 @@ def websockets_with_custom_authorizer(
         auth_authorizer_signature (`str`):  The digital signature of the token value in the `auth_token_value`
             parameter. The signature must be based on the private key associated with the custom authorizer.  The
             signature must be base64 encoded.
-            Required if the custom authorizer has signing enabled.  
+            Required if the custom authorizer has signing enabled.
 
         auth_token_key_name (`str`): Key used to extract the custom authorizer token from MQTT username query-string
             properties.
@@ -616,15 +624,15 @@ def websockets_with_custom_authorizer(
 
 
 def _with_custom_authorizer(auth_username=None,
-        auth_authorizer_name=None,
-        auth_authorizer_signature=None,
-        auth_password=None,
-        auth_token_key_name=None,
-        auth_token_value=None,
-        use_websockets=False,
-        websockets_credentials_provider=None,
-        websockets_region=None,
-        **kwargs) -> awscrt.mqtt.Connection:
+                            auth_authorizer_name=None,
+                            auth_authorizer_signature=None,
+                            auth_password=None,
+                            auth_token_key_name=None,
+                            auth_token_value=None,
+                            use_websockets=False,
+                            websockets_credentials_provider=None,
+                            websockets_region=None,
+                            **kwargs) -> awscrt.mqtt.Connection:
     """
     Helper function that contains the setup needed for custom authorizers
     """
@@ -657,7 +665,7 @@ def _with_custom_authorizer(auth_username=None,
     kwargs["password"] = auth_password
 
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    if use_websockets == False:
+    if not use_websockets:
         kwargs["port"] = 443
         tls_ctx_options.alpn_list = ["mqtt"]
 

diff --git a/setup.py b/setup.py
@@ -40,7 +40,7 @@ def _load_version():
         "Operating System :: OS Independent",
     ],
     install_requires=[
-        'awscrt==0.28.1',
+        'awscrt==0.28.3',
     ],
     python_requires='>=3.8',
 )