Skip to content

feat(crt): add minTlsVersion option to CRT HTTP clients#7147

Open
zoewangg wants to merge 1 commit into
masterfrom
zoewang/crt-min-tls-version
Open

feat(crt): add minTlsVersion option to CRT HTTP clients#7147
zoewangg wants to merge 1 commit into
masterfrom
zoewang/crt-min-tls-version

Conversation

@zoewangg

Copy link
Copy Markdown
Contributor

Motivation and Context

Fixes #5619.

Customers using the AWS CRT HTTP client have no per-client way to require a minimum TLS protocol version.

Modifications

Adds a minTlsVersion(TlsVersion) builder option on both AwsCrtHttpClient.Builder and AwsCrtAsyncHttpClient.Builder.

  • New @SdkPublicApi enum software.amazon.awssdk.http.crt.TlsVersion with two values: TLS_1_3 and SYSTEM_DEFAULT.
  • New builder methods are additive; no existing public method or type signature changed.
  • postQuantumTlsEnabled(false) combined with minTlsVersion(TLS_1_3) fails at build() on platforms where TLS_CIPHER_NON_PQ_DEFAULT is supported. The failure surfaces as the CRT-native IllegalStateException from TlsContextOptions#getNativeHandle ("tlsCipherPreference and minTlsVersion are mutually exclusive"). The SDK does not wrap or replace this exception.
  • macOS caveat is documented on both the TlsVersion type Javadoc and the two minTlsVersion(...) builder-method Javadocs: Apple Secure Transport (the default macOS CRT TLS backend) does not support TLS 1.3. To use TlsVersion.TLS_1_3 on macOS the customer must set env var AWS_CRT_USE_NON_FIPS_TLS_13 to a non-empty value at process startup, which switches CRT to its s2n-tls backend (not FIPS-validated, no macOS Keychain integration). The SDK does not read or interpret this env var; the failure otherwise surfaces on the first request as a CRT-side error.

Testing

Added new tests

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

Note on the mvn install box: only the http-clients/aws-crt-client module was built locally (BUILD SUCCESS, 247 tests, 0 failures, 2 platform-skipped). A full-repo mvn install was not run.

License

  • I confirm that this pull request can be released under the Apache 2 license

Add minTlsVersion(TlsVersion) on AwsCrtHttpClient.Builder and
AwsCrtAsyncHttpClient.Builder so customers can enforce a minimum TLS
protocol version for outbound connections.

Fixes #5619
@zoewangg zoewangg requested a review from a team as a code owner July 14, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Allow AWS Crt Client to set minimum TLS version

1 participant