.changelog/1754597579.md
0 → 100644
+10
−0
+1
−1
Loading
Set rustls prefer-post-quantum feature flag (#4255)
## Motivation and Context This change sets rustls's `prefer-post-quantum` flag so that SDK calls send a post-quantum KeyShare in the client Hello during a TLS handshake. See t/P275548278 for more details. ## Description In 0.23.27, rustls enabled the `prefer-post-quantum` feature flag by default. However, [aws-smithy-http-client disables](https://github.com/smithy-lang/smithy-rs/blob/main/rust-runtime/aws-smithy-http-client/Cargo.toml#L89) all rustls default features, meaning no post-quantum KeyShare is sent. This change explicitly enables the `prefer-post-quantum` feature. Rustls [recently removed](https://github.com/rustls/rustls/commit/cb273a03363161069c1c4f23b8e498aa7f62183c ) this feature flag altogether, likely to be released in version 0.24. Once we depend on that change, we can delete all mention of the feature flag. ## Testing I tested this locally against aws-sdk-rust (containing analogous changes to this PR) with a small proof of concept project whose Cargo.toml looks like this: ``` [package] name = "rust-s3-connector" version = "0.1.0" edition = "2021" [dependencies] aws-types = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/aws-types" } aws-config = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/aws-config" } aws-sdk-s3 = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/s3" } aws-sdk-kms = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/kms" } aws-smithy-http-client = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/aws-smithy-http-client" } aws-smithy-runtime-api = { version = "1", path = "/Users/childw/workplace/github/WillChilds-Klein/aws-sdk-rust/sdk/aws-smithy-runtime-api" } tokio = { version = "1", features = ["full"] } clap = { version = "4.0", features = ["derive"]} anyhow = "1.0" ``` With this PoC, I confirmed that no PQ keyshare was sent before this change, and that a PQ keyshare was sent after the change. This resulted in a successful PQ TLS connection. ## Checklist <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked --> - [x] For changes to the smithy-rs codegen or runtime crates, I have created a changelog entry Markdown file in the `.changelog` directory, specifying "client," "server," or both in the `applies_to` key. ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by:Landon James <lnj@amazon.com> Co-authored-by: