Skip to content

Import Cloudfront PQ TLS Policies #5539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Import Cloudfront PQ TLS Policies #5539

wants to merge 3 commits into from

Conversation

alexw91
Copy link
Contributor

@alexw91 alexw91 commented Sep 30, 2025
edited
Loading

Release Summary:

Resolved issues:

P302735809

Description of changes:

Adds CloudFront PQ TLS Policies

Call-outs:

None

Testing:

Unit Tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@alexw91 alexw91 requested a review from jmayclin September 30, 2025 23:17
@goatgoose goatgoose self-requested a review October 1, 2025 00:08
goatgoose
goatgoose reviewed Oct 1, 2025
View reviewed changes
tests/policy_snapshot/snapshots/CloudFront-TLS-1-2-2018-Beta
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other policies without "no-pq" contain PQ. Does this one intentionally not have PQ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this policy is a legacy used for testing, hence not upgrading to PQ

tests/unit/s2n_security_policies_test.c
/* CloudFront viewer facing */
"CloudFront-SSL-v-3",
"CloudFront-TLS-1-0-2014",
"CloudFront-TLS-1-0-2014-PQ-Beta",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't there a bunch of other new policies that support TLS 1.3?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

most of the viewer side policies use TLS 1.3, you might be thinking about origin policies that have a separate policies that have TLS 1.3

@jmayclin
Copy link
Contributor

Are there any CloudFront policies that could be deleted? If the answer is no that's fine, but it this seems like a good point to check in on that 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@goatgoose goatgoose goatgoose left review comments

@jmayclin jmayclin Awaiting requested review from jmayclin

+2 more reviewers

@zz85 zz85 zz85 left review comments

@baldwinmatt baldwinmatt baldwinmatt approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

type/post-quantum

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@alexw91 @jmayclin @zz85 @goatgoose @baldwinmatt @dougch