
Enabling hybrid post-quantum TLS - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling hybrid post-quantum TLS

Amazon SDKs and tools have cryptographic capabilities and configuration that differ across languages and runtimes. An Amazon SDK or tool currently provides PQ TLS support in one of three ways:

SDKs with PQ TLS enabled by default

Note

As of 6-Nov-2025, the Amazon SDKs and their underlying CRT libraries for macOS and Windows use system libraries for TLS, so PQ TLS capability on those platforms is generally determined by system-level support.

Amazon SDK for Go

The Amazon SDK for Go uses Golang’s own TLS implementation provided by its standard library. Golang supports and prefers PQ TLS as of v1.24, so Amazon SDK for Go users can enable PQ TLS by simply upgrading Golang to v1.24.

Amazon SDK for JavaScript (browser)

The Amazon SDK for JavaScript (browser) uses the browser’s TLS stack, so the SDK will negotiate PQ TLS if the browser runtime supports and prefers it. Firefox launched support for PQ TLS in v132.0. Chrome announced support for PQ TLS in v131. Edge supports opt-in PQ TLS in v120 for desktop and v140 for Android.

Amazon SDK for Node.js

As of Node.js v22.20 (LTS) and v24.9.0, Node.js statically links and bundles OpenSSL 3.5. This means that PQ TLS is enabled and preferred by default for those and subsequent versions.

Amazon SDK for Kotlin

The Kotlin SDK supports and prefers PQ TLS on Linux as of v1.5.78. Because the Amazon SDK for Kotlin’s CRT-based client relies on system libraries for TLS on macOS and Windows, support for PQ TLS there depends on those underlying system libraries.

Amazon SDK for Rust

The Amazon SDK for Rust distributes distinct packages (known as “crates” in the Rust ecosystem) for each service client. These are all managed in a consolidated GitHub repository, but each service client follows its own version and release cadence. The consolidated SDK shipped PQ TLS preference on 29-Aug-25, so any individual service client version released after that date supports and prefers PQ TLS by default.

You can determine the minimum version supporting PQ TLS for a particular service client by navigating to the relevant crates.io version URL (for example, Amazon Web Services Promotional Credit's is here) and finding the first version published after 29-Aug-25; that version and every later one have PQ TLS enabled and preferred by default.

Opt-in PQ TLS support

Amazon SDK for C++

By default, the C++ SDK uses platform-native clients like libcurl and WinHttp. libcurl generally relies on system OpenSSL for TLS, so PQ TLS is only enabled by default if system OpenSSL is ≥ v3.5. You can override this default in C++ SDK v1.11.673 or later and opt in to the AwsCrtHttpClient, which supports and enables PQ TLS by default.

Notes on Building for Opt-In PQ TLS

You can fetch the SDK’s CRT dependencies with this script. Building the SDK from source is described here and here, but note that you may need a few additional CMake flags:

-DUSE_CRT_HTTP_CLIENT=ON \
-DUSE_TLS_V1_2=OFF \
-DUSE_TLS_V1_3=ON \
-DUSE_OPENSSL=OFF \

Amazon SDK for Java

As of v2, Amazon SDK for Java provides an Amazon Common Runtime (Amazon CRT) HTTP Client that can be configured to perform PQ TLS. As of v2.35.11, the AwsCrtHttpClient enables and prefers PQ TLS by default wherever it’s used.

SDKs that rely on System OpenSSL

Several Amazon SDKs and tools depend on the system's libcrypto/libssl library for TLS. The system library most often used is OpenSSL. OpenSSL enabled PQ TLS support in version 3.5, so the easiest way to configure these SDKs and tools for PQ TLS is to run them on an operating system distribution that has at least OpenSSL 3.5 installed.

You can also configure a Docker container to use OpenSSL 3.5 to enable PQ TLS on any system that supports Docker. See Post-quantum TLS in Python for an example of setting this up for Python.

Amazon CLI

As of v2.34.54, the Amazon CLI installer for Linux bundles OpenSSL 3.5.6, so PQ TLS is enabled and preferred by default for that and subsequent versions on Linux. Amazon CLI users on Linux can enable PQ TLS by upgrading to Amazon CLI v2.34.54 or later.

For macOS, install the Amazon CLI via Homebrew and ensure that your Homebrew-vended OpenSSL is upgraded to version 3.5+. You can do this with "brew install openssl@3.6" and validate with "brew list | grep openssl".

For step-by-step instructions to validate the installation, see the GitHub repository and accompanying blog post.

Amazon SDK for PHP

The Amazon SDK for PHP relies on system libssl/libcrypto. To use PQ TLS, use this SDK on an operating system distribution that has at least OpenSSL 3.5 installed.

Amazon SDK for Python (Boto3)

The Amazon SDK for Python (Boto3) relies on the OpenSSL library linked by your Python installation for TLS. The behavior differs by platform:

Windows and macOS (python.org installer)

The official python.org installers for Windows (.exe) and macOS (.pkg) bundle their own OpenSSL library. As of Python 3.14.6, the bundled OpenSSL 3.5.7 supports and prefers PQ TLS by default. No additional configuration is needed.

macOS (Homebrew)

Since Homebrew's python@3.14 links against Homebrew's openssl@3 shared library, as of Homebrew OpenSSL 3.5+, PQ TLS is supported and preferred by default. You can validate your OpenSSL version with:

python3.14 -c "import ssl; print(ssl.OPENSSL_VERSION)"

If your version is below 3.5, upgrade with brew upgrade openssl@3.

Linux

On Linux, Python dynamically links against the system's shared libssl. Having OpenSSL 3.5+ installed is necessary but not sufficient, as the system's cryptographic policy must also include post-quantum groups in its default TLS configuration.

For Amazon Linux 2023 (AL2023.12 or higher), enable PQ TLS with:

sudo update-crypto-policies --set DEFAULT:PQ

For more information, see Enable Post-Quantum Cryptography (PQC) on AL2023.

For other Linux distributions, consult your distribution's documentation on configuring default TLS groups.

You can verify that PQ TLS is working by checking for the X25519MLKEM768 key exchange in your TLS handshake.
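The OpenSSL version check for Homebrew Python and the handshake verification step for Linux can both be scripted. The following is an added example, not part of this page or of any Amazon SDK: it parses an OpenSSL version banner (from ssl.OPENSSL_VERSION or `openssl version`) and decides whether it meets the 3.5 threshold, extracts the negotiated key-exchange group from constructed `openssl s_client` output (the "Negotiated TLS1.3 group:" line is assumed to be the format OpenSSL 3.2 and later print), and reports on the local interpreter without any network access. The SecP256r1MLKEM768 and SecP384r1MLKEM1024 group names and the runtime probe for SSLContext.get_groups() are assumptions not stated on this page.

```python
"""Added example: local checks for the PQ TLS prerequisites described above.

Not part of this page or of any Amazon SDK; sample inputs are constructed.
"""
import re
import ssl
from typing import Optional

# X25519MLKEM768 is the group this page says to look for in the handshake.
# The other two names are assumed (OpenSSL 3.5 group names), not from this page.
HYBRID_PQ_GROUPS = frozenset({"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"})
MIN_PQ_OPENSSL = (3, 5)  # OpenSSL enabled PQ TLS in 3.5

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")
_GROUP_RE = re.compile(r"Negotiated TLS1\.3 group:\s*(\S+)")


def parse_openssl_version(banner: str) -> Optional[tuple[int, int, int]]:
    """Turn 'OpenSSL 3.5.7 ...' into (3, 5, 7).

    Returns None for anything that is not OpenSSL (for example the LibreSSL
    that ships as /usr/bin/openssl on macOS), so callers treat it as not
    PQ-capable rather than crashing.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.groups())
    return (major, minor, fix)


def openssl_is_pq_capable(banner: str) -> bool:
    """True when the banner names OpenSSL 3.5 or later."""
    version = parse_openssl_version(banner)
    return version is not None and version[:2] >= MIN_PQ_OPENSSL


def negotiated_group_from_s_client(output: str) -> Optional[str]:
    """Extract the key-exchange group from `openssl s_client` output."""
    m = _GROUP_RE.search(output)
    return m.group(1) if m else None


def negotiated_group_is_pq(group: Optional[str]) -> bool:
    """True when the handshake used a hybrid ML-KEM group."""
    return group is not None and group in HYBRID_PQ_GROUPS


def local_python_tls_report() -> dict:
    """Describe the OpenSSL linked into this interpreter; needs no network.

    'pq_groups_enabled' stays None on Python builds whose SSLContext has no
    get_groups(); its availability is probed at runtime (assumption).
    """
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_pq_capable": openssl_is_pq_capable(ssl.OPENSSL_VERSION),
        "tls13_available": ssl.HAS_TLSv1_3,  # TLS 1.3 is a prerequisite for PQ TLS
        "pq_groups_enabled": None,
    }
    ctx = ssl.create_default_context()
    get_groups = getattr(ctx, "get_groups", None)
    if callable(get_groups):
        try:
            groups = get_groups()
            report["pq_groups_enabled"] = any(g in HYBRID_PQ_GROUPS for g in groups)
        except Exception:  # older OpenSSL may reject the query; report stays None
            pass
    return report


# Constructed excerpts of `openssl s_client -connect host:443` summaries.
SAMPLE_S_CLIENT_PQ = """\
SSL handshake has read 4096 bytes and written 1500 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Negotiated TLS1.3 group: X25519MLKEM768
"""
SAMPLE_S_CLIENT_CLASSICAL = """\
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Negotiated TLS1.3 group: X25519
"""

if __name__ == "__main__":
    for name, sample in (("pq", SAMPLE_S_CLIENT_PQ), ("classical", SAMPLE_S_CLIENT_CLASSICAL)):
        group = negotiated_group_from_s_client(sample)
        print(f"{name}: group={group} hybrid_pq={negotiated_group_is_pq(group)}")
    print(local_python_tls_report())
```

On Linux, a report showing openssl_pq_capable as True but pq_groups_enabled as False is exactly the "necessary but not sufficient" case above: the library is new enough, but the system crypto policy does not include the post-quantum groups.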

Amazon SDK for Ruby

The Amazon SDK for Ruby relies on system libssl/libcrypto. To use PQ TLS, use this SDK on an operating system distribution that has at least OpenSSL 3.5 installed.

Amazon SDK for .NET

On Linux, the Amazon SDK for .NET relies on system libssl/libcrypto. To use PQ TLS, use this SDK on an operating system distribution that has at least OpenSSL 3.5 installed. On Windows and macOS, PQ TLS is available starting in .NET 10 and Windows 11. On macOS, TLS 1.3 support (a prerequisite for PQ TLS) can be enabled by opting in to Apple's Network.framework as described here. Assuming a minimum .NET version of 10, PQ TLS should then be enabled.

Amazon SDKs and tools not planning to support PQ TLS

There are currently no plans to support PQ TLS in the following SDKs and tools:

  • Amazon SDK for SAP

  • Amazon SDK for Swift

  • Amazon Tools for Windows PowerShell