move cipher suite to builder option

xiazhvera · xiazhvera · commit 96677e5f2962 · 2025-10-17T09:43:32.000-07:00
diff --git a/awsiot/mqtt5_client_builder.py b/awsiot/mqtt5_client_builder.py
@@ -243,6 +243,7 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
     username = _get(kwargs, 'username', '')
@@ -345,6 +346,9 @@ def _builder(
     elif ca_filepath or ca_dirpath:
         tls_ctx_options.override_default_trust_store_from_path(ca_dirpath, ca_filepath)
 
+    if cipher_pref is not None:
+        tls_ctx_options.cipher_pref = cipher_pref
+
     if client_options.port is None:
         # prefer 443, even for direct MQTT connections, since it's less likely to be blocked by firewalls
         if use_websockets or awscrt.io.is_alpn_available():
@@ -362,7 +366,7 @@ def _builder(
     return client
 
 
-def mtls_from_path(cert_filepath, pri_key_filepath, cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
+def mtls_from_path(cert_filepath, pri_key_filepath,
                    **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT.
@@ -378,14 +382,12 @@ def mtls_from_path(cert_filepath, pri_key_filepath, cipher_pref=awscrt.io.TlsCip
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_from_path(cert_filepath, pri_key_filepath)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_from_bytes(
         cert_bytes,
         pri_key_bytes,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT.
@@ -401,7 +403,6 @@ def mtls_from_bytes(
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls(cert_bytes, pri_key_bytes)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
@@ -413,7 +414,6 @@ def mtls_with_pkcs11(*,
                      private_key_label: str = None,
                      cert_filepath: str = None,
                      cert_bytes=None,
-                     cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                      **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT connection to AWS IoT,
@@ -459,14 +459,12 @@ def mtls_with_pkcs11(*,
         private_key_label=private_key_label,
         cert_file_path=cert_filepath,
         cert_file_contents=cert_bytes)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
-                     cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                      **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
@@ -487,13 +485,11 @@ def mtls_with_pkcs12(*,
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_pkcs12(
         pkcs12_filepath=pkcs12_filepath,
         pkcs12_password=pkcs12_password)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_with_windows_cert_store_path(*,
                                       cert_store_path: str,
-                                      cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                                       **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an mTLS MQTT5 Client to AWS IoT,
@@ -512,15 +508,13 @@ def mtls_with_windows_cert_store_path(*,
     _check_required_kwargs(**kwargs)
 
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_windows_cert_store_path(cert_store_path)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def websockets_with_default_aws_signing(
         region,
         credentials_provider,
         websocket_proxy_options=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client over websockets to AWS IoT.
@@ -560,15 +554,13 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
 
     return websockets_with_custom_handshake(
         _sign_websocket_handshake_request,
-        websocket_proxy_options = websocket_proxy_options,
-        cipher_pref = cipher_pref,
+        websocket_proxy_options,
         **kwargs)
 
 
 def websockets_with_custom_handshake(
         websocket_handshake_transform,
         websocket_proxy_options=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client over websockets,
@@ -596,7 +588,6 @@ def websockets_with_custom_handshake(
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options=tls_ctx_options,
                     use_websockets=True,
                     websocket_handshake_transform=websocket_handshake_transform,
@@ -628,7 +619,6 @@ def direct_with_custom_authorizer(
         auth_password=None,
         auth_token_key_name=None,
         auth_token_value=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client using a custom
@@ -695,7 +685,6 @@ def direct_with_custom_authorizer(
 
     tls_ctx_options = awscrt.io.TlsContextOptions()
     tls_ctx_options.alpn_list = ["mqtt"]
-    tls_ctx_options.cipher_pref = cipher_pref
 
     return _builder(tls_ctx_options=tls_ctx_options,
                     use_websockets=False,
@@ -711,7 +700,6 @@ def websockets_with_custom_authorizer(
         websocket_proxy_options=None,
         auth_token_key_name=None,
         auth_token_value=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, configured for an MQTT5 Client using a custom
@@ -781,7 +769,6 @@ def websockets_with_custom_authorizer(
     kwargs["password"] = auth_password
 
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    tls_ctx_options.cipher_pref = cipher_pref
 
     def _sign_websocket_handshake_request(transform_args, **kwargs):
         # transform_args need to know when transform is done
@@ -798,7 +785,7 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
                     **kwargs)
 
 
-def new_default_builder(cipher_pref=awscrt.io.TlsCipherPref.DEFAULT, **kwargs) -> awscrt.mqtt5.Client:
+def new_default_builder(**kwargs) -> awscrt.mqtt5.Client:
     """
     This builder creates an :class:`awscrt.mqtt5.Client`, without any configuration besides the default TLS context options.
 
@@ -807,7 +794,6 @@ def new_default_builder(cipher_pref=awscrt.io.TlsCipherPref.DEFAULT, **kwargs) -
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options=tls_ctx_options,
                     use_websockets=False,
                     **kwargs)
diff --git a/awsiot/mqtt_connection_builder.py b/awsiot/mqtt_connection_builder.py
@@ -181,6 +181,7 @@ def _builder(
         use_websockets=False,
         websocket_handshake_transform=None,
         use_custom_authorizer=False,
+        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
     ca_bytes = _get(kwargs, 'ca_bytes')
@@ -202,6 +203,9 @@ def _builder(
     if port == 443 and awscrt.io.is_alpn_available() and use_custom_authorizer is False:
         tls_ctx_options.alpn_list = ['http/1.1'] if use_websockets else ['x-amzn-mqtt-ca']
 
+    if cipher_pref != awscrt.io.TlsCipherPref.DEFAULT:
+        tls_ctx_options.cipher_pref = cipher_pref
+
     socket_options = awscrt.io.SocketOptions()
     socket_options.connect_timeout_ms = _get(kwargs, 'tcp_connect_timeout_ms', 5000)
     # These have been inconsistent between keepalive/keep_alive. Resolve both for now to ease transition.
@@ -261,7 +265,6 @@ def _builder(
 def mtls_from_path(
         cert_filepath,
         pri_key_filepath,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT.
@@ -277,14 +280,12 @@ def mtls_from_path(
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_from_path(cert_filepath, pri_key_filepath)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_from_bytes(
         cert_bytes,
         pri_key_bytes,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT.
@@ -300,7 +301,6 @@ def mtls_from_bytes(
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls(cert_bytes, pri_key_bytes)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
@@ -312,7 +312,6 @@ def mtls_with_pkcs11(*,
                      private_key_label: str = None,
                      cert_filepath: str = None,
                      cert_bytes=None,
-                     cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                      **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
@@ -358,15 +357,13 @@ def mtls_with_pkcs11(*,
         private_key_label=private_key_label,
         cert_file_path=cert_filepath,
         cert_file_contents=cert_bytes)
-    tls_ctx_options.cipher_pref = cipher_pref
 
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_with_pkcs12(*,
                      pkcs12_filepath: str,
                      pkcs12_password: str,
-                     cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                      **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
@@ -387,13 +384,11 @@ def mtls_with_pkcs12(*,
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_pkcs12(
         pkcs12_filepath=pkcs12_filepath,
         pkcs12_password=pkcs12_password)
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options, **kwargs)
 
 
 def mtls_with_windows_cert_store_path(*,
                                       cert_store_path: str,
-                                      cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                                       **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an mTLS MQTT connection to AWS IoT,
@@ -412,7 +407,6 @@ def mtls_with_windows_cert_store_path(*,
     _check_required_kwargs(**kwargs)
 
     tls_ctx_options = awscrt.io.TlsContextOptions.create_client_with_mtls_windows_cert_store_path(cert_store_path)
-    tls_ctx_options.cipher_pref = cipher_pref
 
     return _builder(tls_ctx_options, **kwargs)
 
@@ -421,7 +415,6 @@ def websockets_with_default_aws_signing(
         region,
         credentials_provider,
         websocket_proxy_options=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection over websockets to AWS IoT.
@@ -461,15 +454,13 @@ def _sign_websocket_handshake_request(transform_args, **kwargs):
 
     return websockets_with_custom_handshake(
         _sign_websocket_handshake_request,
-        websocket_proxy_options = websocket_proxy_options,
-        cipher_pref = cipher_pref,
+        websocket_proxy_options=websocket_proxy_options,
         **kwargs)
 
 
 def websockets_with_custom_handshake(
         websocket_handshake_transform,
         websocket_proxy_options=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection over websockets,
@@ -497,7 +488,6 @@ def websockets_with_custom_handshake(
     """
     _check_required_kwargs(**kwargs)
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    tls_ctx_options.cipher_pref = cipher_pref
     return _builder(tls_ctx_options=tls_ctx_options,
                     use_websockets=True,
                     websocket_handshake_transform=websocket_handshake_transform,
@@ -529,7 +519,6 @@ def direct_with_custom_authorizer(
         auth_password=None,
         auth_token_key_name=None,
         auth_token_value=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection using a custom
@@ -575,7 +564,6 @@ def direct_with_custom_authorizer(
         auth_token_key_name=auth_token_key_name,
         auth_token_value=auth_token_value,
         use_websockets=False,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs)
 
 
@@ -588,7 +576,6 @@ def websockets_with_custom_authorizer(
         auth_password=None,
         auth_token_key_name=None,
         auth_token_value=None,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs) -> awscrt.mqtt.Connection:
     """
     This builder creates an :class:`awscrt.mqtt.Connection`, configured for an MQTT connection using a custom
@@ -640,7 +627,6 @@ def websockets_with_custom_authorizer(
         use_websockets=True,
         websockets_region=region,
         websockets_credentials_provider=credentials_provider,
-        cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs)
 
 
@@ -653,7 +639,6 @@ def _with_custom_authorizer(auth_username=None,
                             use_websockets=False,
                             websockets_credentials_provider=None,
                             websockets_region=None,
-                            cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
                             **kwargs) -> awscrt.mqtt.Connection:
     """
     Helper function that contains the setup needed for custom authorizers
@@ -687,7 +672,6 @@ def _with_custom_authorizer(auth_username=None,
     kwargs["password"] = auth_password
 
     tls_ctx_options = awscrt.io.TlsContextOptions()
-    tls_ctx_options.cipher_pref = cipher_pref
     if not use_websockets:
         kwargs["port"] = 443
         tls_ctx_options.alpn_list = ["mqtt"]
