Expose cipher suite TLSv1_2_2025_07

awscrt/io.py

@@ -277,6 +277,11 @@ class TlsCipherPref(IntEnum):
     PQ_DEFAULT = 8  # :
     """Recommended default policy with post-quantum algorithm support. This policy may change over time."""
 
+    TLSv1_2_2025_07 = 9
+    """A TLS Cipher Preference requiring TLS 1.2+ with FIPS compliance and perfect forward secrecy. This security policy
+    is based on the AWS-CRT-SDK-TLSv1.2-2023 s2n TLS policy with enhanced security restrictions. It supports AES-GCM and
+    ECDHE cipher suites with ECDSA and RSA-PSS signature schemes, and uses NIST P-256 and P-384 curves only."""
+
     def is_supported(self):
         """Return whether this Cipher Preference is available in the underlying platform's TLS implementation"""
         return _awscrt.is_tls_cipher_supported(self.value)

test/test_io.py

@@ -113,6 +113,21 @@ def test_override_default_trust_store_file(self):
         opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt')
         ctx = ClientTlsContext(opt)
 
+    def test_set_cipher_preference_tlsv1_2_2025(self):
+        opt = TlsContextOptions()
+        opt.cipher_pref = TlsCipherPref.TLSv1_2_2025_07
+
+        try:
+            ctx = ClientTlsContext(opt)
+        except Exception as e:
+            if sys.platform.startswith("linux"):
+                # On Linux, this should not fail
+                self.fail(f"Unexpected error on Linux: {e}")
+            else:
+                # On non-Linux platforms, verify we get the expected error and skip
+                self.assertIn('AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED', str(e))
+                self.skipTest(f"TLSv1_2_2025_07 not supported on {sys.platform}")
+
 
 class TlsConnectionOptionsTest(NativeResourceTest):
     def test_init(self):