validate TlsCipherPref

xiazhvera · xiazhvera · commit 79284940cd3e · 2025-11-21T14:02:26.000-08:00
diff --git a/awsiot/mqtt5_client_builder.py b/awsiot/mqtt5_client_builder.py
@@ -248,6 +248,8 @@ def _builder(
         cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
+    assert isinstance(cipher_pref, awscrt.io.TlsCipherPref)
+
     username = _get(kwargs, 'username', '')
     if _get(kwargs, 'enable_metrics_collection', True):
         username += _get_metrics_str(username)
@@ -348,8 +350,7 @@ def _builder(
     elif ca_filepath or ca_dirpath:
         tls_ctx_options.override_default_trust_store_from_path(ca_dirpath, ca_filepath)
 
-    if cipher_pref is not None:
-        tls_ctx_options.cipher_pref = cipher_pref
+    tls_ctx_options.cipher_pref = cipher_pref
 
     if client_options.port is None:
         # prefer 443, even for direct MQTT connections, since it's less likely to be blocked by firewalls
diff --git a/awsiot/mqtt_connection_builder.py b/awsiot/mqtt_connection_builder.py
@@ -186,6 +186,8 @@ def _builder(
         cipher_pref=awscrt.io.TlsCipherPref.DEFAULT,
         **kwargs):
 
+    assert isinstance(cipher_pref, awscrt.io.TlsCipherPref)
+
     ca_bytes = _get(kwargs, 'ca_bytes')
     ca_filepath = _get(kwargs, 'ca_filepath')
     ca_dirpath = _get(kwargs, 'ca_dirpath')
@@ -205,8 +207,7 @@ def _builder(
     if port == 443 and awscrt.io.is_alpn_available() and use_custom_authorizer is False:
         tls_ctx_options.alpn_list = ['http/1.1'] if use_websockets else ['x-amzn-mqtt-ca']
 
-    if cipher_pref != awscrt.io.TlsCipherPref.DEFAULT:
-        tls_ctx_options.cipher_pref = cipher_pref
+    tls_ctx_options.cipher_pref = cipher_pref
 
     socket_options = awscrt.io.SocketOptions()
     socket_options.connect_timeout_ms = _get(kwargs, 'tcp_connect_timeout_ms', 5000)
