From 972ca3567be52ee0ec9a9fc34215a327bb8de8f2 Mon Sep 17 00:00:00 2001
From: Patrick Palmer
Date: Thu, 7 May 2026 10:49:44 +0100
Subject: [PATCH] feat: enable ML-KEM post-quantum TLS key exchange for AL2023 nginx

---
 cdk/src/assets/user-data-scripts/AL2023/nginx-conf.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cdk/src/assets/user-data-scripts/AL2023/nginx-conf.sh b/cdk/src/assets/user-data-scripts/AL2023/nginx-conf.sh
index d804695..770d130 100644
--- a/cdk/src/assets/user-data-scripts/AL2023/nginx-conf.sh
+++ b/cdk/src/assets/user-data-scripts/AL2023/nginx-conf.sh
@@ -12,7 +12,8 @@ sudo sed -i '/pid \/run\/nginx\.pid;/a\ssl_engine pkcs11;' /etc/nginx/nginx.conf
 sudo sed -i '/# Settings for a TLS enabled server./{n;:a;/^#/s///;n;ba}' /etc/nginx/nginx.conf
 sudo sed -i '/server_name/c\ server_name DOMAIN_NAME_PLACEHOLDER;' /etc/nginx/nginx.conf
 sudo sed -i '/ssl_certificate/d; /ssl_certificate_key/d; /ssl_ciphers/d' /etc/nginx/nginx.conf
-sudo sed -i '/ssl_session_timeout/a\ ssl_protocols TLSv1.2;' /etc/nginx/nginx.conf
+sudo sed -i '/ssl_session_timeout/a\ ssl_protocols TLSv1.2 TLSv1.3;' /etc/nginx/nginx.conf
+sudo sed -i '/ssl_protocols/a\ ssl_conf_command Groups X25519MLKEM768:x25519:secp256r1;' /etc/nginx/nginx.conf
 sudo sed -i '/# Load configuration files for the default server block./a\ include "/etc/pki/nginx/nginx-acm.conf";' /etc/nginx/nginx.conf
 
 # Edit the OpenSSL configuration in /etc/pki/tls/openssl.cnf through /etc/pki/tls/openssl.d/openssl-acm.cnf
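Review bot: The added `ssl_conf_command Groups X25519MLKEM768:x25519:secp256r1;` line makes nginx refuse to load its configuration on any build whose OpenSSL does not know the X25519MLKEM768 group, and nothing in this script checks for that: `ssl_conf_command` needs nginx 1.19.4+ and the ML-KEM hybrid group needs OpenSSL 3.5+, so unless the AL2023 nginx/OpenSSL pair is known to satisfy both, the script should verify before depending on it. A cheap guard after the sed lines is `sudo nginx -t || exit 1`, so a bad configuration fails provisioning visibly in the user-data log instead of leaving the instance with nginx down; a stricter variant gates the insert on `openssl list -kem-algorithms | grep -qi ML-KEM`. Two sed details deserve a comment on the new line: the `/ssl_protocols/` address assumes the preceding line inserted exactly one `ssl_protocols` directive, and re-running the script appends duplicate directives (the same pattern the existing `ssl_session_timeout` insert already has). The `ssl_engine pkcs11;` visible in the hunk header relies on the OpenSSL ENGINE API, which OpenSSL 3.x deprecates; whether that engine and a provider-based ML-KEM build coexist on the target image is worth confirming rather than assuming.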