aws
diff --git a/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/Apache5HttpClient.java
Lines changed: 52 additions & 13 deletions b/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/Apache5HttpClient.java
Lines changed: 52 additions & 13 deletions
diff --git a/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/ClientConnectionManagerFactory.java
Lines changed: 1 addition & 1 deletion b/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/ClientConnectionManagerFactory.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/ClientConnectionRequestFactory.java
Lines changed: 1 addition & 1 deletion b/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/ClientConnectionRequestFactory.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/SdkTlsSocketFactory.java
Lines changed: 17 additions & 12 deletions b/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/SdkTlsSocketFactory.java
Lines changed: 17 additions & 12 deletions
diff --git a/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/SslSocketFactoryToTlsStrategyAdapter.java
Lines changed: 46 additions & 0 deletions b/‎http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/conn/SslSocketFactoryToTlsStrategyAdapter.java
Lines changed: 46 additions & 0 deletions
@@ -56,6 +56,7 @@
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.http.ClassicHttpResponse;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpEntity;
@@ -88,6 +89,7 @@
 import software.amazon.awssdk.http.apache5.internal.SdkProxyRoutePlanner;
 import software.amazon.awssdk.http.apache5.internal.conn.ClientConnectionManagerFactory;
 import software.amazon.awssdk.http.apache5.internal.conn.IdleConnectionReaper;
+import software.amazon.awssdk.http.apache5.internal.conn.SslSocketFactoryToTlsStrategyAdapter;
 import software.amazon.awssdk.http.apache5.internal.conn.SdkConnectionKeepAliveStrategy;
 import software.amazon.awssdk.http.apache5.internal.conn.SdkTlsSocketFactory;
 import software.amazon.awssdk.http.apache5.internal.impl.Apache5HttpRequestFactory;
@@ -457,8 +459,12 @@ public interface Builder extends SdkHttpClient.Builder<Apache5HttpClient.Builder
          * When set to a non-null value, the use of a custom factory implies the configuration options TRUST_ALL_CERTIFICATES,
          * TLS_TRUST_MANAGERS_PROVIDER, and TLS_KEY_MANAGERS_PROVIDER are ignored.
          */
+        @Deprecated
         Builder socketFactory(SSLConnectionSocketFactory socketFactory);
 
+
+        Builder tlsStrategy(TlsSocketStrategy tlsStrategy);
+
         /**
          * Configuration that defines an HTTP route planner that computes the route an HTTP request should take.
          * May not be used in conjunction with {@link #proxyConfiguration(ProxyConfiguration)}.
@@ -515,7 +521,8 @@ private static final class DefaultBuilder implements Builder {
         private HttpRoutePlanner httpRoutePlanner;
         private CredentialsProvider credentialsProvider;
         private DnsResolver dnsResolver;
-        private SSLConnectionSocketFactory socketFactory;
+        private SSLConnectionSocketFactory legacySocketFactory;
+        private TlsSocketStrategy tlsStrategy;
 
         private DefaultBuilder() {
         }
@@ -638,12 +645,23 @@ public void setDnsResolver(DnsResolver dnsResolver) {
 
         @Override
         public Builder socketFactory(SSLConnectionSocketFactory socketFactory) {
-            this.socketFactory = socketFactory;
+            log.warn(() -> "SSLConnectionSocketFactory is deprecated. Consider migrating to tlsStrategy().");
+            this.legacySocketFactory = socketFactory;
+            this.tlsStrategy = null; // Clear any previously set strategy
             return this;
         }
 
-        public void setSocketFactory(SSLConnectionSocketFactory socketFactory) {
-            socketFactory(socketFactory);
+        @Override
+        public Builder tlsStrategy(TlsSocketStrategy tlsStrategy) {
+            this.tlsStrategy = tlsStrategy;
+            this.legacySocketFactory = null; // Clear any legacy factory
+            return this;
+        }
+
+
+
+        public void setLegacySocketFactory(SSLConnectionSocketFactory legacySocketFactory) {
+            socketFactory(legacySocketFactory);
         }
 
         @Override
@@ -714,20 +732,36 @@ public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
                 SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS);
             return new Apache5HttpClient(this, resolvedOptions);
         }
+
+        // Internal method to get the effective TLS strategy
+
+        TlsSocketStrategy getEffectiveTlsStrategy() {
+            if (tlsStrategy != null) {
+                return tlsStrategy;
+            }
+            if (legacySocketFactory != null) {
+                return new SslSocketFactoryToTlsStrategyAdapter(legacySocketFactory);
+            }
+            return null;
+        }
+
+
     }
 
     private static class ApacheConnectionManagerFactory {
 
         public PoolingHttpClientConnectionManager create(Apache5HttpClient.DefaultBuilder configuration,
-                                                  AttributeMap standardOptions) {
-            // TODO : Deprecated method needs to be removed with new replacements
-            SSLConnectionSocketFactory sslsf = getPreferredSocketFactory(configuration, standardOptions);
+                                                 AttributeMap standardOptions) {
+
+            TlsSocketStrategy tlsStrategy = getPreferredTlsStrategy(configuration, standardOptions);
 
             PoolingHttpClientConnectionManagerBuilder builder =
                 PoolingHttpClientConnectionManagerBuilder.create()
-                                                         .setSSLSocketFactory(sslsf)
+                                                         .setTlsSocketStrategy(tlsStrategy)
                                                          .setSchemePortResolver(DefaultSchemePortResolver.INSTANCE)
                                                          .setDnsResolver(configuration.dnsResolver);
+
+
             Duration connectionTtl = standardOptions.get(SdkHttpConfigurationOption.CONNECTION_TIME_TO_LIVE);
             if (!connectionTtl.isZero()) {
                 // Skip TTL=0 to maintain backward compatibility (infinite in 4.x vs immediate expiration in 5.x)
@@ -739,11 +773,15 @@ public PoolingHttpClientConnectionManager create(Apache5HttpClient.DefaultBuilde
             return builder.build();
         }
 
-        private SSLConnectionSocketFactory getPreferredSocketFactory(Apache5HttpClient.DefaultBuilder configuration,
-                                                                  AttributeMap standardOptions) {
-            return Optional.ofNullable(configuration.socketFactory)
-                           .orElseGet(() -> new SdkTlsSocketFactory(getSslContext(standardOptions),
-                                                                    getHostNameVerifier(standardOptions)));
+        private TlsSocketStrategy getPreferredTlsStrategy(Apache5HttpClient.DefaultBuilder configuration,
+                                                          AttributeMap standardOptions) {
+            // Use the effective strategy which handles both legacy and new approaches
+            TlsSocketStrategy configuredStrategy = configuration.getEffectiveTlsStrategy();
+            if (configuredStrategy != null) {
+                return configuredStrategy;
+            }
+            return new SdkTlsSocketFactory(getSslContext(standardOptions),
+                                           getHostNameVerifier(standardOptions));
         }
 
 
@@ -815,6 +853,7 @@ private SocketConfig buildSocketConfig(AttributeMap standardOptions) {
                                .build();
         }
 
+
     }
 
     private static class LocalAddressRoutePlanner extends DefaultRoutePlanner {
 
@@ -49,7 +49,7 @@ public static HttpClientConnectionManager wrap(HttpClientConnectionManager orig)
     /**
      * Further wraps {@link LeaseRequest} to capture performance metrics.
      */
-    private static class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
+    private static final class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
 
         private InstrumentedHttpClientConnectionManager(HttpClientConnectionManager delegate) {
             super(delegate);
 
@@ -55,7 +55,7 @@ static LeaseRequest wrap(LeaseRequest orig) {
     /**
      * Measures the latency of {@link LeaseRequest#get(Timeout)}.
      */
-    private static class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
+    private static final class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
 
         private InstrumentedConnectionRequest(LeaseRequest delegate) {
             super(delegate);
 
@@ -22,44 +22,49 @@
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.util.TimeValue;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.apache5.internal.net.SdkSocket;
+import software.amazon.awssdk.http.apache5.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
 
 @SdkInternalApi
-public class SdkTlsSocketFactory extends SSLConnectionSocketFactory {
+public class SdkTlsSocketFactory extends DefaultClientTlsStrategy {
 
     private static final Logger log = Logger.loggerFor(SdkTlsSocketFactory.class);
 
     public SdkTlsSocketFactory(SSLContext sslContext, HostnameVerifier hostnameVerifier) {
         super(sslContext, hostnameVerifier);
         if (sslContext == null) {
             throw new IllegalArgumentException(
-                "sslContext must not be null. " + "Use SSLContext.getDefault() if you are unsure.");
+                "sslContext must not be null. Use SSLContext.getDefault() if you are unsure.");
         }
     }
 
     @Override
-    protected final void prepareSocket(SSLSocket socket) {
+    protected void initializeSocket(SSLSocket socket) {
+        super.initializeSocket(socket);
         log.debug(() -> String.format("socket.getSupportedProtocols(): %s, socket.getEnabledProtocols(): %s",
                                       Arrays.toString(socket.getSupportedProtocols()),
                                       Arrays.toString(socket.getEnabledProtocols())));
     }
 
     @Override
-        public Socket connectSocket(TimeValue connectTimeout,
-            Socket socket,
-            HttpHost host,
-            InetSocketAddress remoteAddress,
-            InetSocketAddress localAddress,
-            HttpContext context) throws IOException {
-        log.trace(() -> String.format("Connecting to %s:%s", remoteAddress.getAddress(), remoteAddress.getPort()));
+    public SSLSocket upgrade(Socket socket,
+                             String target,
+                             int port,
+                             Object attachment,
+                             HttpContext context) throws IOException {
+        log.trace(() -> String.format("Upgrading socket to TLS for %s:%s", target, port));
 
-        Socket connectSocket = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
-        return new SdkSocket(connectSocket);
+        SSLSocket upgradedSocket = super.upgrade(socket, target, port, attachment, context);
+
+        // Wrap the upgraded SSLSocket in SdkSSLSocket for logging
+        return new SdkSslSocket(upgradedSocket);
     }
+
 }
@@ -0,0 +1,46 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.apache5.internal.conn;
+
+import java.io.IOException;
+import java.net.Socket;
+import javax.net.ssl.SSLSocket;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
+import org.apache.hc.core5.http.protocol.HttpContext;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+
+/**
+ * Adapter to wrap legacy SSLConnectionSocketFactory as TlsSocketStrategy
+ */
+@SdkInternalApi
+public class SslSocketFactoryToTlsStrategyAdapter implements TlsSocketStrategy {
+
+    private final SSLConnectionSocketFactory legacySocketFactory;
+
+    public SslSocketFactoryToTlsStrategyAdapter(SSLConnectionSocketFactory legacySocketFactory) {
+        this.legacySocketFactory = legacySocketFactory;
+    }
+
+    @Override
+    public SSLSocket upgrade(Socket socket,
+                             String target,
+                             int port,
+                             Object attachment,
+                             HttpContext context) throws IOException {
+        return (SSLSocket) legacySocketFactory.createLayeredSocket(socket, target, port, context);
+    }
+}