aws · joviegas · Aug 1, 2025 · Jul 18, 2025 · Jul 19, 2025 · Jul 19, 2025
@@ -54,9 +54,10 @@
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
 import org.apache.hc.client5.http.routing.HttpRoutePlanner;
+import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.http.ClassicHttpResponse;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpEntity;
@@ -453,12 +454,15 @@ public interface Builder extends SdkHttpClient.Builder<Apache5HttpClient.Builder
         Builder dnsResolver(DnsResolver dnsResolver);
 
         /**
-         * Configuration that defines a custom Socket factory. If set to a null value, a default factory is used.
-         * <p>
-         * When set to a non-null value, the use of a custom factory implies the configuration options TRUST_ALL_CERTIFICATES,
-         * TLS_TRUST_MANAGERS_PROVIDER, and TLS_KEY_MANAGERS_PROVIDER are ignored.
+         * Configure a custom TLS strategy for SSL/TLS connections.
+         * This is the preferred method over the  {@link ConnectionSocketFactory)}.
+         *
+         * @param tlsSocketStrategy The TLS strategy to use for upgrading connections to TLS.
+         *                    If null, default TLS configuration will be used.
+         * @return This builder for method chaining
+
          */
-        Builder socketFactory(SSLConnectionSocketFactory socketFactory);
+        Builder tlsSocketStrategy(TlsSocketStrategy tlsSocketStrategy);
 
         /**
          * Configuration that defines an HTTP route planner that computes the route an HTTP request should take.
@@ -516,7 +520,7 @@ private static final class DefaultBuilder implements Builder {
         private HttpRoutePlanner httpRoutePlanner;
         private CredentialsProvider credentialsProvider;
         private DnsResolver dnsResolver;
-        private SSLConnectionSocketFactory socketFactory;
+        private TlsSocketStrategy tlsStrategy;
 
         private DefaultBuilder() {
         }
@@ -638,15 +642,11 @@ public void setDnsResolver(DnsResolver dnsResolver) {
         }
 
         @Override
-        public Builder socketFactory(SSLConnectionSocketFactory socketFactory) {
-            this.socketFactory = socketFactory;
+        public Builder tlsSocketStrategy(TlsSocketStrategy tlsSocketStrategy) {
+            this.tlsStrategy = tlsSocketStrategy;
             return this;
         }
 
-        public void setSocketFactory(SSLConnectionSocketFactory socketFactory) {
-            socketFactory(socketFactory);
-        }
-
         @Override
         public Builder httpRoutePlanner(HttpRoutePlanner httpRoutePlanner) {
             this.httpRoutePlanner = httpRoutePlanner;
@@ -720,13 +720,13 @@ public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
     private static class ApacheConnectionManagerFactory {
 
         public PoolingHttpClientConnectionManager create(Apache5HttpClient.DefaultBuilder configuration,
-                                                  AttributeMap standardOptions) {
-            // TODO : Deprecated method needs to be removed with new replacements
-            SSLConnectionSocketFactory sslsf = getPreferredSocketFactory(configuration, standardOptions);
+                                                 AttributeMap standardOptions) {
+
+            TlsSocketStrategy tlsStrategy = getPreferredTlsStrategy(configuration, standardOptions);
 
             PoolingHttpClientConnectionManagerBuilder builder =
                 PoolingHttpClientConnectionManagerBuilder.create()
-                                                         .setSSLSocketFactory(sslsf)
+                                                         .setTlsSocketStrategy(tlsStrategy)
                                                          .setSchemePortResolver(DefaultSchemePortResolver.INSTANCE)
                                                          .setDnsResolver(configuration.dnsResolver);
             builder.setMaxConnPerRoute(standardOptions.get(SdkHttpConfigurationOption.MAX_CONNECTIONS));
@@ -751,11 +751,13 @@ private static ConnectionConfig getConnectionConfig(AttributeMap standardOptions
             return connectionConfigBuilder.build();
         }
 
-        private SSLConnectionSocketFactory getPreferredSocketFactory(Apache5HttpClient.DefaultBuilder configuration,
-                                                                  AttributeMap standardOptions) {
-            return Optional.ofNullable(configuration.socketFactory)
-                           .orElseGet(() -> new SdkTlsSocketFactory(getSslContext(standardOptions),
-                                                                    getHostNameVerifier(standardOptions)));
+        private TlsSocketStrategy getPreferredTlsStrategy(Apache5HttpClient.DefaultBuilder configuration,
+                                                          AttributeMap standardOptions) {
+            if (configuration.tlsStrategy != null) {
+                return configuration.tlsStrategy;
+            }
+            return new SdkTlsSocketFactory(getSslContext(standardOptions),
+                                           getHostNameVerifier(standardOptions));
         }
 
 

@@ -49,7 +49,7 @@ public static HttpClientConnectionManager wrap(HttpClientConnectionManager orig)
     /**
      * Further wraps {@link LeaseRequest} to capture performance metrics.
      */
-    private static class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
+    private static final class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
 
         private InstrumentedHttpClientConnectionManager(HttpClientConnectionManager delegate) {
             super(delegate);

@@ -55,7 +55,7 @@ static LeaseRequest wrap(LeaseRequest orig) {
     /**
      * Measures the latency of {@link LeaseRequest#get(Timeout)}.
      */
-    private static class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
+    private static final class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
 
         private InstrumentedConnectionRequest(LeaseRequest delegate) {
             super(delegate);

@@ -16,50 +16,50 @@
 package software.amazon.awssdk.http.apache5.internal.conn;
 
 import java.io.IOException;
-import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.util.Arrays;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.core5.http.protocol.HttpContext;
-import org.apache.hc.core5.util.TimeValue;
 import software.amazon.awssdk.annotations.SdkInternalApi;
-import software.amazon.awssdk.http.apache5.internal.net.SdkSocket;
+import software.amazon.awssdk.http.apache5.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
 
 @SdkInternalApi
-public class SdkTlsSocketFactory extends SSLConnectionSocketFactory {
+public class SdkTlsSocketFactory extends DefaultClientTlsStrategy {
 
     private static final Logger log = Logger.loggerFor(SdkTlsSocketFactory.class);
 
     public SdkTlsSocketFactory(SSLContext sslContext, HostnameVerifier hostnameVerifier) {
         super(sslContext, hostnameVerifier);
         if (sslContext == null) {
             throw new IllegalArgumentException(
-                "sslContext must not be null. " + "Use SSLContext.getDefault() if you are unsure.");
+                "sslContext must not be null. Use SSLContext.getDefault() if you are unsure.");
         }
     }
 
     @Override
-    protected final void prepareSocket(SSLSocket socket) {
+    protected void initializeSocket(SSLSocket socket) {
+        super.initializeSocket(socket);
         log.debug(() -> String.format("socket.getSupportedProtocols(): %s, socket.getEnabledProtocols(): %s",
                                       Arrays.toString(socket.getSupportedProtocols()),
                                       Arrays.toString(socket.getEnabledProtocols())));
     }
 
     @Override
-        public Socket connectSocket(TimeValue connectTimeout,
-            Socket socket,
-            HttpHost host,
-            InetSocketAddress remoteAddress,
-            InetSocketAddress localAddress,
-            HttpContext context) throws IOException {
-        log.trace(() -> String.format("Connecting to %s:%s", remoteAddress.getAddress(), remoteAddress.getPort()));
+    public SSLSocket upgrade(Socket socket,
+                             String target,
+                             int port,
+                             Object attachment,
+                             HttpContext context) throws IOException {
+        log.trace(() -> String.format("Upgrading socket to TLS for %s:%s", target, port));
 
-        Socket connectSocket = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
-        return new SdkSocket(connectSocket);
+        SSLSocket upgradedSocket = super.upgrade(socket, target, port, attachment, context);
+
+        // Wrap the upgraded SSLSocket in SdkSSLSocket for logging
+        return new SdkSslSocket(upgradedSocket);
     }
+
 }