aws · joviegas · Aug 5, 2025 · Apr 30, 2025 · May 6, 2025 · May 22, 2025
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Apache HTTP Client 5",
+    "contributor": "",
+    "description": "Replace deprecated APIs from Apache HttpClient 5.5.x with corresponding recommended APIs"
+}
@@ -39,11 +39,13 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
+import org.apache.hc.client5.http.ClientProtocolException;
 import org.apache.hc.client5.http.ConnectionKeepAliveStrategy;
 import org.apache.hc.client5.http.DnsResolver;
 import org.apache.hc.client5.http.auth.AuthSchemeFactory;
 import org.apache.hc.client5.http.auth.CredentialsProvider;
 import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
+import org.apache.hc.client5.http.config.ConnectionConfig;
 import org.apache.hc.client5.http.impl.DefaultSchemePortResolver;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
@@ -53,9 +55,11 @@
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
 import org.apache.hc.client5.http.routing.HttpRoutePlanner;
+import org.apache.hc.client5.http.routing.RoutingSupport;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
+import org.apache.hc.core5.http.ClassicHttpRequest;
 import org.apache.hc.core5.http.ClassicHttpResponse;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpEntity;
@@ -70,6 +74,7 @@
 import org.apache.hc.core5.pool.PoolStats;
 import org.apache.hc.core5.ssl.SSLInitializationException;
 import org.apache.hc.core5.util.TimeValue;
+import org.apache.hc.core5.util.Timeout;
 import software.amazon.awssdk.annotations.SdkPreviewApi;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.annotations.SdkTestInternalApi;
@@ -285,14 +290,25 @@ private HttpExecuteResponse execute(HttpUriRequestBase apacheRequest, MetricColl
         HttpClientContext localRequestContext = Apache5Utils.newClientContext(requestConfig.proxyConfiguration());
         THREAD_LOCAL_REQUEST_METRIC_COLLECTOR.set(metricCollector);
         try {
-            HttpResponse httpResponse = httpClient.execute(apacheRequest, localRequestContext);
-            // Create a connection-aware input stream that closes the response when closed
+            HttpHost target = determineTarget(apacheRequest);
+            ClassicHttpResponse httpResponse = httpClient.executeOpen(target, apacheRequest, localRequestContext);
             return createResponse(httpResponse, apacheRequest);
         } finally {
             THREAD_LOCAL_REQUEST_METRIC_COLLECTOR.remove();
         }
     }
 
+    /**
+     * Determines the target host from the request using Apache HttpClient's official routing support utility.
+     */
+    private static HttpHost determineTarget(ClassicHttpRequest request) throws IOException {
+        try {
+            return RoutingSupport.determineHost(request);
+        } catch (HttpException ex) {
+            throw new ClientProtocolException(ex);
+        }
+    }
+
     private HttpUriRequestBase toApacheRequest(HttpExecuteRequest request) {
         return apacheHttpRequestFactory.create(request, requestConfig);
     }
@@ -355,7 +371,6 @@ private Apache5HttpRequestConfig createRequestConfig(DefaultBuilder builder,
                                                          AttributeMap resolvedOptions) {
         return Apache5HttpRequestConfig.builder()
                                        .socketTimeout(resolvedOptions.get(SdkHttpConfigurationOption.READ_TIMEOUT))
-                                       .connectionTimeout(resolvedOptions.get(SdkHttpConfigurationOption.CONNECTION_TIMEOUT))
                                        .connectionAcquireTimeout(
                                           resolvedOptions.get(SdkHttpConfigurationOption.CONNECTION_ACQUIRE_TIMEOUT))
                                        .proxyConfiguration(builder.proxyConfiguration)
@@ -464,12 +479,15 @@ public interface Builder extends SdkHttpClient.Builder<Apache5HttpClient.Builder
         Builder dnsResolver(DnsResolver dnsResolver);
 
         /**
-         * Configuration that defines a custom Socket factory. If set to a null value, a default factory is used.
-         * <p>
-         * When set to a non-null value, the use of a custom factory implies the configuration options TRUST_ALL_CERTIFICATES,
-         * TLS_TRUST_MANAGERS_PROVIDER, and TLS_KEY_MANAGERS_PROVIDER are ignored.
+         * Configure a custom TLS strategy for SSL/TLS connections.
+         * This is the preferred method over the ConnectionSocketFactory.
+         *
+         * @param tlsSocketStrategy The TLS strategy to use for upgrading connections to TLS.
+         *                    If null, default TLS configuration will be used.
+         * @return This builder for method chaining
+
          */
-        Builder socketFactory(SSLConnectionSocketFactory socketFactory);
+        Builder tlsSocketStrategy(TlsSocketStrategy tlsSocketStrategy);
 
         /**
          * Configuration that defines an HTTP route planner that computes the route an HTTP request should take.
@@ -527,7 +545,7 @@ private static final class DefaultBuilder implements Builder {
         private HttpRoutePlanner httpRoutePlanner;
         private CredentialsProvider credentialsProvider;
         private DnsResolver dnsResolver;
-        private SSLConnectionSocketFactory socketFactory;
+        private TlsSocketStrategy tlsStrategy;
 
         private DefaultBuilder() {
         }
@@ -649,15 +667,11 @@ public void setDnsResolver(DnsResolver dnsResolver) {
         }
 
         @Override
-        public Builder socketFactory(SSLConnectionSocketFactory socketFactory) {
-            this.socketFactory = socketFactory;
+        public Builder tlsSocketStrategy(TlsSocketStrategy tlsSocketStrategy) {
+            this.tlsStrategy = tlsSocketStrategy;
             return this;
         }
 
-        public void setSocketFactory(SSLConnectionSocketFactory socketFactory) {
-            socketFactory(socketFactory);
-        }
-
         @Override
         public Builder httpRoutePlanner(HttpRoutePlanner httpRoutePlanner) {
             this.httpRoutePlanner = httpRoutePlanner;
@@ -731,31 +745,44 @@ public SdkHttpClient buildWithDefaults(AttributeMap serviceDefaults) {
     private static class ApacheConnectionManagerFactory {
 
         public PoolingHttpClientConnectionManager create(Apache5HttpClient.DefaultBuilder configuration,
-                                                  AttributeMap standardOptions) {
-            // TODO : Deprecated method needs to be removed with new replacements
-            SSLConnectionSocketFactory sslsf = getPreferredSocketFactory(configuration, standardOptions);
+                                                 AttributeMap standardOptions) {
+
+            TlsSocketStrategy tlsStrategy = getPreferredTlsStrategy(configuration, standardOptions);
 
             PoolingHttpClientConnectionManagerBuilder builder =
                 PoolingHttpClientConnectionManagerBuilder.create()
-                                                         .setSSLSocketFactory(sslsf)
+                                                         .setTlsSocketStrategy(tlsStrategy)
                                                          .setSchemePortResolver(DefaultSchemePortResolver.INSTANCE)
                                                          .setDnsResolver(configuration.dnsResolver);
-            Duration connectionTtl = standardOptions.get(SdkHttpConfigurationOption.CONNECTION_TIME_TO_LIVE);
-            if (!connectionTtl.isZero()) {
-                // Skip TTL=0 to maintain backward compatibility (infinite in 4.x vs immediate expiration in 5.x)
-                builder.setConnectionTimeToLive(TimeValue.of(connectionTtl.toMillis(), TimeUnit.MILLISECONDS));
-            }
             builder.setMaxConnPerRoute(standardOptions.get(SdkHttpConfigurationOption.MAX_CONNECTIONS));
             builder.setMaxConnTotal(standardOptions.get(SdkHttpConfigurationOption.MAX_CONNECTIONS));
             builder.setDefaultSocketConfig(buildSocketConfig(standardOptions));
+            builder.setDefaultConnectionConfig(getConnectionConfig(standardOptions));
             return builder.build();
         }
 
-        private SSLConnectionSocketFactory getPreferredSocketFactory(Apache5HttpClient.DefaultBuilder configuration,
-                                                                  AttributeMap standardOptions) {
-            return Optional.ofNullable(configuration.socketFactory)
-                           .orElseGet(() -> new SdkTlsSocketFactory(getSslContext(standardOptions),
-                                                                    getHostNameVerifier(standardOptions)));
+        private static ConnectionConfig getConnectionConfig(AttributeMap standardOptions) {
+            ConnectionConfig.Builder connectionConfigBuilder =
+                ConnectionConfig.custom()
+                                .setConnectTimeout(Timeout.ofMilliseconds(
+                                    standardOptions.get(SdkHttpConfigurationOption.CONNECTION_TIMEOUT).toMillis()))
+                                .setSocketTimeout(Timeout.ofMilliseconds(
+                                    standardOptions.get(SdkHttpConfigurationOption.READ_TIMEOUT).toMillis()));
+            Duration connectionTtl = standardOptions.get(SdkHttpConfigurationOption.CONNECTION_TIME_TO_LIVE);
+            if (!connectionTtl.isZero()) {
+                // Skip TTL=0 to maintain backward compatibility (infinite in 4.x vs immediate expiration in 5.x)
+                connectionConfigBuilder.setTimeToLive(TimeValue.ofMilliseconds(connectionTtl.toMillis()));
+            }
+            return connectionConfigBuilder.build();
+        }
+
+        private TlsSocketStrategy getPreferredTlsStrategy(Apache5HttpClient.DefaultBuilder configuration,
+                                                          AttributeMap standardOptions) {
+            if (configuration.tlsStrategy != null) {
+                return configuration.tlsStrategy;
+            }
+            return new SdkTlsSocketFactory(getSslContext(standardOptions),
+                                           getHostNameVerifier(standardOptions));
         }
 
 

@@ -27,14 +27,12 @@
 public final class Apache5HttpRequestConfig {
 
     private final Duration socketTimeout;
-    private final Duration connectionTimeout;
     private final Duration connectionAcquireTimeout;
     private final boolean expectContinueEnabled;
     private final ProxyConfiguration proxyConfiguration;
 
     private Apache5HttpRequestConfig(Builder builder) {
         this.socketTimeout = builder.socketTimeout;
-        this.connectionTimeout = builder.connectionTimeout;
         this.connectionAcquireTimeout = builder.connectionAcquireTimeout;
         this.expectContinueEnabled = builder.expectContinueEnabled;
         this.proxyConfiguration = builder.proxyConfiguration;
@@ -44,10 +42,6 @@ public Duration socketTimeout() {
         return socketTimeout;
     }
 
-    public Duration connectionTimeout() {
-        return connectionTimeout;
-    }
-
     public Duration connectionAcquireTimeout() {
         return connectionAcquireTimeout;
     }
@@ -73,7 +67,6 @@ public static Builder builder() {
     public static final class Builder {
 
         private Duration socketTimeout;
-        private Duration connectionTimeout;
         private Duration connectionAcquireTimeout;
         private boolean expectContinueEnabled;
         private ProxyConfiguration proxyConfiguration;
@@ -86,11 +79,6 @@ public Builder socketTimeout(Duration socketTimeout) {
             return this;
         }
 
-        public Builder connectionTimeout(Duration connectionTimeout) {
-            this.connectionTimeout = connectionTimeout;
-            return this;
-        }
-
         public Builder connectionAcquireTimeout(Duration connectionAcquireTimeout) {
             this.connectionAcquireTimeout = connectionAcquireTimeout;
             return this;

@@ -49,7 +49,7 @@ public static HttpClientConnectionManager wrap(HttpClientConnectionManager orig)
     /**
      * Further wraps {@link LeaseRequest} to capture performance metrics.
      */
-    private static class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
+    private static final class InstrumentedHttpClientConnectionManager extends DelegatingHttpClientConnectionManager {
 
         private InstrumentedHttpClientConnectionManager(HttpClientConnectionManager delegate) {
             super(delegate);

@@ -55,7 +55,7 @@ static LeaseRequest wrap(LeaseRequest orig) {
     /**
      * Measures the latency of {@link LeaseRequest#get(Timeout)}.
      */
-    private static class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
+    private static final class InstrumentedConnectionRequest extends DelegatingConnectionRequest {
 
         private InstrumentedConnectionRequest(LeaseRequest delegate) {
             super(delegate);

@@ -16,50 +16,50 @@
 package software.amazon.awssdk.http.apache5.internal.conn;
 
 import java.io.IOException;
-import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.util.Arrays;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.core5.http.protocol.HttpContext;
-import org.apache.hc.core5.util.TimeValue;
 import software.amazon.awssdk.annotations.SdkInternalApi;
-import software.amazon.awssdk.http.apache5.internal.net.SdkSocket;
+import software.amazon.awssdk.http.apache5.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
 
 @SdkInternalApi
-public class SdkTlsSocketFactory extends SSLConnectionSocketFactory {
+public class SdkTlsSocketFactory extends DefaultClientTlsStrategy {
 
     private static final Logger log = Logger.loggerFor(SdkTlsSocketFactory.class);
 
     public SdkTlsSocketFactory(SSLContext sslContext, HostnameVerifier hostnameVerifier) {
         super(sslContext, hostnameVerifier);
         if (sslContext == null) {
             throw new IllegalArgumentException(
-                "sslContext must not be null. " + "Use SSLContext.getDefault() if you are unsure.");
+                "sslContext must not be null. Use SSLContext.getDefault() if you are unsure.");
         }
     }
 
     @Override
-    protected final void prepareSocket(SSLSocket socket) {
+    protected void initializeSocket(SSLSocket socket) {
+        super.initializeSocket(socket);
         log.debug(() -> String.format("socket.getSupportedProtocols(): %s, socket.getEnabledProtocols(): %s",
                                       Arrays.toString(socket.getSupportedProtocols()),
                                       Arrays.toString(socket.getEnabledProtocols())));
     }
 
     @Override
-        public Socket connectSocket(TimeValue connectTimeout,
-            Socket socket,
-            HttpHost host,
-            InetSocketAddress remoteAddress,
-            InetSocketAddress localAddress,
-            HttpContext context) throws IOException {
-        log.trace(() -> String.format("Connecting to %s:%s", remoteAddress.getAddress(), remoteAddress.getPort()));
+    public SSLSocket upgrade(Socket socket,
+                             String target,
+                             int port,
+                             Object attachment,
+                             HttpContext context) throws IOException {
+        log.trace(() -> String.format("Upgrading socket to TLS for %s:%s", target, port));
 
-        Socket connectSocket = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
-        return new SdkSocket(connectSocket);
+        SSLSocket upgradedSocket = super.upgrade(socket, target, port, attachment, context);
+
+        // Wrap the upgraded SSLSocket in SdkSSLSocket for logging
+        return new SdkSslSocket(upgradedSocket);
     }
+
 }
@@ -52,7 +52,7 @@ public class Apache5HttpRequestFactory {
     private static final List<String> IGNORE_HEADERS = Arrays.asList(HttpHeaders.CONTENT_LENGTH, HttpHeaders.HOST,
                                                                      HttpHeaders.TRANSFER_ENCODING);
 
-    public HttpUriRequestBase create(final HttpExecuteRequest request, final Apache5HttpRequestConfig requestConfig) {
+    public HttpUriRequestBase create(HttpExecuteRequest request, Apache5HttpRequestConfig requestConfig) {
         HttpUriRequestBase base = createApacheRequest(request, sanitizeUri(request.httpRequest()));
         addHeadersToRequest(base, request.httpRequest());
         addRequestConfig(base, request.httpRequest(), requestConfig);
@@ -90,12 +90,10 @@ private URI sanitizeUri(SdkHttpRequest request) {
     private void addRequestConfig(HttpUriRequestBase base,
                                   SdkHttpRequest request,
                                   Apache5HttpRequestConfig requestConfig) {
-        int connectTimeout = saturatedCast(requestConfig.connectionTimeout().toMillis());
         int connectAcquireTimeout = saturatedCast(requestConfig.connectionAcquireTimeout().toMillis());
         RequestConfig.Builder requestConfigBuilder = RequestConfig
             .custom()
             .setConnectionRequestTimeout(connectAcquireTimeout, TimeUnit.MILLISECONDS)
-            .setConnectTimeout(connectTimeout, TimeUnit.MILLISECONDS)
             .setResponseTimeout(saturatedCast(requestConfig.socketTimeout().toMillis()), TimeUnit.MILLISECONDS);
 
         /*

@@ -65,6 +65,11 @@ public ClassicHttpResponse execute(HttpHost target, ClassicHttpRequest request)
         return delegate.execute(target, request);
     }
 
+    @Override
+    public ClassicHttpResponse executeOpen(HttpHost target, ClassicHttpRequest request, HttpContext context) throws IOException {
+        return delegate.executeOpen(target, request, context);
+    }
+
     @Override
     public HttpResponse execute(HttpHost target, ClassicHttpRequest request, HttpContext context) throws IOException {
         return delegate.execute(target, request, context);