Fix h2 connections to use config values (#3214)

Author: mullermp

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,9 @@
 Unreleased Changes
 ------------------
 
+* Issue - Enable ALPN over TLS for H2 Connection by default.
+* Issue - Fix HTTP-2 connections to properly use config values configured on the client.
+
 3.220.2 (2025-03-20)
 ------------------
 

gems/aws-sdk-core/lib/seahorse/client/async_base.rb

@@ -3,18 +3,17 @@
 module Seahorse
   module Client
     class AsyncBase < Seahorse::Client::Base
-
       # default H2 plugins
       # @api private
       @plugins = PluginList.new([
         Plugins::Endpoint,
         Plugins::H2,
         Plugins::ResponseTarget
       ])
+
       def initialize(plugins, options)
-        super
-        @connection = H2::Connection.new(options)
-        @options = options
+        super(plugins, options)
+        @connection = H2::Connection.new(@config)
       end
 
       # @return [H2::Connection]
@@ -36,7 +35,7 @@ def close_connection
       # @return [Seahorse::Client::H2::Connection]
       def new_connection
         if @connection.closed?
-          @connection = H2::Connection.new(@options)
+          @connection = H2::Connection.new(@config)
         else
           @connection
         end

gems/aws-sdk-core/lib/seahorse/client/h2/connection.rb

@@ -10,13 +10,8 @@ module Seahorse
   module Client
     # @api private
     module H2
-
       # H2 Connection build on top of `http/2` gem
-      # (requires Ruby >= 2.1)
-      # with TLS layer plus ALPN, requires:
-      # Ruby >= 2.3 and OpenSSL >= 1.0.2
       class Connection
-
         OPTIONS = {
           max_concurrent_streams: 100,
           connection_timeout: 60,
@@ -27,7 +22,7 @@ class Connection
           ssl_ca_bundle: nil,
           ssl_ca_directory: nil,
           ssl_ca_store: nil,
-          enable_alpn: false
+          enable_alpn: true
         }
 
         # chunk read size at socket
@@ -41,25 +36,23 @@ def initialize(options = {})
             instance_variable_set("@#{opt_name}", value)
           end
           @h2_client = HTTP2::Client.new(
-            settings_max_concurrent_streams: max_concurrent_streams
+            settings_max_concurrent_streams: @max_concurrent_streams
           )
-          @logger = if @http_wire_trace
-            options[:logger] || Logger.new($stdout)
-          end
+          @logger ||= Logger.new($stdout) if @http_wire_trace
           @chunk_size = options[:read_chunk_size] || CHUNKSIZE
+
           @errors = []
           @status = :ready
+
           @mutex = Mutex.new # connection can be shared across requests
           @socket = nil
           @socket_thread = nil
         end
 
         OPTIONS.keys.each do |attr_name|
-          attr_reader(attr_name)
+          attr_reader attr_name
         end
 
-        alias ssl_verify_peer? ssl_verify_peer
-
         attr_reader :errors
 
         attr_accessor :input_signal_thread
@@ -112,7 +105,7 @@ def start(stream)
                   @h2_client << data
                 rescue IO::WaitReadable
                   begin
-                    unless IO.select([@socket], nil, nil, connection_read_timeout)
+                    unless IO.select([@socket], nil, nil, @connection_read_timeout)
                       self.debug_output('socket connection read time out')
                       self.close!
                     else
@@ -154,11 +147,11 @@ def closed?
         end
 
         def debug_output(msg, type = nil)
-          prefix = case type
+          prefix =
+            case type
             when :send then '-> '
             when :receive then '<- '
-            else
-              ''
+            else ''
             end
           return unless @logger
           _debug_entry(prefix + msg)
@@ -206,7 +199,7 @@ def _nonblocking_connect(tcp, addr)
           begin
             tcp.connect_nonblock(addr)
           rescue IO::WaitWritable
-            unless IO.select(nil, [tcp], nil, connection_timeout)
+            unless IO.select(nil, [tcp], nil, @connection_timeout)
               tcp.close
               raise
             end
@@ -220,31 +213,28 @@ def _nonblocking_connect(tcp, addr)
 
         def _tls_context
           ssl_ctx = OpenSSL::SSL::SSLContext.new(:TLSv1_2)
-          if ssl_verify_peer?
+          if @ssl_verify_peer
             ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
-            ssl_ctx.ca_file = ssl_ca_bundle ? ssl_ca_bundle : _default_ca_bundle
-            ssl_ctx.ca_path = ssl_ca_directory ? ssl_ca_directory : _default_ca_directory
-            ssl_ctx.cert_store = ssl_ca_store if ssl_ca_store
+            ssl_ctx.ca_file = @ssl_ca_bundle || _default_ca_bundle
+            ssl_ctx.ca_path = @ssl_ca_directory || _defalt_ca_directory
+            ssl_ctx.cert_store = @ssl_ca_store if @ssl_ca_store
           else
             ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
           end
-          if enable_alpn
+          if @enable_alpn
             debug_output('enabling ALPN for TLS ...')
             ssl_ctx.alpn_protocols = ['h2']
           end
           ssl_ctx
         end
 
         def _default_ca_bundle
-          File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE) ?
-            OpenSSL::X509::DEFAULT_CERT_FILE : nil
+          OpenSSL::X509::DEFAULT_CERT_FILE if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
         end
 
-        def _default_ca_directory
-          Dir.exist?(OpenSSL::X509::DEFAULT_CERT_DIR) ?
-            OpenSSL::X509::DEFAULT_CERT_DIR : nil
+        def _defalt_ca_directory
+          OpenSSL::X509::DEFAULT_CERT_DIR if Dir.exist?(OpenSSL::X509::DEFAULT_CERT_DIR)
         end
-
       end
     end
   end

gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb

@@ -5278,7 +5278,7 @@ def get_configuration_policy(params = {}, options = {})
     #   resp.to_h outputs the following:
     #   {
     #     association_status: "FAILED", 
-    #     association_status_message: "Configuration Policy a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 couldn\u2019t be applied to account 111122223333 in us-east-1 Region. Retry your request.", 
+    #     association_status_message: "Configuration Policy a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 couldn’t be applied to account 111122223333 in us-east-1 Region. Retry your request.", 
     #     association_type: "INHERITED", 
     #     configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
     #     target_id: "111122223333",