Fix Elasticsearch REST client's SSL configuration

See gh-46061

Author: wilkinsona

module/spring-boot-elasticsearch/src/main/java/org/springframework/boot/elasticsearch/autoconfigure/ElasticsearchRestClientConfigurations.java

@@ -34,9 +34,11 @@
 import org.apache.hc.client5.http.impl.async.HttpAsyncClientBuilder;
 import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.core5.http.nio.ssl.BasicClientTlsStrategy;
 import org.apache.hc.core5.reactor.IOReactorConfig;
+import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
 import org.apache.hc.core5.util.Timeout;
 import org.jspecify.annotations.Nullable;
 
@@ -189,12 +191,11 @@ public void customize(PoolingAsyncClientConnectionManagerBuilder connectionManag
 			SslBundle sslBundle = this.connectionDetails.getSslBundle();
 			if (sslBundle != null) {
 				SSLContext sslContext = sslBundle.createSslContext();
-				connectionManagerBuilder
-					.setTlsStrategy(new BasicClientTlsStrategy(sslContext, (endpoint, sslEngine) -> {
-						SslOptions sslOptions = sslBundle.getOptions();
-						sslEngine.setEnabledProtocols(sslOptions.getEnabledProtocols());
-						sslEngine.setEnabledCipherSuites(sslOptions.getCiphers());
-					}, null));
+				SslOptions sslOptions = sslBundle.getOptions();
+				DefaultClientTlsStrategy tlsStrategy = new DefaultClientTlsStrategy(sslContext,
+						sslOptions.getEnabledProtocols(), sslOptions.getCiphers(), SSLBufferMode.STATIC,
+						NoopHostnameVerifier.INSTANCE);
+				connectionManagerBuilder.setTlsStrategy(tlsStrategy);
 			}
 		}
 

module/spring-boot-elasticsearch/src/test/java/org/springframework/boot/elasticsearch/autoconfigure/ElasticsearchRestClientAutoConfigurationTests.java

@@ -20,8 +20,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.net.ssl.SSLEngine;
-
 import co.elastic.clients.transport.rest5_client.low_level.Node;
 import co.elastic.clients.transport.rest5_client.low_level.Rest5Client;
 import co.elastic.clients.transport.rest5_client.low_level.Rest5ClientBuilder;
@@ -37,7 +35,6 @@
 import org.apache.hc.core5.function.Resolver;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.config.Registry;
-import org.apache.hc.core5.reactor.ssl.SSLSessionInitializer;
 import org.apache.hc.core5.util.Timeout;
 import org.assertj.core.api.InstanceOfAssertFactories;
 import org.junit.jupiter.api.Test;
@@ -310,13 +307,9 @@ void configureWithSslBundle() {
 			assertThat(restClient).extracting("client.manager.connectionOperator.tlsStrategyLookup")
 				.asInstanceOf(InstanceOfAssertFactories.type(Registry.class))
 				.extracting((registry) -> registry.lookup("https"))
-				.extracting("initializer")
-				.asInstanceOf(InstanceOfAssertFactories.type(SSLSessionInitializer.class))
-				.satisfies((sslInitializer) -> {
-					SSLEngine engine = mock(SSLEngine.class);
-					sslInitializer.initialize(null, engine);
-					then(engine).should().setEnabledCipherSuites(new String[] { "DESede" });
-					then(engine).should().setEnabledProtocols(new String[] { "TLSv1.3" });
+				.satisfies((tlsStrategy) -> {
+					assertThat(tlsStrategy).extracting("supportedProtocols").isEqualTo(new String[] { "TLSv1.3" });
+					assertThat(tlsStrategy).extracting("supportedCipherSuites").isEqualTo(new String[] { "DESede" });
 				});
 		});
 	}