[Apache HTTP Client] Stop auto-enabling TLS protocol versions (#2934)

* [Apache HTTP Client] Stop auto-enabling TLS protocol versions

Since 2014, in the Java SDK v1, the SDK's Apache HTTP Client has 
auto-enabled certain TLS protocol versions if they are supported by the 
local system. The versions auto-enabled are: `TLSv1.2`, `TLSv1.1`, 
`TLSv1`, and `TLS`. The original motivation was to always try to use the
latest and most secure version. This made sense at the time, especially
when both Java 6 and Java 7 defaulted to only `TLSv1.0`. It wasn't 
until Java 8 that the default became `TLSv1.2`. So there was some 
apparent value in the SDK nudging clients towards the latest version 
that they may otherwise be slow to adopt.

Fast-forward 7+ years and most JVM vendors now enable newer TLS versions
(`TLSv1.3`) by default and many of the above versions are now 
considered older and less secure, yet the SDK continues to auto-enable 
them. Furthermore, the Java SDK v2 requires Java 8 or higher, which has
an implicit guarantee of defaulting to `TLSv1.2` or higher, meaning 
these SDK-enabled versions are never newer than default version.

While the TLS negotiation will resolve to the highest mutually supported
version, some users may still wish to explicitly disable older versions
as an extra precaution. The recommended and conventional way to do 
this is via the `jdk.tls.client.protocols` system property, but the 
SDK's implementation will continue to append its own list of enabled 
versions to the user's declared list. The only way for users to ensure
they disable those versions is via the `jdk.tls.disabledAlgorithms` 
system property.

https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/security-java-tls.html

https://java.com/en/configure_crypto.html

Since the SDK's list of preferred TLS versions is no longer up to date, 
and any new preferences would be similarly subject to becoming stale in 
the future, the SDK should stop trying to offer opinions on the 
preferred TLS version to use and instead allow the JVM defaults and 
user-declared properties to fully control this behavior.

Author: Bennett-Lynch

.changes/next-release/bugfix-ApacheHTTPClient-631fb0d.json

@@ -0,0 +1,6 @@
+{
+    "category": "Apache HTTP Client", 
+    "contributor": "", 
+    "type": "bugfix", 
+    "description": "Stop auto-enabling TLS protocol versions"
+}

http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/conn/SdkTlsSocketFactory.java

@@ -18,9 +18,7 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Socket;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.List;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
@@ -32,9 +30,6 @@
 import software.amazon.awssdk.http.apache.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
 
-/**
- * Used to enforce the preferred TLS protocol during SSL handshake.
- */
 @SdkInternalApi
 public class SdkTlsSocketFactory extends SSLConnectionSocketFactory {
 
@@ -50,54 +45,11 @@ public SdkTlsSocketFactory(final SSLContext sslContext, final HostnameVerifier h
         this.sslContext = sslContext;
     }
 
-    /**
-     * {@inheritDoc} Used to enforce the preferred TLS protocol during SSL handshake.
-     */
     @Override
     protected final void prepareSocket(final SSLSocket socket) {
-        String[] supported = socket.getSupportedProtocols();
-        String[] enabled = socket.getEnabledProtocols();
         log.debug(() -> String.format("socket.getSupportedProtocols(): %s, socket.getEnabledProtocols(): %s",
-                                      Arrays.toString(supported),
-                                      Arrays.toString(enabled)));
-        List<String> target = new ArrayList<>();
-        if (supported != null) {
-            // Append the preferred protocols in descending order of preference
-            // but only do so if the protocols are supported
-            TlsProtocol[] values = TlsProtocol.values();
-            for (TlsProtocol value : values) {
-                String pname = value.getProtocolName();
-                if (existsIn(pname, supported)) {
-                    target.add(pname);
-                }
-            }
-        }
-        if (enabled != null) {
-            // Append the rest of the already enabled protocols to the end
-            // if not already included in the list
-            for (String pname : enabled) {
-                if (!target.contains(pname)) {
-                    target.add(pname);
-                }
-            }
-        }
-        if (target.size() > 0) {
-            String[] enabling = target.toArray(new String[0]);
-            socket.setEnabledProtocols(enabling);
-            log.debug(() -> "TLS protocol enabled for SSL handshake: " + Arrays.toString(enabling));
-        }
-    }
-
-    /**
-     * Returns true if the given element exists in the given array; false otherwise.
-     */
-    private boolean existsIn(String element, String[] a) {
-        for (String s : a) {
-            if (element.equals(s)) {
-                return true;
-            }
-        }
-        return false;
+                                      Arrays.toString(socket.getSupportedProtocols()),
+                                      Arrays.toString(socket.getEnabledProtocols())));
     }
 
     @Override

http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/conn/TlsProtocol.java

@@ -15,119 +15,77 @@
 
 package software.amazon.awssdk.http.apache.internal.conn;
 
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
-public class SdkTlsSocketFactoryTest {
-    /**
-     * Test when the edge case when the both supported and enabled protocols are null.
-     */
-    @Test
-    public void preparedSocket_NullProtocols() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return null;
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return null;
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                fail();
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+class SdkTlsSocketFactoryTest {
+
+    SdkTlsSocketFactory factory;
+    SSLSocket socket;
+
+    @BeforeEach
+    public void before() throws Exception {
+        factory = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
+        socket = Mockito.mock(SSLSocket.class);
     }
 
     @Test
-    public void typical() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return shuffle(new String[] {"SSLv3", "TLSv1"});
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                assertTrue(Arrays.equals(protocols, new String[] {"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void nullProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(null);
+        when(socket.getEnabledProtocols()).thenReturn(null);
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
     @Test
-    public void noTLS() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return new String[] {"SSLv3"};
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                // For backward compatibility
-                assertTrue(Arrays.equals(protocols, new String[] {"SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void amazonCorretto_8_0_292_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.2", "TLSv1.1", "TLSv1"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
     @Test
-    public void notIdeal() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return shuffle(new String[] {"SSLv3", "TLSv1"});
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                assertTrue(Arrays.equals(protocols, new String[] {"TLSv1.1", "TLSv1", "SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void amazonCorretto_11_0_08_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
-    private String[] shuffle(String[] in) {
-        List<String> list = new ArrayList<String>(Arrays.asList(in));
-        Collections.shuffle(list);
-        return list.toArray(new String[0]);
+    @Test
+    void amazonCorretto_17_0_1_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 }