[Apache HTTP Client] Stop auto-enabling TLS protocol versions

.changes/next-release/bugfix-ApacheHTTPClient-631fb0d.json

@@ -0,0 +1,6 @@
+{
+    "category": "Apache HTTP Client", 
+    "contributor": "", 
+    "type": "bugfix", 
+    "description": "Stop auto-enabling TLS protocol versions"
+}

http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/conn/SdkTlsSocketFactory.java

@@ -18,9 +18,7 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Socket;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.List;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
@@ -32,9 +30,6 @@
 import software.amazon.awssdk.http.apache.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
 
-/**
- * Used to enforce the preferred TLS protocol during SSL handshake.
- */
 @SdkInternalApi
 public class SdkTlsSocketFactory extends SSLConnectionSocketFactory {
 
@@ -50,54 +45,11 @@ public SdkTlsSocketFactory(final SSLContext sslContext, final HostnameVerifier h
         this.sslContext = sslContext;
     }
 
-    /**
-     * {@inheritDoc} Used to enforce the preferred TLS protocol during SSL handshake.
-     */
     @Override
     protected final void prepareSocket(final SSLSocket socket) {
-        String[] supported = socket.getSupportedProtocols();
-        String[] enabled = socket.getEnabledProtocols();
         log.debug(() -> String.format("socket.getSupportedProtocols(): %s, socket.getEnabledProtocols(): %s",
-                                      Arrays.toString(supported),
-                                      Arrays.toString(enabled)));
-        List<String> target = new ArrayList<>();
-        if (supported != null) {
-            // Append the preferred protocols in descending order of preference
-            // but only do so if the protocols are supported
-            TlsProtocol[] values = TlsProtocol.values();
-            for (TlsProtocol value : values) {
-                String pname = value.getProtocolName();
-                if (existsIn(pname, supported)) {
-                    target.add(pname);
-                }
-            }
-        }
-        if (enabled != null) {
-            // Append the rest of the already enabled protocols to the end
-            // if not already included in the list
-            for (String pname : enabled) {
-                if (!target.contains(pname)) {
-                    target.add(pname);
-                }
-            }
-        }
-        if (target.size() > 0) {
-            String[] enabling = target.toArray(new String[0]);
-            socket.setEnabledProtocols(enabling);
-            log.debug(() -> "TLS protocol enabled for SSL handshake: " + Arrays.toString(enabling));
-        }
-    }
-
-    /**
-     * Returns true if the given element exists in the given array; false otherwise.
-     */
-    private boolean existsIn(String element, String[] a) {
-        for (String s : a) {
-            if (element.equals(s)) {
-                return true;
-            }
-        }
-        return false;
+                                      Arrays.toString(socket.getSupportedProtocols()),
+                                      Arrays.toString(socket.getEnabledProtocols())));
     }
 
     @Override

http-clients/apache-client/src/test/java/software/amazon/awssdk/http/apache/internal/conn/SdkTlsSocketFactoryTest.java

@@ -15,119 +15,77 @@
 
 package software.amazon.awssdk.http.apache.internal.conn;
 
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
-public class SdkTlsSocketFactoryTest {
-    /**
-     * Test when the edge case when the both supported and enabled protocols are null.
-     */
-    @Test
-    public void preparedSocket_NullProtocols() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return null;
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return null;
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                fail();
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+class SdkTlsSocketFactoryTest {
+
+    SdkTlsSocketFactory factory;
+    SSLSocket socket;
+
+    @BeforeEach
+    public void before() throws Exception {
+        factory = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
+        socket = Mockito.mock(SSLSocket.class);
     }
 
     @Test
-    public void typical() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return shuffle(new String[] {"SSLv3", "TLSv1"});
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                assertTrue(Arrays.equals(protocols, new String[] {"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void nullProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(null);
+        when(socket.getEnabledProtocols()).thenReturn(null);
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
     @Test
-    public void noTLS() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return new String[] {"SSLv3"};
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                // For backward compatibility
-                assertTrue(Arrays.equals(protocols, new String[] {"SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void amazonCorretto_8_0_292_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.2", "TLSv1.1", "TLSv1"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
     @Test
-    public void notIdeal() throws NoSuchAlgorithmException, IOException {
-        SdkTlsSocketFactory f = new SdkTlsSocketFactory(SSLContext.getDefault(), null);
-        try (SSLSocket socket = new TestSSLSocket() {
-            @Override
-            public String[] getSupportedProtocols() {
-                return shuffle(new String[] {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"});
-            }
-
-            @Override
-            public String[] getEnabledProtocols() {
-                return shuffle(new String[] {"SSLv3", "TLSv1"});
-            }
-
-            @Override
-            public void setEnabledProtocols(String[] protocols) {
-                assertTrue(Arrays.equals(protocols, new String[] {"TLSv1.1", "TLSv1", "SSLv3"}));
-            }
-        }) {
-            f.prepareSocket(socket);
-        }
+    void amazonCorretto_11_0_08_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 
-    private String[] shuffle(String[] in) {
-        List<String> list = new ArrayList<String>(Arrays.asList(in));
-        Collections.shuffle(list);
-        return list.toArray(new String[0]);
+    @Test
+    void amazonCorretto_17_0_1_defaultEnabledProtocols() {
+        when(socket.getSupportedProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"
+        });
+        when(socket.getEnabledProtocols()).thenReturn(new String[] {
+            "TLSv1.3", "TLSv1.2"
+        });
+
+        factory.prepareSocket(socket);
+
+        verify(socket, never()).setEnabledProtocols(any());
     }
 }