Upgrade to HttpClient5 5.4

Closes gh-42675

Author: mhalbritter

spring-boot-project/spring-boot-dependencies/build.gradle

@@ -575,7 +575,7 @@ bom {
 			]
 		}
 	}
-	library("HttpClient5", "5.3.1") {
+	library("HttpClient5", "5.4") {
 		group("org.apache.httpcomponents.client5") {
 			modules = [
 				"httpclient5",

spring-boot-project/spring-boot-test/src/main/java/org/springframework/boot/test/web/client/TestRestTemplate.java

@@ -38,8 +38,8 @@
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.http.ssl.TLS;
@@ -992,7 +992,7 @@ public enum HttpClientOption {
 		ENABLE_REDIRECTS,
 
 		/**
-		 * Use a {@link SSLConnectionSocketFactory} that trusts self-signed certificates.
+		 * Use a {@link TlsSocketStrategy} that trusts self-signed certificates.
 		 */
 		SSL
 
@@ -1038,7 +1038,7 @@ private PoolingHttpClientConnectionManager createConnectionManager(Duration read
 				throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
 			PoolingHttpClientConnectionManagerBuilder builder = PoolingHttpClientConnectionManagerBuilder.create();
 			if (ssl) {
-				builder.setSSLSocketFactory(createSocketFactory());
+				builder.setTlsSocketStrategy(createTlsSocketStrategy());
 			}
 			if (readTimeout != null) {
 				SocketConfig socketConfig = SocketConfig.custom()
@@ -1049,14 +1049,12 @@ private PoolingHttpClientConnectionManager createConnectionManager(Duration read
 			return builder.build();
 		}
 
-		private SSLConnectionSocketFactory createSocketFactory()
-				throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
+		private TlsSocketStrategy createTlsSocketStrategy()
+				throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
 			SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustSelfSignedStrategy())
 				.build();
-			return SSLConnectionSocketFactoryBuilder.create()
-				.setSslContext(sslContext)
-				.setTlsVersions(TLS.V_1_3, TLS.V_1_2)
-				.build();
+			return new DefaultClientTlsStrategy(sslContext, new String[] { TLS.V_1_3.getId(), TLS.V_1_2.getId() }, null,
+					null, null);
 		}
 
 		@Override

spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/transport/LocalHttpClientTransport.java

@@ -18,9 +18,8 @@
 
 import java.io.IOException;
 import java.net.InetAddress;
-import java.net.InetSocketAddress;
+import java.net.Proxy;
 import java.net.Socket;
-import java.net.UnknownHostException;
 
 import com.sun.jna.Platform;
 import org.apache.hc.client5.http.DnsResolver;
@@ -30,12 +29,11 @@
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
+import org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator;
+import org.apache.hc.client5.http.io.DetachedSocketFactory;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.apache.hc.client5.http.routing.HttpRoutePlanner;
-import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.core5.http.config.Registry;
-import org.apache.hc.core5.http.config.RegistryBuilder;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.util.TimeValue;
 
@@ -48,6 +46,7 @@
  *
  * @author Phillip Webb
  * @author Scott Frederick
+ * @author Moritz Halbritter
  */
 final class LocalHttpClientTransport extends HttpClientTransport {
 
@@ -62,9 +61,9 @@ private LocalHttpClientTransport(HttpClient client, HttpHost host) {
 	}
 
 	static LocalHttpClientTransport create(ResolvedDockerHost dockerHost) {
-		HttpClientBuilder builder = HttpClients.custom();
-		builder.setConnectionManager(new LocalConnectionManager(dockerHost.getAddress()));
-		builder.setRoutePlanner(new LocalRoutePlanner());
+		HttpClientBuilder builder = HttpClients.custom()
+			.setConnectionManager(new LocalConnectionManager(dockerHost))
+			.setRoutePlanner(new LocalRoutePlanner());
 		HttpHost host = new HttpHost(DOCKER_SCHEME, dockerHost.getAddress());
 		return new LocalHttpClientTransport(builder.build(), host);
 	}
@@ -78,65 +77,53 @@ private static class LocalConnectionManager extends BasicHttpClientConnectionMan
 			.setValidateAfterInactivity(TimeValue.NEG_ONE_MILLISECOND)
 			.build();
 
-		LocalConnectionManager(String host) {
-			super(getRegistry(host), null, null, new LocalDnsResolver());
+		LocalConnectionManager(ResolvedDockerHost dockerHost) {
+			super(new DefaultHttpClientConnectionOperator(new LocalDetachedSocketFactory(dockerHost), null,
+					new LocalDnsResolver(), (name) -> null), null);
 			setConnectionConfig(CONNECTION_CONFIG);
 		}
 
-		private static Registry<ConnectionSocketFactory> getRegistry(String host) {
-			RegistryBuilder<ConnectionSocketFactory> builder = RegistryBuilder.create();
-			builder.register(DOCKER_SCHEME, new LocalConnectionSocketFactory(host));
-			return builder.build();
-		}
-
 	}
 
 	/**
-	 * {@link DnsResolver} that ensures only the loopback address is used.
+	 * {@link DetachedSocketFactory} for local Docker.
 	 */
-	private static final class LocalDnsResolver implements DnsResolver {
+	static class LocalDetachedSocketFactory implements DetachedSocketFactory {
 
-		private static final InetAddress LOOPBACK = InetAddress.getLoopbackAddress();
+		private static final String NPIPE_PREFIX = "npipe://";
 
-		@Override
-		public InetAddress[] resolve(String host) throws UnknownHostException {
-			return new InetAddress[] { LOOPBACK };
+		private final ResolvedDockerHost dockerHost;
+
+		LocalDetachedSocketFactory(ResolvedDockerHost dockerHost) {
+			this.dockerHost = dockerHost;
 		}
 
 		@Override
-		public String resolveCanonicalHostname(String host) throws UnknownHostException {
-			return LOOPBACK.getCanonicalHostName();
+		public Socket create(Proxy proxy) throws IOException {
+			String address = this.dockerHost.getAddress();
+			if (address.startsWith(NPIPE_PREFIX)) {
+				return NamedPipeSocket.get(address.substring(NPIPE_PREFIX.length()));
+			}
+			return (!Platform.isWindows()) ? UnixDomainSocket.get(address) : NamedPipeSocket.get(address);
 		}
 
 	}
 
 	/**
-	 * {@link ConnectionSocketFactory} that connects to the local Docker domain socket or
-	 * named pipe.
+	 * {@link DnsResolver} that ensures only the loopback address is used.
 	 */
-	private static class LocalConnectionSocketFactory implements ConnectionSocketFactory {
-
-		private static final String NPIPE_PREFIX = "npipe://";
-
-		private final String host;
+	private static final class LocalDnsResolver implements DnsResolver {
 
-		LocalConnectionSocketFactory(String host) {
-			this.host = host;
-		}
+		private static final InetAddress LOOPBACK = InetAddress.getLoopbackAddress();
 
 		@Override
-		public Socket createSocket(HttpContext context) throws IOException {
-			if (this.host.startsWith(NPIPE_PREFIX)) {
-				return NamedPipeSocket.get(this.host.substring(NPIPE_PREFIX.length()));
-			}
-			return (!Platform.isWindows()) ? UnixDomainSocket.get(this.host) : NamedPipeSocket.get(this.host);
+		public InetAddress[] resolve(String host) {
+			return new InetAddress[] { LOOPBACK };
 		}
 
 		@Override
-		public Socket connectSocket(TimeValue connectTimeout, Socket socket, HttpHost host,
-				InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpContext context)
-				throws IOException {
-			return socket;
+		public String resolveCanonicalHostname(String host) {
+			return LOOPBACK.getCanonicalHostName();
 		}
 
 	}

spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/transport/RemoteHttpClientTransport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,8 +25,8 @@
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
-import org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.util.Timeout;
@@ -74,7 +74,7 @@ private static RemoteHttpClientTransport create(DockerHost host, SslContextFacto
 			.create()
 			.setDefaultSocketConfig(socketConfig);
 		if (host.isSecure()) {
-			connectionManagerBuilder.setSSLSocketFactory(getSecureConnectionSocketFactory(host, sslContextFactory));
+			connectionManagerBuilder.setTlsSocketStrategy(getTlsSocketStrategy(host, sslContextFactory));
 		}
 		HttpClientBuilder builder = HttpClients.custom();
 		builder.setConnectionManager(connectionManagerBuilder.build());
@@ -83,13 +83,12 @@ private static RemoteHttpClientTransport create(DockerHost host, SslContextFacto
 		return new RemoteHttpClientTransport(builder.build(), httpHost);
 	}
 
-	private static LayeredConnectionSocketFactory getSecureConnectionSocketFactory(DockerHost host,
-			SslContextFactory sslContextFactory) {
+	private static TlsSocketStrategy getTlsSocketStrategy(DockerHost host, SslContextFactory sslContextFactory) {
 		String directory = host.getCertificatePath();
 		Assert.hasText(directory,
 				() -> "Docker host TLS verification requires trust material location to be specified with certificate path");
 		SSLContext sslContext = sslContextFactory.forDirectory(directory);
-		return new SSLConnectionSocketFactory(sslContext);
+		return new DefaultClientTlsStrategy(sslContext);
 	}
 
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/client/ClientHttpRequestFactories.java

@@ -36,8 +36,8 @@
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.eclipse.jetty.client.transport.HttpClientTransportDynamic;
 import org.eclipse.jetty.io.ClientConnector;
@@ -209,9 +209,8 @@ private static HttpClient createHttpClient(Duration readTimeout, SslBundle sslBu
 			}
 			if (sslBundle != null) {
 				SslOptions options = sslBundle.getOptions();
-				SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslBundle.createSslContext(),
-						options.getEnabledProtocols(), options.getCiphers(), new DefaultHostnameVerifier());
-				connectionManagerBuilder.setSSLSocketFactory(socketFactory);
+				connectionManagerBuilder.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslBundle.createSslContext(),
+						options.getEnabledProtocols(), options.getCiphers(), null, new DefaultHostnameVerifier()));
 			}
 			PoolingHttpClientConnectionManager connectionManager = connectionManagerBuilder.useSystemProperties()
 				.build();

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactoryTests.java

@@ -33,6 +33,7 @@
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 
@@ -64,7 +65,8 @@
 import org.apache.hc.client5.http.HttpHostConnectException;
 import org.apache.hc.client5.http.classic.HttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.NoHttpResponseException;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
@@ -670,12 +672,12 @@ void shouldUpdateSslWhenReloadingSslBundles() throws Exception {
 		this.webServer = factory.getWebServer();
 		this.webServer.start();
 		RememberingHostnameVerifier verifier = new RememberingHostnameVerifier();
-		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
-				new SSLContextBuilder().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build(), verifier);
-		HttpComponentsClientHttpRequestFactory requestFactory = createHttpComponentsRequestFactory(socketFactory);
+		SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
+		TlsSocketStrategy tlsSocketStrategy = new DefaultClientTlsStrategy(sslContext, verifier);
+		HttpComponentsClientHttpRequestFactory requestFactory = createHttpComponentsRequestFactory(tlsSocketStrategy);
 		assertThat(getResponse(getLocalUrl("https", "/test.txt"), requestFactory)).isEqualTo("test");
 		assertThat(verifier.getLastPrincipal()).isEqualTo("CN=1");
-		requestFactory = createHttpComponentsRequestFactory(socketFactory);
+		requestFactory = createHttpComponentsRequestFactory(tlsSocketStrategy);
 		bundles.updateBundle("test", createPemSslBundle("classpath:org/springframework/boot/web/embedded/tomcat/2.crt",
 				"classpath:org/springframework/boot/web/embedded/tomcat/2.key"));
 		assertThat(getResponse(getLocalUrl("https", "/test.txt"), requestFactory)).isEqualTo("test");
@@ -690,9 +692,8 @@ void sslWithHttp11Nio2Protocol() throws Exception {
 		factory.setSsl(getSsl(null, "password", "src/test/resources/test.jks"));
 		this.webServer = factory.getWebServer();
 		this.webServer.start();
-		SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
-				new SSLContextBuilder().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build());
-		HttpComponentsClientHttpRequestFactory requestFactory = createHttpComponentsRequestFactory(socketFactory);
+		HttpComponentsClientHttpRequestFactory requestFactory = createHttpComponentsRequestFactory(
+				createTrustSelfSignedTlsSocketStrategy());
 		assertThat(getResponse(getLocalUrl("https", "/test.txt"), requestFactory)).isEqualTo("test");
 	}