Replace deprecated SSLConnectionSocketFactory with recommended API

[joviegas]

Motivation and Context

Apache HttpClient 5.x deprecated ConnectionSocketFactory in favor of the new TlsSocketStrategy interface. This change updates the AWS SDK's Apache5 HTTP client to support the modern TLS configuration approach while maintaining backward compatibility with existing code.

Historical Context: Earlier versions of this implementation incorrectly used SSLConnectionSocketFactory instead of the more general ConnectionSocketFactory interface. The correct API should have been ConnectionSocketFactory, which was consistent with the SDK's Apache4 client implementation. However, Apache HttpClient 5.x has since deprecated ConnectionSocketFactory entirely as part of a broader architectural redesign to better separate concerns between socket creation and TLS upgrade operations.

The new TlsSocketStrategy interface provides a cleaner abstraction specifically for TLS upgrade operations, moving away from the socket factory pattern that mixed plain socket creation with TLS layering concerns.

Modifications

Added

• New tlsSocketStrategy() method in Apache5HttpClient.Builder to support the modern TLS configuration approach
• ConnectionSocketFactoryToTlsStrategyAdapter class that adapts legacy ConnectionSocketFactory instances to work with the new TlsSocketStrategy interface
• SdkSslSocket wrapper for enhanced SSL socket logging and monitoring
• Internal getEffectiveTlsStrategy() method to handle both legacy and modern configurations

Modified

• SdkTlsSocketFactory now extends DefaultClientTlsStrategy instead of SSLConnectionSocketFactory
• Connection manager creation updated to use setTlsSocketStrategy() instead of deprecated setSSLSocketFactory()
• Socket factory method signature corrected from SSLConnectionSocketFactory to ConnectionSocketFactory and marked as deprecated
• Updated socket initialization to use initializeSocket() instead of prepareSocket()

Backward Compatibility

• ConnectionSocketFactory support retained: The deprecated socketFactory() method has not been removed to maintain backward compatibility for existing use cases, including scenarios where customers configure plain HTTP connections using PlainConnectionSocketFactory for services that support both HTTP and HTTPS endpoints
• When both methods are used, tlsSocketStrategy() takes precedence over socketFactory()
• The adapter handles both plain and layered connection socket factories appropriately, ensuring existing HTTP-only configurations continue to work seamlessly

Migration Path

Users should migrate from:

// Deprecated approach
Apache5HttpClient.builder()
    .socketFactory(new SSLConnectionSocketFactory(sslContext, hostnameVerifier))
    .build();

To:

// Modern approach
Apache5HttpClient.builder()
    .tlsSocketStrategy(new SdkTlsSocketFactory(sslContext, hostnameVerifier))
    .build();

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

License

• I confirm that this pull request can be released under the Apache 2 license

[sonarqubecloud]

Quality Gate failed

Failed conditions
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[dagnir]

Can we explain that this is here to ease migration from 4.5.x?

[joviegas]

done

[dagnir]

minor: can we fix the test names so they match our normal conventions? i.e. methodToTest_when_expectedBehavior

[joviegas]

done

[dagnir]

can we just disallow setting both?

[joviegas]

done