
V2 SDK S3TransferManager with SSL Factory

Open aceeric opened this issue 4 years ago • 7 comments

Describe the issue

I'm migrating some V1 AWS SDK code to the V2 SDK. In V1, it was possible to define a custom SSL socket factory to use with the TransferManager (abbreviated):

ClientConfiguration cliConfig = new ClientConfiguration();
cliConfig.getApacheHttpClientConfig().setSslSocketFactory(new SdkTLSSocketFactory(...));
AmazonS3ClientBuilder clientBuilder = AmazonS3ClientBuilder.standard().withClientConfiguration(cliConfig)...;
TransferManagerBuilder.standard().withS3Client(clientBuilder.build())...
etc.

I don't see a way to do this with the V2 SDK. The new S3ClientConfiguration allows some other configurables but not the HTTP client, or the SSL factory. Similarly the S3TransferManager does not appear to expose these. This document - https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/http-configuration-netty.html - talks about "configuring the Netty-based HTTP client" but I don't see a way to get that client into the S3TransferManager.

Help is appreciated. Thank you.

Steps to Reproduce

See snippet above

Current behavior

It is possible with V1 to assign a custom SSL socket factory to the V1 transfer manager.

AWS Java SDK version used

V1 to V2

JDK version used

1.8

Operating System and version

linux

aceeric avatar Dec 07 '21 19:12 aceeric

Hi @aceeric thank you for reaching out. It's not supported for now. We have plans to allow users to provide an S3AsyncClient which can be configured with custom SSL socket factory. Marking this as feature request.

zoewangg avatar Dec 07 '21 19:12 zoewangg

Ok thank you.

aceeric avatar Dec 08 '21 11:12 aceeric

Hi @zoewangg

Currently, there is no way to pass a custom TlsFactory to Netty, unlike Apache HTTP client where we can configure the SSLContext.

Are there any updates on supporting this feature?

We are using AWS SDK v1 and relying on TransferManager for file transfers. However, the latest S3TransferManager (in AWS SDK v2) supports only async clients, and there's no straightforward way to configure a custom TLS version or other SSL options — aside from setting custom TrustManagers.

Is there an alternative or recommended approach for configuring these options with Netty or any async client?

And also @debora-ito I could see the current request being referenced in the discussion https://github.com/aws/aws-sdk-java-v2/discussions/4204

Any update on when this will be available? We are currently migrating from v1 to v2 and we are blocked on this to use S3TransferManager, as it does not accept a sync client (unlike v1) and no TLSConfig is available for v2.

Apache:

    String tlsVersion = "TLSv1.2";  // (we are initiating TLS with a value that is configurable)
    SSLContext sslContext = SSLContext.getInstance(tlsVersion);
    sslContext.init(null,null,null); // (we are passing our own trustmanagers and key managers)
    SdkTlsSocketFactory sdkTlsSocketFactory = new SdkTlsSocketFactory(sslContext,null);
    SdkHttpClient apacheHttpClient = ApacheHttpClient.builder()
            .socketFactory(sdkTlsSocketFactory).build();

Netty

    TrustManager[] tms = null; // passing custom trust managers here
    TlsTrustManagersProvider trustManagersProvider = ()->tms;
    SdkAsyncHttpClient httpaClient = NettyNioAsyncHttpClient.builder().tlsTrustManagersProvider(trustManagersProvider).build();

Any help would be greatly appreciated

sandeep-2601 avatar May 28 '25 06:05 sandeep-2601
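
How the Netty client from the comment above reaches S3TransferManager, shown as an added example that is not part of the thread or the SDK's own code. It assumes an SDK release in which S3TransferManager.builder() accepts an S3AsyncClient, a PKCS12 trust store whose path and password are passed as arguments (hypothetical values), and an arbitrarily chosen region. It scopes only the trust managers to this client; the TLS protocol version is not set per client here, which is the gap the thread is about.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.http.async.SdkAsyncHttpClient;
import software.amazon.awssdk.http.nio.netty.NettyNioAsyncHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.transfer.s3.S3TransferManager;

public class TransferManagerCustomTrust {

    // Build trust managers from a private trust store instead of the JVM default cacerts.
    static TrustManager[] loadTrustManagers(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // args[0] = trust store path, args[1] = its password (hypothetical inputs).
        TrustManager[] tms = loadTrustManagers(args[0], args[1].toCharArray());

        // Trust decisions apply to this HTTP client only, not to other TLS users in the JVM.
        SdkAsyncHttpClient httpClient = NettyNioAsyncHttpClient.builder()
                .tlsTrustManagersProvider(() -> tms)
                .build();

        try (S3AsyncClient s3 = S3AsyncClient.builder()
                     .region(Region.US_EAST_1) // assumed region for the example
                     .httpClient(httpClient)
                     .build();
             S3TransferManager tm = S3TransferManager.builder().s3Client(s3).build()) {
            // Uploads and downloads issued through tm use the Netty client built above.
            System.out.println("Transfer manager ready: " + tm);
        } finally {
            // A client passed with httpClient(...) is owned by the caller, so close it here.
            httpClient.close();
        }
    }
}
```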

Hi @sandeep-2601 support for custom socket factory on NettyNioAsyncHttpClient is still in our backlog.

I understand this can be a blocker for S3TransferManager 2.x migration, marking this as a parity gap.

debora-ito avatar May 30 '25 18:05 debora-ito

Thanks for the response, @debora-ito! Just wondering if you have any idea when this might be available? Also, are there any alternative approaches you'd recommend in case it's not available yet?

Appreciate your help!

sandeep-2601 avatar May 30 '25 18:05 sandeep-2601

@sandeep-2601 The TLS version can be set via JDK system property (more details in our Dev Guide) -

java -Djdk.tls.client.protocols=TLSv1.2 -jar app.jar

What other SSL options are you looking for, exactly?

debora-ito avatar May 30 '25 20:05 debora-ito

Hi @debora-ito, I am looking for options to set the TLS version at connection level with respect to AWS and not at JDK level, as we are maintaining multiple other connections (not AWS) using TLS at JDK level as a common version.

sandeep-2601 avatar Jun 01 '25 10:06 sandeep-2601

Hi @debora-ito, any update on when this can be available?

sandeep-2601 avatar Jul 18 '25 06:07 sandeep-2601