
Using SSL Bundle for server configuration ignores other server options #39310


Closed
shollander opened this issue Jan 25, 2024 · 3 comments
Labels: status: superseded (An issue that has been superseded by another); type: documentation (A documentation update)

Comments

@shollander

I am attempting to use an SSL Bundle to configure the certificate used by the embedded web server.

If I do something like this in my application.yaml file:

```yaml
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
server:
  ssl:
    enabled: true
    enabled-protocols:
      - TLSv1.3
    bundle: mybundle
```

It works to configure the server certificate, but the other options (such as server.ssl.enabled-protocols) are ignored.
With this configuration, even though I configure it to only use TLSv1.3, it still responds to TLSv1.2 and TLSv1.3.

If I configure the certificate directly on server.ssl like this:

```yaml
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
server:
  ssl:
    enabled: true
    enabled-protocols:
      - TLSv1.3
    key-store: /path/to/keystore
    key-store-password: secret
```

then the enabled-protocols setting works and only TLSv1.3 is enabled.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 25, 2024
@wilkinsona
Member

Rather than mixing bundle-based configuration and directly configuring the server's SSL settings, you should only use one or the other. For example:

```yaml
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
          options:
            enabled-protocols:
              - TLSv1.3
server:
  ssl:
    enabled: true
    bundle: mybundle
```

We should look at improving the documentation here or perhaps improving the runtime behavior. It could fail-fast when mixing configuration or perhaps the server-specific configuration could somehow override the bundle configuration. Both may have implications for backwards compatibility though.
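One way to confirm that the protocol restriction is actually enforced once it has been moved into the bundle's `options`, as an added example that is not part of this thread or of Spring Boot: the probe pins a client handshake to a single TLS version at a time and reports which versions the server accepts, then compares that against the configured `enabled-protocols` list. The host and port are assumptions; the certificate chain is deliberately not verified because the check is about protocol policy, not trust.

```python
import socket
import ssl

# TLS versions to try, keyed by the names used in the Spring Boot configuration.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version.

    Returns True if the server negotiated that version, False if it refused it
    (protocol_version alert or a reset during the handshake). Other network
    errors, such as a closed port, propagate so they are not mistaken for policy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # checking protocol policy, not the certificate
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False


def probe(host, port):
    """Map each candidate version name to whether the server accepted it."""
    return {name: handshake_with(host, port, ver) for name, ver in VERSIONS.items()}


def violations(accepted, enabled_protocols):
    """Versions the server accepted that are not in the configured enabled-protocols."""
    allowed = set(enabled_protocols)
    return sorted(name for name, ok in accepted.items() if ok and name not in allowed)


if __name__ == "__main__":
    # Assumed local Spring Boot instance; adjust to the server under test.
    result = probe("localhost", 8443)
    bad = violations(result, ["TLSv1.3"])
    print("accepted:", result)
    print("not allowed by configuration:", bad or "none")
```

With the first configuration from the issue the probe reports TLSv1.2 as a violation; with the bundle `options` configuration it reports none.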

@wilkinsona wilkinsona added the for: team-attention An issue we'd like other members of the team to review label Jan 26, 2024
@philwebb philwebb added type: documentation A documentation update and removed for: team-attention An issue we'd like other members of the team to review status: waiting-for-triage An issue we've not yet triaged labels Feb 15, 2024
@philwebb philwebb added this to the 3.1.x milestone Feb 15, 2024
@philwebb
Member

We're going to add a NOTE: to the documentation

wanger26 added a commit to wanger26/spring-boot that referenced this issue Feb 18, 2024
- Clarify that mixing of bundle-based configuration and directly configuring the server's SSL settings is not supported and that you should only use one or the other.

spring-projects#39310

Signed-off-by: Jakob Wanger <[email protected]>
@scottfrederick
Contributor

Closing in favor of #39616

@scottfrederick scottfrederick closed this as not planned Won't fix, can't repro, duplicate, stale Feb 20, 2024
@scottfrederick scottfrederick added the status: superseded An issue that has been superseded by another label Feb 20, 2024
@scottfrederick scottfrederick removed this from the 3.1.x milestone Feb 20, 2024