Using SSL Bundle for server configuration ignores other server options #39310
Rather than mixing bundle-based configuration and directly configuring the server's SSL settings, you should only use one or the other. For example:

```yaml
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
          options:
            enabled-protocols:
            - TLSv1.3
server:
  ssl:
    enabled: true
    bundle: mybundle
```

We should look at improving the documentation here or perhaps improving the runtime behavior. It could fail-fast when mixing configuration or perhaps the server-specific configuration could somehow override the bundle configuration. Both may have implications for backwards compatibility though.
We're going to add a |
- Clarify that mixing of bundle-based configuration and directly configuring the server's SSL settings is not supported and that you should only use one or the other. spring-projects#39310 Signed-off-by: Jakob Wanger <[email protected]>
Closing in favor of #39616
I am attempting to use an SSL Bundle to configure the certificate used by the embedded web server.
If I do something like this in my `application.yaml` file:

It works to configure the server certificate, but the other options (such as `server.ssl.enabled-protocols`) are ignored.

With this configuration, even though I configure it to only use TLSv1.3, it still responds to TLSv1.2 and TLSv1.3.

If I configure the certificate directly on `server.ssl` like this:

then the `enabled-protocols` setting works and only TLSv1.3 is enabled.
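A pre-deployment check for the mixed configuration described in this issue, as an added example (not code from Spring Boot or from anyone in the thread): it flattens an `application.yaml` and reports `server.ssl.*` keys set alongside `server.ssl.bundle`, plus whether the referenced bundle pins `options.enabled-protocols`. The function names, the allow-list of `enabled` and `bundle`, and the minimal YAML reader (block maps, scalars and `- ` lists only) are assumptions of this example.

```python
MIXED_YAML = """\
spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
server:
  ssl:
    enabled: true
    bundle: mybundle
    enabled-protocols: TLSv1.3
"""  # constructed sample: a bundle reference mixed with a direct server.ssl option
ALLOWED_WITH_BUNDLE = {"enabled", "bundle"}  # assumption: keys expected next to a bundle

def flatten(yaml_text):
    """Flatten block-style YAML (nested maps, scalars, '- ' lists) into dotted keys."""
    props, stack = {}, []  # stack: (indent, key) pairs forming the current path
    for raw in yaml_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        if text.startswith("- "):  # list item: append to the key on top of the stack
            props.setdefault(".".join(k for _, k in stack), []).append(text[2:].strip())
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        name, _, value = text.partition(":")
        stack.append((indent, name.strip()))
        if value.strip():
            props[".".join(k for _, k in stack)] = value.strip()
    return props

def ignored_server_ssl_keys(props, prefix="server.ssl."):
    """server.ssl.* keys set alongside server.ssl.bundle; the issue reports these as ignored."""
    has_bundle = prefix + "bundle" in props
    return sorted(k for k in props if has_bundle and k.startswith(prefix)
                  and k[len(prefix):] not in ALLOWED_WITH_BUNDLE)

def bundle_protocols(props):
    """Protocols pinned by the referenced bundle's options.enabled-protocols, else None."""
    name = props.get("server.ssl.bundle")
    for kind in ("jks", "pem"):
        value = props.get(f"spring.ssl.bundle.{kind}.{name}.options.enabled-protocols")
        if value:
            return value if isinstance(value, list) else [v.strip() for v in value.split(",")]
    return None
```

A non-empty result from `ignored_server_ssl_keys` together with `None` from `bundle_protocols` is the situation reported here: the protocol restriction is written down but nothing in the bundle enforces it.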