spring-boot

Spring Boot

Tree: cfee3f10f4

Andy Wilkinson c9facf1b97 Upgrade to Tomcat 11.0.18 Tomcat 9.0.115, 10.1.52, and 11.0.18 include a breaking change [1] to how ciphers are configured when using HTTPS. Previously, a single setting was used but this has now been split in two; the existing ciphers setting for TLSv1.2 ciphers and a new ciperSuites setting for TLSv1.3. As part of this split, the behavior of the ciphers setting has been changed such that any TLSv1.3 ciphers are ignored and a warning is logged. This change in Tomcat is problematic without also making some changes in Boot. If we had done nothing, a user that had configured only TLSv1.3 cipers would have them all ignored, leaving their SSL connection unexpectedly using all of the default ciphers which may be less secure. This commit adapts to the breaking change in Tomcat by taking the user's list of ciphers and splitting into into TLSv1.2 and TLSv1.3 ciphers before passing them into Tomcat's two settings (ciphers and cipherSuites respectively). This is done defensively for backwards compatibility. If the methods to identify and configure the TLSv1.3 ciphers are not present, we assume that we're running with an earlier version of Tomcat and fall back to passing them all into the ciphers setting as we did previously. Closes gh-49143 [1] `9abf6bddb2`	1 month ago
..
src	Upgrade to Tomcat 11.0.18	1 month ago
build.gradle	Add `@AutoConfigureWebServer` test annotation	2 months ago

Andy Wilkinson c9facf1b97 Upgrade to Tomcat 11.0.18

Tomcat 9.0.115, 10.1.52, and 11.0.18 include a breaking change [1] to
how ciphers are configured when using HTTPS. Previously, a single
setting was used but this has now been split in two; the existing
ciphers setting for TLSv1.2 ciphers and a new ciperSuites setting for
TLSv1.3. As part of this split, the behavior of the ciphers setting
has been changed such that any TLSv1.3 ciphers are ignored and a
warning is logged.

This change in Tomcat is problematic without also making some changes
in Boot. If we had done nothing, a user that had configured only
TLSv1.3 cipers would have them all ignored, leaving their SSL
connection unexpectedly using all of the default ciphers which may be
less secure.

This commit adapts to the breaking change in Tomcat by taking the
user's list of ciphers and splitting into into TLSv1.2 and TLSv1.3
ciphers before passing them into Tomcat's two settings (ciphers and
cipherSuites respectively). This is done defensively for backwards
compatibility. If the methods to identify and configure the TLSv1.3
ciphers are not present, we assume that we're running with an earlier
version of Tomcat and fall back to passing them all into the ciphers
setting as we did previously.

Closes gh-49143

[1] 9abf6bddb2

1 month ago

src Upgrade to Tomcat 11.0.18 1 month ago

build.gradle Add `@AutoConfigureWebServer` test annotation 2 months ago