Enforce TLSv1.2 by default both for HTTPS server and bolt server.

For users who would like to have other protocols or cipher suites, they need to migrate their old configuration to use new `dbms.ssl.policy`
For users whose jdk does not have TLSv1.2 enabled by default such as ibm-jdk8, if they would like to use TLSv1.2, they should run the server with jvm option `com.ibm.jsse2.overrideDefaultTLS=true`

community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureSocketConnection.java

@@ -41,7 +41,7 @@ private Socket createSecureSocket()
     {
         try
         {
-            SSLContext context = SSLContext.getInstance( "SSL" );
+            SSLContext context = SSLContext.getInstance( "TLS" );
             context.init( new KeyManager[0], new TrustManager[]{new NaiveTrustManager( serverCertificatesSeen::add )}, new SecureRandom() );
 
             return context.getSocketFactory().createSocket();

community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureWebSocketConnection.java

@@ -23,24 +23,12 @@
 import org.eclipse.jetty.websocket.client.WebSocketClient;
 
 import java.net.URI;
-import java.util.function.Supplier;
 
 public class SecureWebSocketConnection extends WebSocketConnection
 {
     public SecureWebSocketConnection()
     {
-        super( createTestClientSupplier(), address -> URI.create( "wss://" + address.getHost() + ":" + address.getPort() ) );
-    }
-
-    private static Supplier<WebSocketClient> createTestClientSupplier()
-    {
-        return () ->
-        {
-            SslContextFactory sslContextFactory = new SslContextFactory( /* trustall= */ true );
-            /* remove all default filters added by jetty on protocol and cipher suites */
-            sslContextFactory.setExcludeCipherSuites();
-            sslContextFactory.setExcludeProtocols();
-            return new WebSocketClient( sslContextFactory );
-        };
+        super( () -> new WebSocketClient( new SslContextFactory( /* trustall= */ true ) ),
+                address -> URI.create( "wss://" + address.getHost() + ":" + address.getPort() ) );
     }
 }

community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/LegacySslPolicyConfig.java

@@ -20,15 +20,20 @@
 package org.neo4j.kernel.configuration.ssl;
 
 import java.io.File;
+import java.util.List;
 
 import org.neo4j.configuration.Description;
 import org.neo4j.configuration.Internal;
 import org.neo4j.configuration.LoadableConfig;
 import org.neo4j.graphdb.config.Setting;
 
 import static org.neo4j.kernel.configuration.Settings.PATH;
+import static org.neo4j.kernel.configuration.Settings.STRING_LIST;
 import static org.neo4j.kernel.configuration.Settings.derivedSetting;
 import static org.neo4j.kernel.configuration.Settings.pathSetting;
+import static org.neo4j.kernel.configuration.Settings.setting;
+import static org.neo4j.kernel.configuration.ssl.SslPolicyConfig.CIPHER_SUITES_DEFAULTS;
+import static org.neo4j.kernel.configuration.ssl.SslPolicyConfig.TLS_VERSION_DEFAULTS;
 
 /**
  * To be removed in favour of {@link SslPolicyConfig}. The settings below are still
@@ -54,4 +59,15 @@ public class LegacySslPolicyConfig implements LoadableConfig
     public static final Setting<File> tls_key_file =
             derivedSetting( "unsupported.dbms.security.tls_key_file", certificates_directory,
                     certificates -> new File( certificates, "neo4j.key" ), PATH );
+
+    @Internal
+    @Description( "Default encryption protocol used for legacy SSl policy." )
+    static final Setting<List<String>> default_security_protocol =
+            setting( "unsupported.dbms.security.protocol", STRING_LIST, TLS_VERSION_DEFAULTS );
+
+    @Internal
+    @Description( "Default encryption protocol used for legacy SSl policy." )
+    static final Setting<List<String>> default_security_cipher_suites =
+            setting( "unsupported.dbms.security.cipher_suites", STRING_LIST, CIPHER_SUITES_DEFAULTS );
+
 }

community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyConfig.java

@@ -44,7 +44,8 @@
 @Group( "dbms.ssl.policy" )
 public class SslPolicyConfig
 {
-    private static final String TLS_VERSION_DEFAULTS = join( ",", new String[]{"TLSv1.2"} );
+    public static final String TLS_VERSION_DEFAULTS = join( ",", new String[]{"TLSv1.2"} );
+    public static final String CIPHER_SUITES_DEFAULTS = NO_DEFAULT;
 
     @Description( "The mandatory base directory for cryptographic objects of this policy." +
                   " It is also possible to override each individual configuration with absolute paths." )
@@ -99,7 +100,7 @@ public SslPolicyConfig( String policyName )
         this.private_key_password = group.scope( setting( "private_key_password", STRING, NO_DEFAULT ) );
         this.client_auth = group.scope( setting( "client_auth", options( ClientAuth.class, true ), ClientAuth.REQUIRE.name() ) );
         this.tls_versions = group.scope( setting( "tls_versions", STRING_LIST, TLS_VERSION_DEFAULTS ) );
-        this.ciphers = group.scope( setting( "ciphers", STRING_LIST, NO_DEFAULT ) );
+        this.ciphers = group.scope( setting( "ciphers", STRING_LIST, CIPHER_SUITES_DEFAULTS ) );
     }
 
     // TODO: can we make this handle relative paths?

community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyLoader.java

@@ -57,6 +57,8 @@
 import static java.lang.String.format;
 import static org.neo4j.graphdb.factory.GraphDatabaseSettings.default_advertised_address;
 import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.LEGACY_POLICY_NAME;
+import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.default_security_cipher_suites;
+import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.default_security_protocol;
 
 /**
  * Each component which utilises SSL policies is recommended to provide a component
@@ -157,7 +159,10 @@ private SslPolicy loadOrCreateLegacyPolicy()
         PrivateKey privateKey = loadPrivateKey( privateKeyFile, null );
         X509Certificate[] keyCertChain = loadCertificateChain( certficateFile );
 
-        return new SslPolicy( privateKey, keyCertChain, null, null,
+        List<String> ciphers = config.get( default_security_cipher_suites );
+        List<String> tlsVersions = config.get( default_security_protocol );
+
+        return new SslPolicy( privateKey, keyCertChain, tlsVersions, ciphers,
                 ClientAuth.NONE, InsecureTrustManagerFactory.INSTANCE, sslProvider );
     }
 

community/server/src/main/java/org/neo4j/server/security/ssl/SslSocketConnectorFactory.java

@@ -73,17 +73,14 @@ private SslConnectionFactory createSslConnectionFactory( SslPolicy sslPolicy )
         if ( ciphers != null )
         {
             sslContextFactory.setIncludeCipherSuites( ciphers.toArray( new String[ciphers.size()] ) );
+            sslContextFactory.setExcludeCipherSuites();
         }
-        // regardless whether cipher suites are provided by user or not,
-        // we always remove the cipher filter added in jetty 9.4 to keep the back-compatibility of jetty 9.2
-        sslContextFactory.setExcludeCipherSuites();
 
         List<String> protocols = sslPolicy.getTlsVersions();
         if ( protocols != null )
         {
-            // If a user specified what protocols they want to use, then apply whatever they added by removing extra jetty filter
             sslContextFactory.setIncludeProtocols( protocols.toArray( new String[protocols.size()] ) );
-            sslContextFactory.setExcludeProtocols(); // remove jetty filter
+            sslContextFactory.setExcludeProtocols();
         }
 
         switch ( sslPolicy.getClientAuth() )