Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles

[matthew-js-porter]

When configuring server SSL, would it make sense to fallback to the configured server.ssl.ciphers and server.ssl.enabled-protocols properties when the SSL Options for a bundle is not specified?

Given this example:

server:
  ssl:
    ciphers:
      - TLS_CHACHA20_POLY1305_SHA256
    enabled-protocols:
      - TLSv1.3
    bundle: local
    server-name-bundles:
      - server-name: localhost
        bundle: localhost
      - server-name: 127.0.0.1
        bundle: local
      - server-name: other
      - bundle: other

spring:
  ssl:
    bundle:
      jks:
        localhost:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
        local:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
        other:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
          options:
            ciphers:
              - TLS_AES_256_GCM_SHA384
            enabled-protocols:
              - TLSv1.3

I would expect the server to use TLS_CHACHA20_POLY1305_SHA256 and TLSv1.3 for localhost and 127.0.0.1 and TLS_AES_256_GCM_SHA384 for other.

[philwebb]

I can see why falling back would make sense, but I'm concerned it would then make it hard for a bundle to indicate that it wants to use the server defaults and not apply any customization. This would also be a breaking change, so not something we can consider until 3.5 at the earliest. It would also mean that the bundle could behave differently depending on where it was used.

I'm wondering if we should add something to spring.ssl.bundle if we want a way to apply default options to all bundles. Something like:

spring:
  ssl:
    bundle:
      default-options:
        ciphers:
        - TLS_CHACHA20_POLY1305_SHA256
        enabled-protocols:
        - TLSv1.3
      jks:
        localhost:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
        local:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
        other:
          keystore:
            location: "classpath:test-keystore.jks"
            password: secret
            type: JKS
          options:
            ciphers:
              - TLS_AES_256_GCM_SHA384
            enabled-protocols:
              - TLSv1.3

[philwebb]

We discussed this today and we're not keen to add the default-options concept at this time. We feel like the SSL bundle configuration is already pretty complex, and that copy-paste for the options will probably result in clearer intent for most users. There is also always the option of using YAML anchors to reduce repeat configuration.

We do thing the existing server configuration is a little confusing, we'll repurpose this issue into a documentation problem and add a note to https://docs.spring.io/spring-boot/how-to/webserver.html#howto.webserver.configure-ssl

[matthew-js-porter]

@philwebb That makes sense. Using YAML anchors does feel like a good approach to handle this. Thank you!