Add ability to configure client TLS enabled protocol versions and cip…

…her suites via Spring properties. Closes gh-581.
spring-cloud · Mar 16, 2021 · 116d9e9 · 116d9e9
1 parent 5f847e0
commit 116d9e9
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 1 deletion.
diff --git a/docs/src/main/asciidoc/_configprops.adoc b/docs/src/main/asciidoc/_configprops.adoc
@@ -123,6 +123,8 @@
 |spring.cloud.vault.session.lifecycle.expiry-threshold | `7s` | The expiry threshold for a {@link LoginToken}. The threshold represents a minimum TTL duration to consider a login token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than {@code refreshBeforeExpiry} to prevent token expiry.
 |spring.cloud.vault.session.lifecycle.refresh-before-expiry | `5s` | The time period that is at least required before renewing the {@link LoginToken}.
 |spring.cloud.vault.ssl.cert-auth-path | `cert` | Mount path of the TLS cert authentication backend.
+|spring.cloud.vault.ssl.enabled-cipher-suites |  | List of enabled SSL/TLS cipher suites. @since 3.0.2
+|spring.cloud.vault.ssl.enabled-protocols |  | List of enabled SSL/TLS protocol. @since 3.0.2
 |spring.cloud.vault.ssl.key-store |  | Trust store that holds certificates and private keys.
 |spring.cloud.vault.ssl.key-store-password |  | Password used to access the key store.
 |spring.cloud.vault.ssl.key-store-type |  | Type of the key store. @since 3.0

diff --git a/docs/src/main/asciidoc/other-topics.adoc b/docs/src/main/asciidoc/other-topics.adoc
@@ -71,13 +71,17 @@ spring.cloud.vault:
         trust-store: classpath:keystore.jks
         trust-store-password: changeit
         trust-store-type: JKS
+        enabled-protocols: TLSv1.2,TLSv1.3
+        enabled-cipher-suites: TLS_AES_128_GCM_SHA256
 ----
 ====
 
 * `trust-store` sets the resource for the trust-store.
 SSL-secured Vault communication will validate the Vault SSL certificate with the specified trust-store.
 * `trust-store-password` sets the trust-store password
 * `trust-store-type` sets the trust-store type. Supported values are all supported `KeyStore` types including `PEM`.
+* `enabled-protocols` sets the list of enabled SSL/TLS protocols (since 3.0.2).
+* `enabled-cipher-suites` sets the list of enabled SSL/TLS cipher suites (since 3.0.2).
 
 Please note that configuring `spring.cloud.vault.ssl.*` can be only applied when either Apache Http Components or the OkHttp client is on your class-path.
 

diff --git a/...vault-config/src/main/java/org/springframework/cloud/vault/config/VaultConfiguration.java b/...vault-config/src/main/java/org/springframework/cloud/vault/config/VaultConfiguration.java
@@ -98,7 +98,7 @@ static SslConfiguration createSslConfiguration(Ssl ssl) {
 			}
 		}
 
-		return new SslConfiguration(keyStore, trustStore);
+		return new SslConfiguration(keyStore, trustStore, ssl.getEnabledProtocols(), ssl.getEnabledCipherSuites());
 	}
 
 	ClientHttpRequestFactory createClientHttpRequestFactory() {

diff --git a/...ud-vault-config/src/main/java/org/springframework/cloud/vault/config/VaultProperties.java b/...ud-vault-config/src/main/java/org/springframework/cloud/vault/config/VaultProperties.java
@@ -18,6 +18,8 @@
 
 import java.net.URI;
 import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
@@ -1040,6 +1042,18 @@ public static class Ssl {
 		 */
 		private String certAuthPath = "cert";
 
+		/**
+		 * List of enabled SSL/TLS protocol.
+		 * @since 3.0.2
+		 */
+		private List<String> enabledProtocols = new ArrayList<>();
+
+		/**
+		 * List of enabled SSL/TLS cipher suites.
+		 * @since 3.0.2
+		 */
+		private List<String> enabledCipherSuites = new ArrayList<>();
+
 		@Nullable
 		public Resource getKeyStore() {
 			return this.keyStore;
@@ -1102,6 +1116,22 @@ public void setCertAuthPath(String certAuthPath) {
 			this.certAuthPath = certAuthPath;
 		}
 
+		public List<String> getEnabledProtocols() {
+			return this.enabledProtocols;
+		}
+
+		public void setEnabledProtocols(List<String> enabledProtocols) {
+			this.enabledProtocols = enabledProtocols;
+		}
+
+		public List<String> getEnabledCipherSuites() {
+			return this.enabledCipherSuites;
+		}
+
+		public void setEnabledCipherSuites(List<String> enabledCipherSuites) {
+			this.enabledCipherSuites = enabledCipherSuites;
+		}
+
 	}
 
 	/**

diff --git a/...rc/test/java/org/springframework/cloud/vault/config/VaultBootstrapConfigurationTests.java b/...rc/test/java/org/springframework/cloud/vault/config/VaultBootstrapConfigurationTests.java
@@ -28,6 +28,7 @@
 import org.springframework.vault.authentication.SimpleSessionManager;
 import org.springframework.vault.client.RestTemplateFactory;
 import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.support.SslConfiguration;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -54,6 +55,23 @@ public void shouldConfigureWithoutAuthentication() {
 				});
 	}
 
+	@Test
+	public void shouldApplySslSettings() {
+
+		this.contextRunner.withPropertyValues("spring.cloud.vault.kv.enabled=false",
+				"spring.cloud.vault.authentication=NONE", "spring.cloud.bootstrap.enabled=true",
+				"spring.cloud.vault.ssl.enabled-protocols=TLSv1.2,TLSv1.3",
+				"spring.cloud.vault.ssl.enabled-cipher-suites=one,two").run(context -> {
+
+					VaultProperties properties = context.getBean(VaultProperties.class);
+
+					SslConfiguration sslConfiguration = VaultConfiguration.createSslConfiguration(properties.getSsl());
+
+					assertThat(sslConfiguration.getEnabledProtocols()).containsExactly("TLSv1.2", "TLSv1.3");
+					assertThat(sslConfiguration.getEnabledCipherSuites()).containsExactly("one", "two");
+				});
+	}
+
 	@Test
 	public void shouldDisableSessionManagement() {