Add ability to configure client TLS enabled protocol versions and cipher suites via Spring properties.

- Adding the ability to explicitly configure the enabled SSL protocol
versions and cipher suites used by the Vault HTTP client via the
following Spring properties:

* vault.ssl.enabled-protocols
* vault.ssl.enabled-cipher-suites

- Properties should be a comma-separated list of String constants that
correspond to those used by the enabled SSL provider.

Closes gh-635
Original pull request: gh-640.

Author: mryangza

spring-vault-core/src/main/java/org/springframework/vault/client/ClientHttpConnectorFactory.java

@@ -105,6 +105,14 @@ private static void configureSsl(SslConfiguration sslConfiguration, SslContextBu
 				sslContextBuilder.keyManager(createKeyManagerFactory(sslConfiguration.getKeyStoreConfiguration(),
 						sslConfiguration.getKeyConfiguration()));
 			}
+
+			if (sslConfiguration.getEnabledProtocols() != null) {
+				sslContextBuilder.protocols(sslConfiguration.getEnabledProtocols());
+			}
+
+			if (sslConfiguration.getEnabledCipherSuites() != null) {
+				sslContextBuilder.ciphers(sslConfiguration.getEnabledCipherSuites());
+			}
 		}
 		catch (GeneralSecurityException | IOException e) {
 			throw new IllegalStateException(e);
@@ -189,6 +197,16 @@ private static org.eclipse.jetty.client.HttpClient getHttpClient(SslConfiguratio
 					sslContextFactory.setKeyManagerPassword(new String(keyConfiguration.getKeyPassword()));
 				}
 
+				if (sslConfiguration.getEnabledProtocols() != null) {
+					sslContextFactory
+							.setIncludeProtocols(sslConfiguration.getEnabledProtocols().toArray(new String[0]));
+				}
+
+				if (sslConfiguration.getEnabledCipherSuites() != null) {
+					sslContextFactory
+							.setIncludeCipherSuites(sslConfiguration.getEnabledCipherSuites().toArray(new String[0]));
+				}
+
 				return new org.eclipse.jetty.client.HttpClient(sslContextFactory);
 			}
 

spring-vault-core/src/main/java/org/springframework/vault/client/ClientHttpRequestFactoryFactory.java

@@ -43,9 +43,6 @@
 import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509TrustManager;
 
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
-import okhttp3.OkHttpClient.Builder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.http.client.config.RequestConfig;
@@ -55,7 +52,6 @@
 import org.apache.http.impl.client.LaxRedirectStrategy;
 import org.apache.http.impl.conn.DefaultSchemePortResolver;
 import org.apache.http.impl.conn.SystemDefaultRoutePlanner;
-
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.http.client.Netty4ClientHttpRequestFactory;
@@ -69,9 +65,13 @@
 import org.springframework.vault.support.ClientOptions;
 import org.springframework.vault.support.PemObject;
 import org.springframework.vault.support.SslConfiguration;
+import org.springframework.vault.support.SslConfiguration.KeyConfiguration;
 import org.springframework.vault.support.SslConfiguration.KeyStoreConfiguration;
 
-import static org.springframework.vault.support.SslConfiguration.KeyConfiguration;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import okhttp3.ConnectionSpec;
+import okhttp3.OkHttpClient.Builder;
 
 /**
  * Factory for {@link ClientHttpRequestFactory} that supports Apache HTTP Components,
@@ -298,7 +298,21 @@ static ClientHttpRequestFactory usingHttpComponents(ClientOptions options, SslCo
 			if (hasSslConfiguration(sslConfiguration)) {
 
 				SSLContext sslContext = getSSLContext(sslConfiguration, getTrustManagers(sslConfiguration));
-				SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
+
+				String[] enabledProtocols = null;
+
+				if (sslConfiguration.getEnabledProtocols() != null) {
+					enabledProtocols = sslConfiguration.getEnabledProtocols().toArray(new String[0]);
+				}
+
+				String[] enabledCipherSuites = null;
+
+				if (sslConfiguration.getEnabledCipherSuites() != null) {
+					enabledCipherSuites = sslConfiguration.getEnabledCipherSuites().toArray(new String[0]);
+				}
+
+				SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext,
+						enabledProtocols, enabledCipherSuites, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
 				httpClientBuilder.setSSLSocketFactory(sslSocketFactory);
 				httpClientBuilder.setSSLContext(sslContext);
 			}
@@ -332,6 +346,8 @@ static ClientHttpRequestFactory usingOkHttp3(ClientOptions options, SslConfigura
 
 			Builder builder = new Builder();
 
+			ConnectionSpec sslConnectionSpec = ConnectionSpec.MODERN_TLS;
+
 			if (hasSslConfiguration(sslConfiguration)) {
 
 				TrustManager[] trustManagers = getTrustManagers(sslConfiguration);
@@ -344,9 +360,24 @@ static ClientHttpRequestFactory usingOkHttp3(ClientOptions options, SslConfigura
 				X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
 				SSLContext sslContext = getSSLContext(sslConfiguration, trustManagers);
 
+				ConnectionSpec.Builder sslConnectionSpecBuilder = new ConnectionSpec.Builder(sslConnectionSpec);
+
+				if (sslConfiguration.getEnabledProtocols() != null) {
+					sslConnectionSpecBuilder.tlsVersions(sslConfiguration.getEnabledProtocols().toArray(new String[0]));
+				}
+
+				if (sslConfiguration.getEnabledCipherSuites() != null) {
+					sslConnectionSpecBuilder
+							.cipherSuites(sslConfiguration.getEnabledCipherSuites().toArray(new String[0]));
+				}
+
+				sslConnectionSpec = sslConnectionSpecBuilder.build();
+
 				builder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
 			}
 
+			builder.connectionSpecs(Arrays.asList(sslConnectionSpec, ConnectionSpec.CLEARTEXT));
+
 			builder.connectTimeout(options.getConnectionTimeout().toMillis(), TimeUnit.MILLISECONDS)
 					.readTimeout(options.getReadTimeout().toMillis(), TimeUnit.MILLISECONDS);
 
@@ -382,6 +413,14 @@ static ClientHttpRequestFactory usingNetty(ClientOptions options, SslConfigurati
 							sslConfiguration.getKeyConfiguration()));
 				}
 
+				if (sslConfiguration.getEnabledProtocols() != null) {
+					sslContextBuilder.protocols(sslConfiguration.getEnabledProtocols());
+				}
+
+				if (sslConfiguration.getEnabledCipherSuites() != null) {
+					sslContextBuilder.ciphers(sslConfiguration.getEnabledCipherSuites());
+				}
+
 				requestFactory.setSslContext(sslContextBuilder.sslProvider(SslProvider.JDK).build());
 			}
 

spring-vault-core/src/main/java/org/springframework/vault/config/EnvironmentVaultConfiguration.java

@@ -16,10 +16,11 @@
 package org.springframework.vault.config;
 
 import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
@@ -231,7 +232,12 @@ public SslConfiguration sslConfiguration() {
 		KeyStoreConfiguration trustStoreConfiguration = getKeyStoreConfiguration("vault.ssl.trust-store",
 				"vault.ssl.trust-store-password", "vault.ssl.trust-store-type");
 
-		return new SslConfiguration(keyStoreConfiguration, trustStoreConfiguration);
+		List<String> enabledProtocols = getList("vault.ssl.enabled-protocols");
+
+		List<String> enabledCipherSuites = getList("vault.ssl.enabled-cipher-suites");
+
+		return new SslConfiguration(keyStoreConfiguration, trustStoreConfiguration, enabledProtocols,
+				enabledCipherSuites);
 	}
 
 	private KeyStoreConfiguration getKeyStoreConfiguration(String resourceProperty, String passwordProperty,
@@ -421,6 +427,16 @@ protected ClientAuthentication kubeAuthentication() {
 		return new KubernetesAuthentication(builder.build(), restOperations());
 	}
 
+	private List<String> getList(String key) {
+		String val = getEnvironment().getProperty(key);
+
+		if (val == null) {
+			return null;
+		}
+
+		return Arrays.asList(val.split(","));
+	}
+
 	@Nullable
 	private String getProperty(String key) {
 		return getEnvironment().getProperty(key);

spring-vault-core/src/main/java/org/springframework/vault/support/SslConfiguration.java

@@ -18,7 +18,10 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 
 import org.springframework.core.io.AbstractResource;
 import org.springframework.core.io.Resource;
@@ -60,6 +63,10 @@ public class SslConfiguration {
 
 	private final KeyConfiguration keyConfiguration;
 
+	private final List<String> enabledProtocols;
+
+	private final List<String> enabledCipherSuites;
+
 	/**
 	 * Create a new {@link SslConfiguration} with the default {@link KeyStore} type.
 	 * @param keyStore the key store resource, must not be {@literal null}.
@@ -96,14 +103,23 @@ public SslConfiguration(KeyStoreConfiguration keyStoreConfiguration,
 	 * Create a new {@link SslConfiguration}.
 	 * @param keyStoreConfiguration the key store configuration, must not be
 	 * {@literal null}.
-	 * @param keyConfiguration the configuration for a specific key in
-	 * {@code keyStoreConfiguration} to use.
 	 * @param trustStoreConfiguration the trust store configuration, must not be
 	 * {@literal null}.
-	 * @since 2.2
+	 * @param enabledProtocols the enabled SSL protocols, elements must match protocol
+	 * version strings used by the enabled Java SSL provider. May be {@literal null} to
+	 * indicate the SSL socket factory should use a default list of enabled protocol
+	 * versions.
+	 * @param enabledCipherSuites the enabled SSL cipher suites, elements must match
+	 * cipher suite strings used by the enabled Java SSL provider. May be {@literal null}
+	 * to indicate the SSL socket factory should use a default list of enabled cipher
+	 * suites.
+	 * @since 2.4
+	 * @see sun.security.ssl.ProtocolVersion
+	 * @see sun.security.ssl.CipherSuite
 	 */
 	public SslConfiguration(KeyStoreConfiguration keyStoreConfiguration, KeyConfiguration keyConfiguration,
-			KeyStoreConfiguration trustStoreConfiguration) {
+			KeyStoreConfiguration trustStoreConfiguration, List<String> enabledProtocols,
+			List<String> enabledCipherSuites) {
 
 		Assert.notNull(keyStoreConfiguration, "KeyStore configuration must not be null");
 		Assert.notNull(keyConfiguration, "KeyConfiguration must not be null");
@@ -112,6 +128,50 @@ public SslConfiguration(KeyStoreConfiguration keyStoreConfiguration, KeyConfigur
 		this.keyStoreConfiguration = keyStoreConfiguration;
 		this.keyConfiguration = keyConfiguration;
 		this.trustStoreConfiguration = trustStoreConfiguration;
+		this.enabledProtocols = enabledProtocols != null
+				? Collections.unmodifiableList(new ArrayList<>(enabledProtocols)) : null;
+		this.enabledCipherSuites = enabledCipherSuites != null
+				? Collections.unmodifiableList(new ArrayList<>(enabledCipherSuites)) : null;
+	}
+
+	/**
+	 * Create a new {@link SslConfiguration}.
+	 * @param keyStoreConfiguration the key store configuration, must not be
+	 * {@literal null}.
+	 * @param keyConfiguration the configuration for a specific key in
+	 * {@code keyStoreConfiguration} to use.
+	 * @param trustStoreConfiguration the trust store configuration, must not be
+	 * {@literal null}.
+	 * @since 2.2
+	 */
+	public SslConfiguration(KeyStoreConfiguration keyStoreConfiguration, KeyConfiguration keyConfiguration,
+			KeyStoreConfiguration trustStoreConfiguration) {
+		this(keyStoreConfiguration, keyConfiguration, trustStoreConfiguration, null, null);
+	}
+
+	/**
+	 * Create a new {@link SslConfiguration}.
+	 * @param keyStoreConfiguration the key store configuration, must not be
+	 * {@literal null}.
+	 * @param trustStoreConfiguration the trust store configuration, must not be
+	 * {@literal null}.
+	 * @param enabledProtocols the enabled SSL protocols, elements must match protocol
+	 * version strings used by the enabled Java SSL provider. May be {@literal null} to
+	 * indicate the SSL socket factory should use a default list of enabled protocol
+	 * versions.
+	 * @param enabledCipherSuites the enabled SSL cipher suites, elements must match
+	 * cipher suite strings used by the enabled Java SSL provider. May be {@literal null}
+	 * to indicate the SSL socket factory should use a default list of enabled cipher
+	 * suites.
+	 * @since 2.4
+	 * @see sun.security.ssl.ProtocolVersion
+	 * @see sun.security.ssl.CipherSuite
+	 */
+	public SslConfiguration(KeyStoreConfiguration keyStoreConfiguration, KeyStoreConfiguration trustStoreConfiguration,
+			List<String> enabledProtocols, List<String> enabledCipherSuites) {
+
+		this(keyStoreConfiguration, KeyConfiguration.unconfigured(), trustStoreConfiguration, enabledProtocols,
+				enabledCipherSuites);
 	}
 
 	/**
@@ -299,6 +359,54 @@ public static SslConfiguration unconfigured() {
 		return new SslConfiguration(KeyStoreConfiguration.unconfigured(), KeyStoreConfiguration.unconfigured());
 	}
 
+	/**
+	 * The list of SSL protocol versions that must be enabled. A value of {@literal null}
+	 * indicates that the SSL socket factory should use a default list of enabled protocol
+	 * versions.
+	 * @return the list of enabled SSL protocol versions.
+	 * @since 2.4
+	 */
+	public List<String> getEnabledProtocols() {
+		return this.enabledProtocols;
+	}
+
+	/**
+	 * Create a new {@link SslConfiguration} with the enabled protocol versions applied
+	 * retaining the other configuration from this instance.
+	 * @param enabledProtocols may be {@literal null}.
+	 * @return a new {@link SslConfiguration} with the enabled protocol versions applied.
+	 * @since 2.4
+	 * @see sun.security.ssl.ProtocolVersion
+	 */
+	public SslConfiguration withEnabledProtocols(List<String> enabledProtocols) {
+		return new SslConfiguration(this.keyStoreConfiguration, this.keyConfiguration, this.trustStoreConfiguration,
+				enabledProtocols, this.enabledCipherSuites);
+	}
+
+	/**
+	 * The list of SSL cipher suites that must be enabled. A value of {@literal null}
+	 * indicates that the SSL socket factory should use a default list of enabled cipher
+	 * suites.
+	 * @return the list of enabled SSL cipher suites.
+	 * @since 2.4
+	 */
+	public List<String> getEnabledCipherSuites() {
+		return this.enabledCipherSuites;
+	}
+
+	/**
+	 * Create a new {@link SslConfiguration} with the enabled cipher suites applied
+	 * retaining the other configuration from this instance.
+	 * @param enabledCipherSuites may be {@literal null}.
+	 * @return a new {@link SslConfiguration} with the enabled cipher suites applied.
+	 * @since 2.4
+	 * @see sun.security.ssl.CipherSuite
+	 */
+	public SslConfiguration withEnabledCipherSuites(List<String> enabledCipherSuites) {
+		return new SslConfiguration(this.keyStoreConfiguration, this.keyConfiguration, this.trustStoreConfiguration,
+				this.enabledProtocols, enabledCipherSuites);
+	}
+
 	/**
 	 * @return the {@link java.security.KeyStore key store} resource or {@literal null} if
 	 * not configured.