Add configurable TLS protocol versions

Author: antonstamov

docs/guides/implementing-mutual-tls.md

@@ -182,6 +182,7 @@ object ServerApp extends ZIOAppDefault {
       ),
       includeClientCert = false,
       clientAuth = Some(ClientAuth.Required),
+      protocols = Seq("TLSv1.3", "TLSv1.2"),
     )
 
   private val serverConfig =
@@ -201,6 +202,8 @@ Please note that we enabled the `ClientAuth.Required` option in the SSL configur
 
 If we want to access the client certificate, we can enable the `includeClientCert` option in the SSL configuration. This allows us to access the client certificate via `req.remoteCertificate` in the request handler.
 
+The `protocols` parameter in `SSLConfig` allows configuring supported TLS protocol versions. This is useful for disabling older protocol versions for security reasons.
+
 ### Client Implementation
 
 Similarly, the client implementation for mTLS requires both a keystore (containing the client's certificate and private key) and a truststore (containing the CA certificate used to verify the server's certificate). The client will automatically send its certificate during the TLS handshake if configured correctly:

project/MimaSettings.scala

@@ -43,6 +43,14 @@ object MimaSettings {
         ProblemFilters.exclude[MissingClassProblem]("zio.http.netty.NettyHeaderEncoding"),
         ProblemFilters.exclude[MissingClassProblem]("zio.http.netty.NettyHeaderEncoding$"),
         exclude[Problem]("zio.http.template2.*"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.apply"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.copy"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.this"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.fromJavaxNetSsl"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.fromJavaxNetSslKeyStoreResource"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.fromJavaxNetSslKeyStoreFile"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.fromResource"),
+        ProblemFilters.exclude[DirectMissingMethodProblem]("zio.http.SSLConfig.fromFile"),
       ),
       mimaFailOnProblem := failOnProblem,
     )

zio-http/jvm/src/main/scala/zio/http/netty/server/ServerSSLDecoder.scala

@@ -52,6 +52,7 @@ private[netty] object SSLUtil {
       clientAuthConfig.foreach(ca => self.clientAuth(getClientAuth(ca)))
       self
         .sslProvider(toNettyProvider(sslConfig.provider))
+        .protocols(sslConfig.protocols: _*)
         .applicationProtocolConfig(
           new ApplicationProtocolConfig(
             Protocol.ALPN,

zio-http/shared/src/main/scala/zio/http/SSLConfig.scala

@@ -36,6 +36,7 @@ final case class SSLConfig(
   provider: Provider,
   clientAuth: Option[ClientAuth] = None,
   includeClientCert: Boolean = false,
+  protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
 )
 
 object SSLConfig {
@@ -68,13 +69,15 @@ object SSLConfig {
     clientAuth: Option[ClientAuth] = None,
     trustCertCollectionPath: Option[String] = None,
     includeClientCert: Boolean = false,
+    protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
   ): SSLConfig =
     new SSLConfig(
       behaviour,
       Data.FromFile(certPath, keyPath, trustCertCollectionPath),
       Provider.JDK,
       clientAuth,
       includeClientCert,
+      protocols,
     )
 
   def fromResource(certPath: String, keyPath: String): SSLConfig =
@@ -90,13 +93,15 @@ object SSLConfig {
     clientAuth: Option[ClientAuth] = None,
     trustCertCollectionPath: Option[String] = None,
     includeClientCert: Boolean = false,
+    protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
   ): SSLConfig =
     new SSLConfig(
       behaviour,
       Data.FromResource(certPath, keyPath, trustCertCollectionPath),
       Provider.JDK,
       clientAuth,
       includeClientCert,
+      protocols,
     )
 
   def fromJavaxNetSslKeyStoreFile(
@@ -107,6 +112,7 @@ object SSLConfig {
     trustManagerKeyStore: Option[Data.TrustManagerKeyStore] = None,
     clientAuth: Option[ClientAuth] = None,
     includeClientCert: Boolean = false,
+    protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
   ): SSLConfig =
     new SSLConfig(
       behaviour,
@@ -119,6 +125,7 @@ object SSLConfig {
       Provider.JDK,
       clientAuth,
       includeClientCert,
+      protocols,
     )
 
   def fromJavaxNetSslKeyStoreFile(keyManagerFile: String, keyManagerPassword: Secret): SSLConfig =
@@ -131,6 +138,7 @@ object SSLConfig {
     trustManagerKeyStore: Option[Data.TrustManagerKeyStore] = None,
     clientAuth: Option[ClientAuth] = None,
     includeClientCert: Boolean = false,
+    protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
   ): SSLConfig = {
     fromJavaxNetSsl(
       Data.FromJavaxNetSsl(
@@ -142,6 +150,7 @@ object SSLConfig {
       HttpBehaviour.Redirect,
       clientAuth,
       includeClientCert,
+      protocols,
     )
   }
 
@@ -150,13 +159,15 @@ object SSLConfig {
     behaviour: HttpBehaviour = HttpBehaviour.Redirect,
     clientAuth: Option[ClientAuth] = None,
     includeClientCert: Boolean = false,
+    protocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2"),
   ): SSLConfig =
     new SSLConfig(
       behaviour,
       data,
       Provider.JDK,
       clientAuth,
       includeClientCert,
+      protocols,
     )
 
   def fromJavaxNetSslKeyStoreResource(keyManagerResource: String, keyManagerPassword: Secret): SSLConfig =