Default TLS protocol to TLSv1.3 and warn when not enabled

BREAKING CHANGE: Changes the default TLS protocol from "TLSv1.3,TLSv1.2" to just "TLSv1.3". Applications requiring TLSv1.2 support must now explicitly configure it using the `protocols` property (set to TLSv1.3,TLSv1.2)

Adds a warning log when TLSv1.3 is not enabled in a TLS bucket configuration.

Author: cescoffier

extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java

@@ -7,6 +7,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManager;
@@ -15,6 +16,8 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 
+import org.jboss.logging.Logger;
+
 import io.quarkus.tls.TlsConfiguration;
 import io.quarkus.tls.runtime.config.TlsBucketConfig;
 import io.quarkus.tls.runtime.config.TlsConfigUtils;
@@ -114,6 +117,8 @@ public synchronized SSLOptions getSSLOptions() {
         options.setSslHandshakeTimeout(config().handshakeTimeout().toSeconds());
         options.setEnabledSecureTransportProtocols(config().protocols());
 
+        warnIfNotTls13(options.getEnabledSecureTransportProtocols(), name);
+
         for (Buffer buffer : crls) {
             options.addCrlValue(buffer);
         }
@@ -125,6 +130,14 @@ public synchronized SSLOptions getSSLOptions() {
         return options;
     }
 
+    private void warnIfNotTls13(Set<String> protocols, String name) {
+        if (!protocols.stream().map(String::toLowerCase).toList().contains("TLSv1.3".toLowerCase())) {
+            Logger.getLogger(VertxCertificateHolder.class.getName())
+                    .warn("TLSv1.3 protocol is not enabled in TLS bucket '" + name +
+                            "'. It is *strongly* recommended to enable TLSv1.3.");
+        }
+    }
+
     @Override
     public boolean isTrustAll() {
         return config().trustAll() || getTrustStoreOptions() == TrustAllOptions.INSTANCE;

extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java

@@ -40,16 +40,15 @@ public interface TlsBucketConfig {
     /**
      * Sets the ordered list of enabled TLS protocols.
      * <p>
-     * If not set, it defaults to {@code "TLSv1.3, TLSv1.2"}.
+     * If not set, it defaults to {@code "TLSv1.3"}.
      * The following list of protocols are supported: {@code TLSv1, TLSv1.1, TLSv1.2, TLSv1.3}.
-     * To only enable {@code TLSv1.3}, set the value to {@code to "TLSv1.3"}.
+     * To enable {@code TLSv1.3} and {@code TLSv1.2}, set the value to {@code to "TLSv1.3, TLSv1.2"}.
      * <p>
      * Note that setting an empty list, and enabling TLS is invalid.
      * You must at least have one protocol.
      * <p>
-     * Also, setting this replaces the default list of protocols.
      */
-    @WithDefault("TLSv1.3,TLSv1.2")
+    @WithDefault("TLSv1.3")
     Set<String> protocols();
 
     /**

integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/TlsProtocolVersionDefaultTestCase.java

@@ -20,7 +20,7 @@
 @QuarkusTest
 public class TlsProtocolVersionDefaultTestCase {
 
-    @TestHTTPResource(value = "/hello", ssl = true)
+    @TestHTTPResource(value = "/hello", tls = true)
     String url;
 
     @Inject
@@ -55,16 +55,16 @@ void testWithWebClientRequestingTls13() {
 
     @Test
     void testWithWebClientRequestingTls12() {
-        // The Web client is requesting TLS 1.2, the server is exposing 1.2 and 1.3 - all good
+        // The Web client is requesting TLS 1.2, the server is exposing 1.3 - KO
         WebClient client = WebClient.create(vertx, new WebClientOptions().setSsl(true)
                 .setEnabledSecureTransportProtocols(Set.of("TLSv1.2"))
                 .setKeyStoreOptions(
                         new JksOptions().setPath("src/test/resources/client-keystore-1.jks").setPassword("password"))
                 .setTrustStoreOptions(
                         new JksOptions().setPath("src/test/resources/client-truststore.jks").setPassword("password"))
                 .setVerifyHost(false));
-        var resp = client.getAbs(url).sendAndAwait();
-        Assertions.assertEquals(200, resp.statusCode());
+        Throwable exception = Assertions.assertThrows(CompletionException.class, () -> client.getAbs(url).sendAndAwait());
+        Assertions.assertTrue(exception.getCause() instanceof SSLHandshakeException);
     }
 
     @Test