Skip to content

Default TLS protocol to TLSv1.3 and warn when not enabled #51336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Default TLS protocol to TLSv1.3 and warn when not enabled #51336

wants to merge 1 commit into from
+20 −8

Conversation

@cescoffier
Copy link
Member

@cescoffier cescoffier commented Dec 2, 2025

BREAKING CHANGE: Changes the default TLS protocol from "TLSv1.3,TLSv1.2" to just "TLSv1.3". Applications requiring TLSv1.2 support must now explicitly configure it using the protocols property (set to TLSv1.3, TLSv1.2)

Adds a warning log when TLSv1.3 is not enabled in a TLS bucket configuration.

@cescoffier cescoffier requested a review from gsmet December 2, 2025 15:12
@quarkus-bot

This comment has been minimized.

Sign in to view
@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

🎊 PR Preview a817616 has been successfully built and deployed to https://quarkus-pr-main-51336-preview.surge.sh/version/main/guides/

  • Images of blog posts older than 3 months are not available.
  • Newsletters older than 3 months are not available.

sberyozkin
sberyozkin approved these changes Dec 2, 2025
View reviewed changes
Copy link
Member

@sberyozkin sberyozkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks.

The only thing that probably needs an update is reverting an import collapsing to javax.net.ssl.* and java.util.*, unless it is now recommended ?

@cescoffier
Copy link
Member Author

cescoffier commented Dec 2, 2025

No, good catch, stupid ide.

@sberyozkin
Copy link
Member

sberyozkin commented Dec 2, 2025

I won't be merging in any case, as Guillaume was asked to approve

@quarkus-bot

This comment has been minimized.

Sign in to view
@cescoffier
Copy link
Member Author

cescoffier commented Dec 2, 2025

Ah ah, didn't know we weee testing that. I will update the PR tomorrow

@cescoffier
Default TLS protocol to TLSv1.3 and warn when not enabled
101d6ad 
BREAKING CHANGE: Changes the default TLS protocol from "TLSv1.3,TLSv1.2" to just "TLSv1.3". Applications requiring TLSv1.2 support must now explicitly configure it using the `protocols` property (set to TLSv1.3,TLSv1.2)

Adds a warning log when TLSv1.3 is not enabled in a TLS bucket configuration.
@cescoffier
Copy link
Member Author

cescoffier commented Dec 3, 2025

I updated the PR - however, I believe I will still hit the openapi issue. Let's see.

@quarkus-bot
Copy link

quarkus-bot bot commented Dec 3, 2025

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 101d6ad.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

@quarkus-bot
Copy link

quarkus-bot bot commented Dec 3, 2025
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 101d6ad.

Failing Jobs

Status Name Step Failures Logs Raw logs Build scan
✔️ JVM Tests - JDK 17 Logs Raw logs 🚧
JVM Tests - JDK 21 Build Failures Logs Raw logs 🚧
✔️ JVM Tests - JDK 21 Semeru Logs Raw logs 🚧
JVM Tests - JDK 25 Build Failures Logs Raw logs 🚧

You can consult the Develocity build scans.

Failures

⚙️ JVM Tests - JDK 21 #

- Failing: extensions/smallrye-openapi/deployment 
! Skipped: extensions/agroal/deployment extensions/elytron-security-jdbc/deployment extensions/flyway/deployment and 56 more

📦 extensions/smallrye-openapi/deployment

Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.5.4:test (default-test) on project quarkus-smallrye-openapi-deployment:

See /home/runner/_work/quarkus/quarkus/extensions/smallrye-openapi/deployment/target/surefire-reports for the individual test results.
See dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
There was an error in the forked process

⚙️ JVM Tests - JDK 25 #

- Failing: extensions/smallrye-openapi/deployment 
! Skipped: extensions/agroal/deployment extensions/elytron-security-jdbc/deployment extensions/flyway/deployment and 56 more

📦 extensions/smallrye-openapi/deployment

Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.5.4:test (default-test) on project quarkus-smallrye-openapi-deployment:

See /home/runner/_work/quarkus/quarkus/extensions/smallrye-openapi/deployment/target/surefire-reports for the individual test results.
See dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
There was an error in the forked process

Flaky tests - Develocity

⚙️ JVM Tests - JDK 21

📦 extensions/smallrye-reactive-messaging/deployment

io.quarkus.smallrye.reactivemessaging.hotreload.ConnectorChangeTest.testUpdatingConnector - History

  • Expecting actual: ["-4","-5","-6","-7","-8","-9","-10","-11"] to start with: ["-3", "-4", "-5", "-6"] - java.lang.AssertionError
java.lang.AssertionError: 

Expecting actual:
  ["-4","-5","-6","-7","-8","-9","-10","-11"]
to start with:
  ["-3", "-4", "-5", "-6"]

	at io.quarkus.smallrye.reactivemessaging.hotreload.ConnectorChangeTest.testUpdatingConnector(ConnectorChangeTest.java:36)

⚙️ MicroProfile TCKs Tests

📦 tcks/microprofile-lra

org.eclipse.microprofile.lra.tck.TckRecoveryTests.testCancelWhenParticipantIsUnavailable - History

  • Expecting the metric Compensated callback was called Expected: a value equal to or greater than <1> but: <0> was less than <1> - java.lang.AssertionError
java.lang.AssertionError: 
Expecting the metric Compensated callback was called
Expected: a value equal to or greater than <1>
     but: <0> was less than <1>
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
	at org.eclipse.microprofile.lra.tck.TckRecoveryTests.assertMetricCallbackCalled(TckRecoveryTests.java:210)
	at org.eclipse.microprofile.lra.tck.TckRecoveryTests.testCancelWhenParticipantIsUnavailable(TckRecoveryTests.java:195)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sberyozkin sberyozkin sberyozkin approved these changes

@gsmet gsmet Awaiting requested review from gsmet

Assignees

No one assigned

Labels

area/vertx release/breaking-change triage/flaky-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cescoffier @sberyozkin