From 101d6adef344c4edb95e7abc79d58f83a59f7b8d Mon Sep 17 00:00:00 2001
From: Clement Escoffier
Date: Tue, 2 Dec 2025 16:11:04 +0100
Subject: [PATCH] Default TLS protocol to TLSv1.3 and warn when not enabled

BREAKING CHANGE: Changes the default TLS protocol from "TLSv1.3,TLSv1.2" to just "TLSv1.3". Applications requiring TLSv1.2 support must now explicitly configure it using the `protocols` property (set to TLSv1.3,TLSv1.2)

Adds a warning log when TLSv1.3 is not enabled in a TLS bucket configuration.
---
 .../quarkus/tls/runtime/VertxCertificateHolder.java | 13 +++++++++++++
 .../quarkus/tls/runtime/config/TlsBucketConfig.java | 7 +++----
 .../it/vertx/TlsProtocolVersionDefaultTestCase.java | 8 ++++----
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java b/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java
index 2291281a7f129..1a43d873cd486 100644
--- a/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java
+++ b/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java
@@ -7,6 +7,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManager;
@@ -15,6 +16,8 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 
+import org.jboss.logging.Logger;
+
 import io.quarkus.tls.TlsConfiguration;
 import io.quarkus.tls.runtime.config.TlsBucketConfig;
 import io.quarkus.tls.runtime.config.TlsConfigUtils;
@@ -114,6 +117,8 @@ public synchronized SSLOptions getSSLOptions() {
 
         options.setSslHandshakeTimeout(config().handshakeTimeout().toSeconds());
         options.setEnabledSecureTransportProtocols(config().protocols());
+        warnIfNotTls13(options.getEnabledSecureTransportProtocols(), name);
+
         for (Buffer buffer : crls) {
             options.addCrlValue(buffer);
         }
@@ -125,6 +130,14 @@ public synchronized SSLOptions getSSLOptions() {
         return options;
     }
 
+    private void warnIfNotTls13(Set protocols, String name) {
+        if (!protocols.stream().map(String::toLowerCase).toList().contains("TLSv1.3".toLowerCase())) {
+            Logger.getLogger(VertxCertificateHolder.class.getName())
+                    .warn("TLSv1.3 protocol is not enabled in TLS bucket '" + name + "'. It is *strongly* recommended to enable TLSv1.3.");
+        }
+    }
+
     @Override
     public boolean isTrustAll() {
         return config().trustAll() || getTrustStoreOptions() == TrustAllOptions.INSTANCE;
diff --git a/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java b/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java
index 47eab60a8def9..deae42ae5a04f 100644
--- a/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java
+++ b/extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java
@@ -40,16 +40,15 @@ public interface TlsBucketConfig {
     /**
      * Sets the ordered list of enabled TLS protocols.
      *
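Review bot: The new `warnIfNotTls13(options.getEnabledSecureTransportProtocols(), name)` call sits inside `getSSLOptions()`, which appears to build and hand back a fresh `SSLOptions` each time it is invoked (`return options;` in the following hunk), so a bucket without TLSv1.3 would be warned about on every call rather than once. If `getSSLOptions()` is reached per connection or per certificate reload — I can't tell from the hunk — the log becomes noisy and the warning loses its value; emitting it where the bucket configuration is validated or registered, or guarding it with a once-only flag, keeps one warning per bucket. Reading the protocol set back from `options` after `setEnabledSecureTransportProtocols(config().protocols())` is the right place to observe the effective value. `getSSLOptions()` begins before this hunk.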
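Review bot: The condition in `warnIfNotTls13` only fires when TLSv1.3 is absent, so a bucket configured as `TLSv1.3,TLSv1` or `TLSv1.3,TLSv1.1` (both listed as supported in the TlsBucketConfig Javadoc this commit edits) produces no warning, although enabling those legacy versions is the riskier setting; the same method could warn about any enabled protocol older than TLSv1.2. The case-insensitive match also lets a value such as `tlsv1.3` silence the warning while, if the JSSE engine compares protocol names exactly as I believe it does, that spelling does not enable TLSv1.3 — an exact `protocols.contains("TLSv1.3")` is the safer test. Building a lower-cased list only to call `contains` is heavier than `anyMatch`, the logger is looked up on every call instead of being held in a `private static final Logger LOG` field, and the method reads no instance state so it can be `static`. A rewrite along these lines:
```java
    private static final Logger LOG = Logger.getLogger(VertxCertificateHolder.class);
    // legacy versions the TlsBucketConfig.protocols() Javadoc lists as accepted
    private static final Set<String> LEGACY_PROTOCOLS = Set.of("TLSv1", "TLSv1.1");

    private static void warnIfNotTls13(Set<String> protocols, String name) {
        if (!protocols.contains("TLSv1.3")) {
            LOG.warn("TLSv1.3 protocol is not enabled in TLS bucket '" + name
                    + "'. It is *strongly* recommended to enable TLSv1.3.");
        }
        for (String legacy : LEGACY_PROTOCOLS) {
            if (protocols.contains(legacy)) {
                LOG.warn("Legacy protocol " + legacy + " is enabled in TLS bucket '" + name
                        + "'. It is *strongly* recommended to disable it.");
            }
        }
    }
```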

-     * If not set, it defaults to {@code "TLSv1.3, TLSv1.2"}.
+     * If not set, it defaults to {@code "TLSv1.3"}.
      * The following list of protocols are supported: {@code TLSv1, TLSv1.1, TLSv1.2, TLSv1.3}.
-     * To only enable {@code TLSv1.3}, set the value to {@code to "TLSv1.3"}.
+     * To enable {@code TLSv1.3} and {@code TLSv1.2}, set the value to {@code to "TLSv1.3, TLSv1.2"}.
      *
      * Note that setting an empty list, and enabling TLS is invalid.
      * You must at least have one protocol.
      *
-     * Also, setting this replaces the default list of protocols.
      */
-    @WithDefault("TLSv1.3,TLSv1.2")
+    @WithDefault("TLSv1.3")
     Set protocols();
 
     /**
diff --git a/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/TlsProtocolVersionDefaultTestCase.java b/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/TlsProtocolVersionDefaultTestCase.java
index 645369fad5a94..f1b660c4bd356 100644
--- a/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/TlsProtocolVersionDefaultTestCase.java
+++ b/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/TlsProtocolVersionDefaultTestCase.java
@@ -20,7 +20,7 @@
 @QuarkusTest
 public class TlsProtocolVersionDefaultTestCase {
 
-    @TestHTTPResource(value = "/hello", ssl = true)
+    @TestHTTPResource(value = "/hello", tls = true)
     String url;
 
     @Inject
@@ -55,7 +55,7 @@ void testWithWebClientRequestingTls13() {
 
     @Test
     void testWithWebClientRequestingTls12() {
-        // The Web client is requesting TLS 1.2, the server is exposing 1.2 and 1.3 - all good
+        // The Web client is requesting TLS 1.2, the server is exposing 1.3 - KO
         WebClient client = WebClient.create(vertx, new WebClientOptions().setSsl(true)
                 .setEnabledSecureTransportProtocols(Set.of("TLSv1.2"))
                 .setKeyStoreOptions(
@@ -63,8 +63,8 @@ void testWithWebClientRequestingTls12() {
                 .setTrustStoreOptions(
                         new JksOptions().setPath("src/test/resources/client-truststore.jks").setPassword("password"))
                 .setVerifyHost(false));
-        var resp = client.getAbs(url).sendAndAwait();
-        Assertions.assertEquals(200, resp.statusCode());
+        Throwable exception = Assertions.assertThrows(CompletionException.class, () -> client.getAbs(url).sendAndAwait());
+        Assertions.assertTrue(exception.getCause() instanceof SSLHandshakeException);
     }
 
     @Test
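Review bot: The rewritten example line keeps the stray word carried over from the old text — `{@code to "TLSv1.3, TLSv1.2"}` renders as `to "TLSv1.3, TLSv1.2"` — and should read `set the value to {@code "TLSv1.3,TLSv1.2"}`. Writing the example without the space also matches the spelling the default annotation and the commit message use; whether the config converter trims whitespace around list elements is not visible here, so the unspaced form avoids a question the reader would otherwise have to resolve. With the "setting this replaces the default list of protocols" sentence removed, the Javadoc no longer tells users that a configured value replaces rather than extends the default, which is the point most likely to bite anyone adding TLSv1.2 back; I'd keep that sentence. Since this is a breaking change, a short note such as `Earlier releases defaulted to {@code "TLSv1.3,TLSv1.2"}; TLSv1.2 must now be enabled explicitly.` would help people upgrading.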
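Review bot: `Assertions.assertTrue(exception.getCause() instanceof SSLHandshakeException)` reports only `expected: <true> but was: <false>` when it fails, hiding the actual cause type and message; `Assertions.assertInstanceOf(SSLHandshakeException.class, exception.getCause());` makes the same check and prints what was really thrown. `CompletionException` and `SSLHandshakeException` are referenced here for the first time in this file's hunks, and the diffstat's four insertions for this file are all accounted for by the visible added lines, so no import was added — presumably both names are already imported further up, but that is worth confirming since the test would otherwise not compile. It may also be worth asserting on the cause chain defensively (the handshake failure could be wrapped one level deeper depending on the client), which `assertInstanceOf` would surface clearly if it ever changes.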