Reputation: 171
I have a Spring Boot application running on 2.5.3.
I have configured (hopefully) secure ciphers using:
server:
  port: 8443
  servlet:
    context-path: /somepath
  ssl:
    enabled-protocols: [ TLSv1.2,TLSv1.3 ]
    ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Funny thing is, when I now run SSLyze against my server I just get:
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 2 cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Still runs fine and browsers can connect. But now we would like to connect a different server and call a REST endpoint on my server. That external server doesn't support either of those two suites.
I am wondering, in Spring Boot, why are only two of my requested suites accepted? Where can I configure this (if I can)?
Thanks in advance!
Sascha
Upvotes: 1
Views: 2293
Reputation: 171
Yeah, it was more obvious than anticipated.
I requested some ciphers in the yaml file, Spring Boot can handle some suites (probably through the JVM). What I saw is the intersection of suites supported by Spring and suites that I requested. And that came out to two.
I removed the ciphers restriction. Got the full list of supported ciphers (around 12). Then we picked one secure cipher that they support and that I can do. And added that back to the "ciphers".
Upvotes: 1
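The intersection described in the answer can be checked on the JVM that runs the application before touching the YAML. The following is an added example, not part of the original posts: the class name `CipherIntersection` and the key-type argument are assumptions, and the suite list is copied from the `ciphers` value in the question.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class CipherIntersection {
    // Suite names copied from the server.ssl.ciphers value in the question.
    static final List<String> REQUESTED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");

    public static void main(String[] args) throws Exception {
        // Assumption: the server key algorithm is passed as the first
        // argument ("RSA" or "EC"); RSA is used when nothing is given.
        String keyType = args.length > 0 ? args[0] : "RSA";

        // Suite names the default TLS provider of this JVM knows about.
        Set<String> supported = new TreeSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        for (String suite : REQUESTED) {
            String verdict;
            if (!supported.contains(suite)) {
                // A name the provider does not know cannot be offered.
                verdict = "not supported by this JVM";
            } else if (suite.contains("_ECDSA_") && !keyType.equals("EC")) {
                // ECDSA-authenticated suites need an EC key in the keystore.
                verdict = "supported, but needs an EC server key";
            } else if (suite.contains("_RSA_") && !keyType.equals("RSA")) {
                verdict = "supported, but needs an RSA server key";
            } else {
                verdict = "can be negotiated";
            }
            System.out.printf("%-50s %s%n", suite, verdict);
        }

        // Full list to pick a suite both sides support.
        System.out.println("\nAll suites supported by this JVM:");
        supported.forEach(s -> System.out.println("  " + s));
    }
}
```

Run it with the same Java version as the Spring Boot service, since the supported list differs between JVM releases and security providers.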