We're writing an application using Spring Boot Webflux and trying to configure SSL.
In `application.yml`, we have:
```yaml
server:
  port: 8443
  ssl:
    enabled: true
    key-store: file:fakecert.p12
    key-store-type: PKCS12
    key-store-password: ${}
    key-password: ${}
    protocol: TLS
    enabled-protocols: TLSv1.2
    ciphers: CIPHER_1,CIPHER_2
```
What is really ambiguous in the docs is that the `ciphers` property is not used by all embedded servers (the default Netty sure doesn't, apparently looking at the provided certificate to pick a cipher). If we switch to Tomcat we see it pick up the cipher list, but we didn't see it mentioned anywhere.
Questions I had about the documentation of SSL:
* Should that info (embedded servers that use this field) be in the Description field in the Server Properties reference?
* Should `server.ssl.protocol` and `server.ssl.enabled-protocols` have a list of supported options?
* Should `server.ssl.ciphers` specify a preferred naming convention for ciphers? Should we specify the IANA name, OpenSSL, GnuTLS?
* Should the Description field specify the variable type? For example, I wasn't sure whether `ciphers` should be a comma-separated string or a list.
I understand that this is server-dependent and you can't specify everything but it would sure be nice.
Comment From: wilkinsona
> What is really ambiguous in docs is that ciphers property is not used by all embedded servers (default netty sure doesn't)

Netty's SSL customization uses the ciphers, configuring them on Netty's `SslContextBuilder`:
https://github.com/spring-projects/spring-boot/blob/4fd8f376dc9d784f5d990b90dc7a61d721b1bbf2/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/netty/SslServerCustomizer.java#L95-L97
> Should that info (embedded servers that use this field) be in Description field in Server Properties reference?

All four containers (Jetty, Netty, Tomcat, and Undertow) use the ciphers. This applies to all `server.*` properties that aren't beneath `server.jetty.*`, `server.netty.*`, `server.tomcat.*`, or `server.undertow.*`.
> Should `server.ssl.protocol` and `server.ssl.enabled-protocols` have a list of supported options?
I don't think they can as the supported protocols cannot be known in advance. They vary depending upon the providers that are registered with the JVM.
> Should server.ssl.ciphers specify a preferred naming convention for ciphers? Should we specify IANA name, OpenSSL, GnuTLS?

I don't think they can as, like the protocol, it varies depending upon the providers registered with the JVM. The provider that is used to obtain the `SSLContext` for the configured protocol will then affect the naming convention used for the ciphers that the `SSLEngine` supports.
> Should Description field specify variable type? For example, I wasn't sure whether ciphers should be a comma-separated string or a list.

We prefer not to duplicate the type information in the description as it's already included in a separate field in the metadata that your IDE uses to offer auto-complete for each property. When the property is an array or a list, the binder supports both a comma-separated string or a list in your YAML. If you're using YAML, I prefer the latter and I believe your IDE should guide you towards this.
Thanks anyway for the suggestions but, based on the above, I don't think there's anything that we can improve here as any additional information that we might want to include isn't available until runtime.
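Since the accepted cipher names depend on the provider the JVM resolves at runtime, a practical pre-deployment check is to ask that provider directly. The following is an added example, not code from Spring Boot or from this thread: it lists the protocols the default provider supports and flags entries of a constructed `server.ssl.ciphers` list that the provider does not recognise (here an OpenSSL-style name mixed in with JSSE names). It assumes the JDK's default JSSE provider is the one serving connections; with another provider registered, the names it reports may differ, which is the point made above.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class SslNameCheck {

    // Returns the configured cipher names that the provider backing `protocol`
    // does not support. Names must match SSLEngine.getSupportedCipherSuites(),
    // i.e. the JSSE convention, not OpenSSL or IANA spellings.
    static List<String> unsupportedCiphers(String protocol, List<String> configured)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key/trust managers suffice for discovery
        SSLEngine engine = ctx.createSSLEngine();
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        return configured.stream()
                .filter(name -> !supported.contains(name))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        SSLContext def = SSLContext.getDefault();
        SSLEngine engine = def.createSSLEngine();
        System.out.println("Provider:            " + def.getProvider().getName());
        System.out.println("Supported protocols: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(engine.getEnabledProtocols()));

        // Constructed sample list: two JSSE names and one OpenSSL-style name
        // that a JSSE provider will reject.
        List<String> configured = List.of(
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384");
        System.out.println("Not supported here:  " + unsupportedCiphers("TLSv1.2", configured));
    }
}
```

Running this on the JVM that will host the application (and with the same providers registered) tells you which names are safe to place in `server.ssl.ciphers` and `server.ssl.enabled-protocols` before the server refuses them at startup.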