Fix SSL cipher configuration with Jetty 9.3

Previously, if a list of ciphers were configured, the default excludes were still applied. Prior to Jetty 9.3, there were no default exclude but Jetty 9.3 introduced some and they override the includes. This commit makes sure that the exclude ciphers are cleared if at least one cipher is explicitly configured. Closes gh-6041

Fix SSL cipher configuration with Jetty 9.3
Previously, if a list of ciphers were configured, the default excludes were still applied. Prior to Jetty 9.3, there were no default exclude but Jetty 9.3 introduced some and they override the includes. This commit makes sure that the exclude ciphers are cleared if at least one cipher is explicitly configured. Closes gh-6041
6cf87842 · Stephane Nicoll · 62fa602f · 6cf87842 · 6cf87842
Commit 6cf87842 authored Jun 10, 2016 by Stephane Nicoll
Showing with 5 additions and 1 deletion

JettyEmbeddedServletContainerFactory.java .../embedded/jetty/JettyEmbeddedServletContainerFactory.java +3 -1

JettyEmbeddedServletContainerFactoryTests.java ...dded/jetty/JettyEmbeddedServletContainerFactoryTests.java +2 -0

No files found.
--- a/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
+++ b/spring-boot/src/main/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactory.java
@@ -75,6 +75,7 @@ import org.springframework.context.ResourceLoaderAware;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.ResourceUtils;
 import org.springframework.util.StringUtils;
@@ -250,8 +251,9 @@ public class JettyEmbeddedServletContainerFactory
 		configureSslClientAuth(factory, ssl);
 		configureSslPasswords(factory, ssl);
 		factory.setCertAlias(ssl.getKeyAlias());
-		if (ssl.getCiphers() != null) {
+		if (!ObjectUtils.isEmpty(ssl.getCiphers() != null)) {
 			factory.setIncludeCipherSuites(ssl.getCiphers());
+			factory.setExcludeCipherSuites();
 		}
 		if (ssl.getEnabledProtocols() != null) {
 			factory.setIncludeProtocols(ssl.getEnabledProtocols());

--- a/spring-boot/src/test/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactoryTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/context/embedded/jetty/JettyEmbeddedServletContainerFactoryTests.java
@@ -136,6 +136,8 @@ public class JettyEmbeddedServletContainerFactoryTests
 				.getConnectionFactory(SslConnectionFactory.class);
 		assertThat(connectionFactory.getSslContextFactory().getIncludeCipherSuites())
 				.containsExactly("ALPHA", "BRAVO", "CHARLIE");
+		assertThat(connectionFactory.getSslContextFactory()
+				.getExcludeCipherSuites()).isEmpty();
 	}

 	@Override