Using SSL Bundle for server configuration ignores other server options

[shollander]

I am attempting to use an SSL Bundle to configure the certificate used by the embedded web server.

If I do something like this in my application.yaml file:

spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
server:
  ssl:
    enabled: true
    enabled-protocols:
      - TLSv1.3
    bundle: mybundle    

It works to configure the server certificate, but the other options (such as server.ssl.enabled-protocols) are ignored.
With this configuration, even though I configure it to only use TLSv1.3, it still responds to TLSv1.2 and TLSv1.3.

If I configure the certificate directly on server.ssl like this:

spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location=/path/to/keystore
            password=secret
server:
  ssl:
    enabled: true
    enabled-protocols:
      - TLSv1.3
    key-store: /path/to/keystore
    key-store-password: secret

then the enabled-protocols setting works and only TLSv1.3 is enabled.

[wilkinsona]

Rather than mixing bundle-based configuration and directly configuring the server's SSL settings, you should only use one or the other. For example:

spring:
  ssl:
    bundle:
      jks:
        mybundle:
          keystore:
            location: /path/to/keystore
            password: secret
          options:
            enabled-protocols:
              - TLSv1.3
server:
  ssl:
    enabled: true
    bundle: mybundle 

We should look at improving the documentation here or perhaps improving the runtime behavior. It could fail-fast when mixing configuration or perhaps the server-specific configuration could somehow override the bundle configuration. Both may have implications for backwards compatibility though.

[philwebb]

We're going to add a NOTE: to the documentation

[scottfrederick]

Closing in favor of #39616