Default TLS protocol to TLSv1.3 and warn when not enabled

BREAKING CHANGE: Changes the default TLS protocol from "TLSv1.3,TLSv1.2" to just "TLSv1.3". Applications requiring TLSv1.2 support must now explicitly configure it using the `protocols` property (set to TLSv1.3,TLSv1.2)

Adds a warning log when TLSv1.3 is not enabled in a TLS bucket configuration.

Author: cescoffier

extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/VertxCertificateHolder.java

@@ -3,17 +3,12 @@
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Optional;
+import java.util.*;
 import java.util.concurrent.TimeUnit;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.*;
+
+import org.jboss.logging.Logger;
 
 import io.quarkus.tls.TlsConfiguration;
 import io.quarkus.tls.runtime.config.TlsBucketConfig;
@@ -114,6 +109,8 @@ public synchronized SSLOptions getSSLOptions() {
         options.setSslHandshakeTimeout(config().handshakeTimeout().toSeconds());
         options.setEnabledSecureTransportProtocols(config().protocols());
 
+        warnIfNotTls13(options.getEnabledSecureTransportProtocols(), name);
+
         for (Buffer buffer : crls) {
             options.addCrlValue(buffer);
         }
@@ -125,6 +122,14 @@ public synchronized SSLOptions getSSLOptions() {
         return options;
     }
 
+    private void warnIfNotTls13(Set<String> protocols, String name) {
+        if (!protocols.stream().map(String::toLowerCase).toList().contains("TLSv1.3".toLowerCase())) {
+            Logger.getLogger(VertxCertificateHolder.class.getName())
+                    .warn("TLSv1.3 protocol is not enabled in TLS bucket '" + name +
+                            "'. It is *strongly* recommended to enable TLSv1.3.");
+        }
+    }
+
     @Override
     public boolean isTrustAll() {
         return config().trustAll() || getTrustStoreOptions() == TrustAllOptions.INSTANCE;

extensions/tls-registry/runtime/src/main/java/io/quarkus/tls/runtime/config/TlsBucketConfig.java

@@ -40,16 +40,15 @@ public interface TlsBucketConfig {
     /**
      * Sets the ordered list of enabled TLS protocols.
      * <p>
-     * If not set, it defaults to {@code "TLSv1.3, TLSv1.2"}.
+     * If not set, it defaults to {@code "TLSv1.3"}.
      * The following list of protocols are supported: {@code TLSv1, TLSv1.1, TLSv1.2, TLSv1.3}.
-     * To only enable {@code TLSv1.3}, set the value to {@code to "TLSv1.3"}.
+     * To enable {@code TLSv1.3} and {@code TLSv1.2}, set the value to {@code to "TLSv1.3, TLSv1.2"}.
      * <p>
      * Note that setting an empty list, and enabling TLS is invalid.
      * You must at least have one protocol.
      * <p>
-     * Also, setting this replaces the default list of protocols.
      */
-    @WithDefault("TLSv1.3,TLSv1.2")
+    @WithDefault("TLSv1.3")
     Set<String> protocols();
 
     /**