refactor: use SSLContext.getInstance("TLSv1.3") instead of "TLS" + setProtocols

jetersen · jetersen · commit 0527147eaf2e · 2026-05-28T15:59:01.000+02:00
On Java 11+ SunJSSE, "TLSv1.3" enables [TLSv1.3, TLSv1.2] by default,
which is more explicit about intent than "TLS" + manual setProtocols.
Drops the SSLParameters block from Rest.getClient().
diff --git a/src/main/java/io/github/jopenlibs/vault/SslConfig.java b/src/main/java/io/github/jopenlibs/vault/SslConfig.java
@@ -578,7 +578,7 @@ private SSLContext buildSslContextFromJks() throws VaultException {
         }
 
         try {
-            final SSLContext sslContext = SSLContext.getInstance("TLS");
+            final SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
             sslContext.init(keyManagers, trustManagers, null);
             return sslContext;
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
@@ -643,7 +643,7 @@ private SSLContext buildSslContextFromPem() throws VaultException {
                 keyManagers = keyManagerFactory.getKeyManagers();
             }
 
-            final SSLContext sslContext = SSLContext.getInstance("TLS");
+            final SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
             sslContext.init(keyManagers, trustManagers, null);
             return sslContext;
         } catch (CertificateException | IOException | NoSuchAlgorithmException | KeyStoreException |
diff --git a/src/main/java/io/github/jopenlibs/vault/rest/Rest.java b/src/main/java/io/github/jopenlibs/vault/rest/Rest.java
@@ -29,7 +29,6 @@
 import java.util.TreeMap;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509ExtendedTrustManager;
 
@@ -79,7 +78,7 @@ public class Rest {
 
     static {
         try {
-            DISABLED_SSL_CONTEXT = SSLContext.getInstance("TLS");
+            DISABLED_SSL_CONTEXT = SSLContext.getInstance("TLSv1.3");
             DISABLED_SSL_CONTEXT.init(null, new TrustManager[]{new X509ExtendedTrustManager() {
                 @Override
                 public void checkClientTrusted(X509Certificate[] chain, String authType,
@@ -475,9 +474,6 @@ private HttpClient getClient() {
         } else if (sslContext != null) {
             client.sslContext(sslContext);
         }
-        final SSLParameters sslParameters = new SSLParameters();
-        sslParameters.setProtocols(new String[]{"TLSv1.2", "TLSv1.3"});
-        client.sslParameters(sslParameters);
         return client.build();
     }
 
diff --git a/src/test/java/io/github/jopenlibs/vault/SSLTests.java b/src/test/java/io/github/jopenlibs/vault/SSLTests.java
@@ -14,7 +14,6 @@
 
 import java.util.Arrays;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLParameters;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
@@ -293,15 +292,5 @@ public void testSslContextFromPemSupportsTls13() throws Exception {
         assertTrue("SSLContext from PEM must support TLSv1.2", supported.contains("TLSv1.2"));
     }
 
-    @Test
-    public void testRestSslParametersExcludesLegacyProtocols() {
-        final SSLParameters params = new SSLParameters();
-        params.setProtocols(new String[]{"TLSv1.2", "TLSv1.3"});
-        final java.util.List<String> enabled = Arrays.asList(params.getProtocols());
-        assertTrue(enabled.contains("TLSv1.2"));
-        assertTrue(enabled.contains("TLSv1.3"));
-        assertTrue("TLSv1 must not be enabled", !enabled.contains("TLSv1"));
-        assertTrue("TLSv1.1 must not be enabled", !enabled.contains("TLSv1.1"));
-    }
 
 }
