fix: use TLSv1.3 SSLContext to allow TLS 1.3 and drop insecure 1.0/1.1

jetersen · jetersen · commit 508089b2e2a9 · 2026-05-28T15:59:44.000+02:00
SSLContext.getInstance("TLSv1.2") hard-caps negotiation at TLS 1.2, causing handshake failures against Vault servers with tls_min_version=tls13. Replacing with "TLSv1.3" enables [TLSv1.3, TLSv1.2] on Java 11+ (SunJSSE default) while dropping TLS 1.0/1.1. Affects three sites: Rest.java DISABLED_SSL_CONTEXT, SslConfig.buildSslContextFromJks(), and SslConfig.buildSslContextFromPem(). Reported via jenkinsci/hashicorp-vault-plugin#361.
diff --git a/src/main/java/io/github/jopenlibs/vault/SslConfig.java b/src/main/java/io/github/jopenlibs/vault/SslConfig.java
@@ -578,7 +578,7 @@ private SSLContext buildSslContextFromJks() throws VaultException {
         }
 
         try {
-            final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            final SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
             sslContext.init(keyManagers, trustManagers, null);
             return sslContext;
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
@@ -643,7 +643,7 @@ private SSLContext buildSslContextFromPem() throws VaultException {
                 keyManagers = keyManagerFactory.getKeyManagers();
             }
 
-            final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            final SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
             sslContext.init(keyManagers, trustManagers, null);
             return sslContext;
         } catch (CertificateException | IOException | NoSuchAlgorithmException | KeyStoreException |
diff --git a/src/main/java/io/github/jopenlibs/vault/rest/Rest.java b/src/main/java/io/github/jopenlibs/vault/rest/Rest.java
@@ -78,7 +78,7 @@ public class Rest {
 
     static {
         try {
-            DISABLED_SSL_CONTEXT = SSLContext.getInstance("TLSv1.2");
+            DISABLED_SSL_CONTEXT = SSLContext.getInstance("TLSv1.3");
             DISABLED_SSL_CONTEXT.init(null, new TrustManager[]{new X509ExtendedTrustManager() {
                 @Override
                 public void checkClientTrusted(X509Certificate[] chain, String authType,
diff --git a/src/test/java/io/github/jopenlibs/vault/SSLTests.java b/src/test/java/io/github/jopenlibs/vault/SSLTests.java
@@ -12,7 +12,10 @@
 import org.eclipse.jetty.server.Server;
 import org.junit.Test;
 
+import java.util.Arrays;
+import javax.net.ssl.SSLContext;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 /**
  * Unit tests for the Vault driver, having no dependency on an actual Vault server instance being
@@ -279,4 +282,15 @@ public void testSslJks_loadKeyStoreAndTrustStore() throws Exception {
         VaultTestUtils.shutdownMockVault(server);
     }
 
+    @Test
+    public void testSslContextFromPemSupportsTls13() throws Exception {
+        final SslConfig sslConfig = new SslConfig().pemResource("/cert.pem").build();
+        final SSLContext sslContext = sslConfig.getSslContext();
+        final java.util.List<String> supported = Arrays.asList(
+                sslContext.getSupportedSSLParameters().getProtocols());
+        assertTrue("SSLContext from PEM must support TLSv1.3", supported.contains("TLSv1.3"));
+        assertTrue("SSLContext from PEM must support TLSv1.2", supported.contains("TLSv1.2"));
+    }
+
+
 }
