[2201.11.x] Add TLSv1.3 supported ciphers in the default supported ciphers

.github/workflows/build-with-bal-test-graalvm.yml

@@ -29,7 +29,8 @@ on:
             - 2201.7.x
             - 2201.8.x
             - 2201.9.x
-            - java21
+            - 2201.10.x
+            - 2201.11.x
         types: [opened, synchronize, reopened, labeled, unlabeled]
 
 concurrency:

ballerina-tests/http-security-tests/tests/ssl_protocol_test.bal

@@ -15,12 +15,11 @@
 // under the License.
 
 import ballerina/http;
-// import ballerina/log;
 import ballerina/lang.'string as strings;
 import ballerina/test;
 import ballerina/http_test_common as common;
 
-http:ListenerConfiguration sslProtocolServiceConfig = {
+http:ListenerConfiguration sslProtocol12ServiceConfig = {
     httpVersion: http:HTTP_1_1,
     secureSocket: {
         key: {
@@ -34,23 +33,20 @@ http:ListenerConfiguration sslProtocolServiceConfig = {
     }
 };
 
-listener http:Listener sslProtocolListener = new (9249, config = sslProtocolServiceConfig);
+listener http:Listener sslProtocol12Listener = new (tls12Port, config = sslProtocol12ServiceConfig);
 
-service /protocol on sslProtocolListener {
+service /protocol on sslProtocol12Listener {
 
-    resource function get protocolResource(http:Caller caller, http:Request req) {
-        error? result = caller->respond("Hello World!");
-        if result is error {
-            // log:printError("Failed to respond", 'error = result);
-        }
+    resource function get protocolResource() returns string {
+        return "Hello, World!";
     }
 }
 
-http:ClientConfiguration sslProtocolClientConfig = {
+http:ListenerConfiguration sslProtocol13ServiceConfig = {
     httpVersion: http:HTTP_1_1,
     secureSocket: {
-        cert: {
-            path: common:TRUSTSTORE_PATH,
+        key: {
+            path: common:KEYSTORE_PATH,
             password: "ballerina"
         },
         protocol: {
@@ -60,10 +56,81 @@ http:ClientConfiguration sslProtocolClientConfig = {
     }
 };
 
+listener http:Listener sslProtocol13Listener = new (tls13Port, config = sslProtocol13ServiceConfig);
+
+service /protocol on sslProtocol13Listener {
+
+    resource function get protocolResource() returns string {
+        return "Hello, World!";
+    }
+}
+
+http:ClientSecureSocket sslProtocolClientConfig = {
+    cert: {
+        path: common:TRUSTSTORE_PATH,
+        password: "ballerina"
+    }
+};
+
+@test:Config {}
+public function testTLS12() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
+@test:Config {}
+public function testTLS13() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.3"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
 @test:Config {}
 public function testSslProtocol() returns error? {
-    http:Client clientEP = check new ("https://localhost:9249", sslProtocolClientConfig);
-    http:Response|error resp = clientEP->get("/protocol/protocolResource");
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2", "TLSv1.3"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+
+    sslConfig.protocol.versions = ["TLSv1.3", "TLSv1.2"];
+    clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
+@test:Config {}
+public function testSslProtocolConflict() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    http:Response|error resp = clientEP->/protocol/protocolResource;
+    if resp is http:Response {
+        test:assertFail(msg = "Found unexpected output: Expected an error");
+    } else {
+        test:assertTrue(strings:includes(resp.message(), "SSL connection failed"));
+    }
+
+    sslConfig.protocol.versions = ["TLSv1.3"];
+    clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig, httpVersion = http:HTTP_1_1);
+    resp = clientEP->/protocol/protocolResource;
     if resp is http:Response {
         test:assertFail(msg = "Found unexpected output: Expected an error");
     } else {

ballerina-tests/http-security-tests/tests/test_service_ports.bal

@@ -22,3 +22,6 @@ const int http2SslGeneralPort = 9107;
 
 const int http2SniListenerPort = 9207;
 const int http1SniListenerPort = 9208;
+
+const int tls12Port = 9249;
+const int tls13Port = 9250;

ballerina-tests/http2-tests/tests/http2_ssl_protocol_test.bal

@@ -0,0 +1,137 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org).
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/http;
+import ballerina/lang.'string as strings;
+import ballerina/test;
+import ballerina/http_test_common as common;
+
+http:ListenerConfiguration sslProtocol12ServiceConfig = {
+    secureSocket: {
+        key: {
+            path: common:KEYSTORE_PATH,
+            password: "ballerina"
+        },
+        protocol: {
+            name: http:TLS,
+            versions: ["TLSv1.2"]
+        }
+    }
+};
+
+listener http:Listener sslProtocol12Listener = new (tls12Port, config = sslProtocol12ServiceConfig);
+
+service /protocol on sslProtocol12Listener {
+
+    resource function get protocolResource() returns string {
+        return "Hello, World!";
+    }
+}
+
+http:ListenerConfiguration sslProtocol13ServiceConfig = {
+    secureSocket: {
+        key: {
+            path: common:KEYSTORE_PATH,
+            password: "ballerina"
+        },
+        protocol: {
+            name: http:TLS,
+            versions: ["TLSv1.3"]
+        }
+    }
+};
+
+listener http:Listener sslProtocol13Listener = new (tls13Port, config = sslProtocol13ServiceConfig);
+
+service /protocol on sslProtocol13Listener {
+
+    resource function get protocolResource() returns string {
+        return "Hello, World!";
+    }
+}
+
+http:ClientSecureSocket sslProtocolClientConfig = {
+    cert: {
+        path: common:TRUSTSTORE_PATH,
+        password: "ballerina"
+    }
+};
+
+@test:Config {}
+public function testTLS12() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
+@test:Config {}
+public function testTLS13() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.3"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
+@test:Config {}
+public function testSslProtocol() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2", "TLSv1.3"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig);
+    string resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+
+    sslConfig.protocol.versions = ["TLSv1.3", "TLSv1.2"];
+    clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig);
+    resp = check clientEP->/protocol/protocolResource;
+    test:assertEquals(resp, "Hello, World!");
+}
+
+@test:Config {}
+public function testSslProtocolConflict() returns error? {
+    http:ClientSecureSocket sslConfig = sslProtocolClientConfig.clone();
+    sslConfig.protocol = {
+        name: http:TLS,
+        versions: ["TLSv1.2"]
+    };
+    http:Client clientEP = check new (string `https://localhost:${tls13Port}`, secureSocket = sslConfig);
+    http:Response|error resp = clientEP->/protocol/protocolResource;
+    if resp is http:Response {
+        test:assertFail(msg = "Found unexpected output: Expected an error");
+    } else {
+        test:assertTrue(strings:includes(resp.message(), "SSL connection failed"));
+    }
+
+    sslConfig.protocol.versions = ["TLSv1.3"];
+    clientEP = check new (string `https://localhost:${tls12Port}`, secureSocket = sslConfig);
+    resp = clientEP->/protocol/protocolResource;
+    if resp is http:Response {
+        test:assertFail(msg = "Found unexpected output: Expected an error");
+    } else {
+        test:assertTrue(strings:includes(resp.message(), "SSL connection failed"));
+    }
+}

ballerina-tests/http2-tests/tests/test_service_ports.bal

@@ -63,3 +63,6 @@ const int reuseRequestTestPort = 9528;
 const int connectionNativeTestPort = 9014;
 const int http2ClientContinueTestPort = 9630;
 const int headerParamBindingTestPort = 9631;
+
+const int tls12Port = 9249;
+const int tls13Port = 9250;

ballerina/http_service_endpoint.bal

@@ -247,7 +247,8 @@ public type ListenerSecureSocket record {|
                         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"];
+                        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
+                        "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"];
     boolean shareSession = true;
     decimal handshakeTimeout?;
     decimal sessionTimeout?;

changelog.md

@@ -11,6 +11,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - [Move SSL context creation to the client initialization](https://github.com/ballerina-platform/ballerina-library/issues/1798)
 
+### Fixed
+
+- [Add TLSv1.3 supported cipher suites to the default configuration](https://github.com/ballerina-platform/ballerina-library/issues/7658)
+
 ## [2.13.3] - 2025-02-20
 
 ### Added