Provide configuration for enabled SSL protocols

pom.xml

@@ -138,7 +138,7 @@
         <version.lib.microprofile-fault-tolerance-api>1.1.3</version.lib.microprofile-fault-tolerance-api>
         <version.lib.mockito>2.23.4</version.lib.mockito>
         <version.lib.mysql-connector-java>8.0.11</version.lib.mysql-connector-java>
-        <version.lib.netty>4.1.30.Final</version.lib.netty>
+        <version.lib.netty>4.1.34.Final</version.lib.netty>
         <version.lib.oci-java-sdk-objectstorage>1.2.44</version.lib.oci-java-sdk-objectstorage>
         <version.lib.ojdbc8>12.2.0.1</version.lib.ojdbc8>
         <version.lib.opentracing>0.31.0</version.lib.opentracing>

webserver/webserver/src/main/java/io/helidon/webserver/NettyWebServer.java

@@ -45,6 +45,7 @@
 import io.netty.handler.logging.LogLevel;
 import io.netty.handler.logging.LoggingHandler;
 import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import io.netty.handler.ssl.JdkSslContext;
 import io.netty.util.concurrent.Future;
 
@@ -99,7 +100,10 @@ class NettyWebServer implements WebServer {
             if (soConfig.ssl() != null) {
                 // TODO configuration support for CLIENT AUTH (btw, ClientAuth.REQUIRE doesn't seem to work with curl nor with
                 // Chrome)
-                sslContext = new JdkSslContext(soConfig.ssl(), false, ClientAuth.NONE);
+                sslContext = new JdkSslContext(
+                        soConfig.ssl(), false, null,
+                        IdentityCipherSuiteFilter.INSTANCE, null,
+                        ClientAuth.NONE, soConfig.enabledSslProtocols(), false);
             }
 
             if (soConfig.backlog() > 0) {

webserver/webserver/src/main/java/io/helidon/webserver/ServerBasicConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -70,6 +70,11 @@ public SSLContext ssl() {
         return socketConfig.ssl();
     }
 
+    @Override
+    public String[] enabledSslProtocols() {
+        return socketConfig.enabledSslProtocols();
+    }
+
     @Override
     public int workersCount() {
         return workers;
@@ -123,6 +128,7 @@ static class SocketConfig implements SocketConfiguration {
         private final int timeoutMillis;
         private final int receiveBufferSize;
         private final SSLContext sslContext;
+        private final String[] enabledSslProtocols;
 
         /**
          * Creates new instance.
@@ -137,6 +143,7 @@ static class SocketConfig implements SocketConfiguration {
         SocketConfig(int port,
                      InetAddress bindAddress,
                      SSLContext sslContext,
+                     String[] sslProtocols,
                      int backlog,
                      int timeoutMillis,
                      int receiveBufferSize) {
@@ -146,13 +153,14 @@ static class SocketConfig implements SocketConfiguration {
             this.timeoutMillis = timeoutMillis <= 0 ? 0 : timeoutMillis;
             this.receiveBufferSize = receiveBufferSize <= 0 ? 0 : receiveBufferSize;
             this.sslContext = sslContext;
+            this.enabledSslProtocols = sslProtocols;
         }
 
         /**
          * Creates default values instance.
          */
         SocketConfig() {
-            this(0, null, null, 0, 0, 0);
+            this(0, null, null, null, 0, 0, 0);
         }
 
         @Override
@@ -184,5 +192,10 @@ public int receiveBufferSize() {
         public SSLContext ssl() {
             return sslContext;
         }
+
+        @Override
+        public String[] enabledSslProtocols() {
+            return enabledSslProtocols;
+        }
     }
 }

webserver/webserver/src/main/java/io/helidon/webserver/SocketConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2019 Oracle and/or its affiliates. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -86,6 +86,13 @@ public interface SocketConfiguration {
      */
     SSLContext ssl();
 
+    /**
+     * Returns the SSL protocols to enable, or {@code null} to enable the default
+     * protocols.
+     * @return the SSL protocols to enable
+     */
+    String[] enabledSslProtocols();
+
     /**
      * Creates a builder of {@link SocketConfiguration} class.
      *
@@ -101,6 +108,7 @@ final class Builder implements io.helidon.common.Builder<SocketConfiguration> {
         private int port = 0;
         private InetAddress bindAddress = null;
         private SSLContext sslContext = null;
+        private String[] enabledSslProtocols = null;
         private int backlog = 0;
         private int timeoutMillis = 0;
         private int receiveBufferSize = 0;
@@ -195,9 +203,22 @@ public Builder ssl(Supplier<? extends SSLContext> sslContextBuilder) {
             return ssl(sslContextBuilder != null ? sslContextBuilder.get() : null);
         }
 
+        /**
+         * Configures the SSL protocols to enable with the server socket.
+         * @param protocols protocols to enable, if {@code null} enables the
+         * default protocols
+         * @return this builder
+         */
+        public Builder enabledSSlProtocols(String... protocols){
+            this.enabledSslProtocols = protocols;
+            return this;
+        }
+
         @Override
         public SocketConfiguration build() {
-            return new ServerBasicConfig.SocketConfig(port, bindAddress, sslContext, backlog, timeoutMillis, receiveBufferSize);
+            return new ServerBasicConfig.SocketConfig(port, bindAddress,
+                    sslContext, enabledSslProtocols, backlog, timeoutMillis,
+                    receiveBufferSize);
         }
     }
 }