From ffee7da92275270a718baa2a14e23624a66db251 Mon Sep 17 00:00:00 2001
From: janossch
Date: Fri, 25 Jul 2025 15:47:53 +0200
Subject: [PATCH] Apply SslOptions from SslBundle to SslContextBuilder.
Fixes https://github.com/spring-cloud/spring-cloud-gateway/issues/3860
Signed-off-by: janossch
---
 .../gateway/config/GrpcSslConfigurer.java | 16 +++++++++++-----
 .../config/HttpClientSslConfigurer.java | 19 +++++++++++++------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/GrpcSslConfigurer.java b/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/GrpcSslConfigurer.java
index 23299c4093..6877707eb4 100644
--- a/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/GrpcSslConfigurer.java
+++ b/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/GrpcSslConfigurer.java
@@ -27,6 +27,7 @@
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.ssl.SslOptions;
 /**
 * @author Alberto C. RĂ­os
@@ -49,7 +50,7 @@ private SslContext getSslContext() throws SSLException {
 final HttpClientProperties.Ssl ssl = getSslProperties();
 boolean useInsecureTrustManager = ssl.isUseInsecureTrustManager();
- SslBundle bundle = getBundle();
+ SslBundle sslBundle = getBundle();
 if (useInsecureTrustManager) {
 sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE.getTrustManagers()[0]);
 }
@@ -57,12 +58,17 @@ private SslContext getSslContext() throws SSLException {
 if (!useInsecureTrustManager && ssl.getTrustedX509Certificates().size() > 0) {
 sslContextBuilder.trustManager(getTrustedX509CertificatesForTrustManager());
 }
- else if (bundle != null) {
- sslContextBuilder.trustManager(bundle.getManagers().getTrustManagerFactory());
+ else if (sslBundle != null) {
+ sslContextBuilder.trustManager(sslBundle.getManagers().getTrustManagerFactory());
 }
- if (bundle != null) {
- sslContextBuilder.keyManager(bundle.getManagers().getKeyManagerFactory());
+ if (sslBundle != null) {
+ sslContextBuilder.keyManager(sslBundle.getManagers().getKeyManagerFactory());
+ SslOptions sslOptions = sslBundle.getOptions();
+ if (sslOptions != null && sslOptions.isSpecified()) {
+ sslContextBuilder.ciphers(SslOptions.asSet(sslOptions.getCiphers()));
+ sslContextBuilder.protocols(sslOptions.getEnabledProtocols());
+ }
 }
 else {
 sslContextBuilder.keyManager(getKeyManagerFactory());
diff --git a/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/HttpClientSslConfigurer.java b/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/HttpClientSslConfigurer.java
index 163f2bc00f..76dbafde15 100644
--- a/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/HttpClientSslConfigurer.java
+++ b/spring-cloud-gateway-server-webflux/src/main/java/org/springframework/cloud/gateway/config/HttpClientSslConfigurer.java
@@ -18,6 +18,7 @@
 import java.security.cert.X509Certificate;
+import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import reactor.netty.http.Http11SslContextSpec;
 import reactor.netty.http.Http2SslContextSpec;
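Review bot: The new block inside `if (sslBundle != null)` calls both `ciphers(...)` and `protocols(...)` as soon as `sslOptions.isSpecified()` holds, so a bundle that configures only one of the two still pushes `null` for the other; as far as I know Netty's single-argument `ciphers()` overload also replaces the builder's cipher filter with the identity filter, which discards whatever cipher list `sslContextBuilder` was given before this hunk (for a gRPC client that is normally the HTTP/2-compatible set; the builder is created outside the hunk). Apply each option only when the bundle actually sets it: `if (sslOptions.getCiphers() != null) { sslContextBuilder.ciphers(SslOptions.asSet(sslOptions.getCiphers())); }` and `if (sslOptions.getEnabledProtocols() != null) { sslContextBuilder.protocols(sslOptions.getEnabledProtocols()); }`, which makes the `isSpecified()` guard redundant. A short comment above the block should also say that cipher names from the bundle are passed through unfiltered and must be spelled for the active SslProvider (JDK vs OpenSSL names), since an unsupported name is likely to surface only at handshake time rather than at startup. getSslContext() continues outside the hunk.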
@@ -26,6 +27,7 @@
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.ssl.SslOptions;
 import org.springframework.boot.web.server.autoconfigure.ServerProperties;
 public class HttpClientSslConfigurer extends AbstractSslConfigurer {
@@ -52,24 +54,29 @@ public HttpClient configureSsl(HttpClient client) {
 }
 protected void configureSslContext(HttpClientProperties.Ssl ssl, SslProvider.SslContextSpec sslContextSpec) {
- SslProvider.ProtocolSslContextSpec clientSslContext = (serverProperties.getHttp2().isEnabled())
+ SslProvider.GenericSslContextSpec clientSslContext = serverProperties.getHttp2().isEnabled()
 ? Http2SslContextSpec.forClient() : Http11SslContextSpec.forClient();
 clientSslContext.configure(sslContextBuilder -> {
 X509Certificate[] trustedX509Certificates = getTrustedX509CertificatesForTrustManager();
- SslBundle bundle = getBundle();
+ SslBundle sslBundle = getBundle();
 if (trustedX509Certificates.length > 0) {
 setTrustManager(sslContextBuilder, trustedX509Certificates);
 }
 else if (ssl.isUseInsecureTrustManager()) {
 setTrustManager(sslContextBuilder, InsecureTrustManagerFactory.INSTANCE);
 }
- else if (bundle != null) {
- setTrustManager(sslContextBuilder, bundle.getManagers().getTrustManagerFactory());
+ else if (sslBundle != null) {
+ setTrustManager(sslContextBuilder, sslBundle.getManagers().getTrustManagerFactory());
 }
 try {
- if (bundle != null) {
- sslContextBuilder.keyManager(bundle.getManagers().getKeyManagerFactory());
+ if (sslBundle != null) {
+ sslContextBuilder.keyManager(sslBundle.getManagers().getKeyManagerFactory());
+ SslOptions sslOptions = sslBundle.getOptions();
+ if (sslOptions != null && sslOptions.isSpecified()) {
+ sslContextBuilder.ciphers(SslOptions.asSet(sslOptions.getCiphers()));
+ sslContextBuilder.protocols(sslOptions.getEnabledProtocols());
+ }
 }
 else {
 sslContextBuilder.keyManager(getKeyManagerFactory());
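Review bot: The five-line SslOptions block added inside the `try` is identical to the one this commit adds to GrpcSslConfigurer, and both classes already extend `AbstractSslConfigurer`, so it belongs in one protected helper there — e.g. `applySslOptions(sslContextBuilder, sslBundle);` called right after `sslContextBuilder.keyManager(...)` — with a single comment noting that the bundle's ciphers and protocols replace the spec's defaults (in the HTTP/2 branch, as far as I know, the h2-compatible cipher list that `Http2SslContextSpec.forClient()` preconfigures). The changed declaration reads as a raw `SslProvider.GenericSslContextSpec`; if it is really raw rather than a type argument lost in rendering, the lambda parameter is `Object` and the calls on `sslContextBuilder` will not compile, whereas `SslProvider.GenericSslContextSpec<SslContextBuilder> clientSslContext = ...` uses the `SslContextBuilder` import this commit adds. Independently, guarding each option with its own null check (`if (sslOptions.getCiphers() != null)` / `if (sslOptions.getEnabledProtocols() != null)`) avoids resetting the cipher list to Netty's default when a bundle sets only protocols. The lambda and the `try` opened in this hunk continue outside it.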