When using WebClient with boring ssl and jdk support TLSv1.3, Configuring ssl ciphers in WebClient does not take effect。 Please see reproduce demo: ssl-demo and run test case: com.example.SslTest#should_handshake_fail with jdk which support TLSv1.3, such as this: Java SE Development Kit 8u341 I have tested it on windows.
More Info:
I captured packets with wireshark, client sends ciphers which is not configured:
Comment From: rstoyanchev
Thanks for the sample. This is not due to anything the WebClient does. I changed the test to use the Reactor Netty HttpClient directly, and it gives the same result.
I also don't think it's anything Reactor Netty does, but rather it seems to be expected behavior. When I run the test, I see the following log message:
2023-02-20 11:42:32.586 INFO 606977 --- [ main] i.n.h.s.ReferenceCountedOpenSslContext : BoringSSL doesn't allow to enable or disable TLSv1.3 ciphers explicitly. Provided TLSv1.3 ciphers: 'TLS_AES_128_GCM_SHA256', default TLSv1.3 ciphers that will be used: 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'.