Enabled cipher suites are set twice

[tommystendahl]

We set enabled cipher suites twice, at these places:

ecchronos/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java

Line 110 in 893bfd0

tlsConfig.getCipherSuites().ifPresent(sslEngine::setEnabledCipherSuites);

ecchronos/application/src/main/java/com/ericsson/bss/cassandra/ecchronos/application/ReloadingCertificateHandler.java

Line 306 in 893bfd0

builder.ciphers(Arrays.asList(tlsConfig.getCipherSuites().get()));

The first use javax and the second use the netty API, it would be nice if we could remove the first and keep the one using Netty API.

[paulchandler]

Following discussions with Johan, we have decided to put this on hold.

This section is used for the Unit Tests, but there are no tests for the ciphers. So we are unsure whether it can be removed.

[0rlych1kk4]

Hi, I noticed this issue was paused due to missing cipher-related tests. Would it be helpful if I explored adding test coverage or validation around TLS cipher configuration behavior first?
I'm particularly interested in understanding whether both configuration paths are required for compatibility across different deployment environments or JVM / Netty versions.

Happy to start with investigation or test scaffolding if that would be useful.

[tommystendahl]

Since we use Netty I think we should stick to the Netty API as much as possible. I think the line using javax is a leftover that should have been removed when the switch to Netty was done. I have not investigated the test coverage in this area but before we start changing anything we should make sure that there are tests covering this.

[0rlych1kk4]

Thanks, that makes sense. I’ll start by looking into adding test coverage around the TLS cipher configuration using the Netty path, so we have confidence before removing the legacy javax-based line.
I’ll share findings or a small test-focused PR once I have something concrete.

[0rlych1kk4]

Opened a PR #1373 that adds test coverage to verify that configured TLS cipher suites are propagated to the SSLEngine.
The test skips when the suites are not supported by the current JDK/provider to avoid environment-specific failures.

Verified locally with:
mvn -pl application test