How do I configure the TLS cipher order in Spring Boot 2.0.0 to improve the SSL Labs rating?
Got it, let's figure out how to set a prioritized cipher suite order in Spring Boot 2.0.0 to boost your SSL Labs rating. I’ve worked through this scenario before, so here are two reliable approaches:
Spring Boot 2.0.0 lets you define SSL settings directly in application.properties or application.yml. You just need to specify the cipher suites in your desired priority order—Tomcat will use this sequence when negotiating with clients.
Here’s an example application.properties snippet with a secure, SSL Labs-friendly cipher suite order:
```properties
# Enable SSL
server.ssl.enabled=true
server.ssl.key-store=classpath:your-keystore.jks
server.ssl.key-store-password=your-keystore-password
server.ssl.key-password=your-key-password

# Prioritize secure cipher suites (ECDHE first for forward secrecy, avoid weak algorithms)
server.ssl.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256

# Disable outdated protocols (only allow TLS 1.2+ for a better rating)
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
```
For YAML fans, here’s the equivalent application.yml:
```yaml
server:
  ssl:
    enabled: true
    key-store: classpath:your-keystore.jks
    key-store-password: your-keystore-password
    key-password: your-key-password
    # Listed in priority order; a YAML list avoids stray whitespace in the suite names
    ciphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - DHE-RSA-AES256-GCM-SHA384
      - DHE-RSA-AES128-GCM-SHA256
    enabled-protocols:
      - TLSv1.2
      - TLSv1.3
```
If you need more granular control—like conditional cipher suites based on environment, or additional SSL tweaks—you can create a custom Tomcat connector via a configuration class.
Here’s a complete example:
```java
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.coyote.http2.Http2Protocol;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SslConfig {

    // Customizes the auto-configured Tomcat factory instead of replacing it, so the
    // server.ssl.key-store* properties still supply the keystore and enable SSL.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> sslConnectorCustomizer() {
        return tomcat -> tomcat.addConnectorCustomizers((Connector connector) -> {
            Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();

            // Only allow TLS 1.2+
            protocol.setSslEnabledProtocols("TLSv1.2,TLSv1.3");

            // Set cipher suites in priority order (OpenSSL-style names; Tomcat maps them to JSSE names)
            protocol.setCiphers("ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
                    + "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,"
                    + "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,"
                    + "DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256");

            // Optional: enable HTTP/2 (h2) on this connector; Tomcat exposes it as an upgrade protocol
            connector.addUpgradeProtocol(new Http2Protocol());
        });
    }
}
```
- JDK Compatibility: Make sure your JDK supports the cipher suites you’re using. For example, TLS 1.3 requires JDK 8u261 or later, and the ChaCha20 suites need newer JDK versions. Spring Boot 2.0.0 defaults to JDK 8, so double-check your version.
- Avoid Weak Algorithms: Never include outdated ciphers like 3DES, RC4, or any cipher with SHA-1—SSL Labs will penalize you heavily for these.
- Test After Configuration: Always run your site through the SSL Labs Test to verify the cipher order is applied correctly and your rating improves.
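To make the JDK compatibility check concrete, here is a small stand-alone Java program (an added example, not code from the original answer) that maps the OpenSSL-style names used in the snippets above to the JSSE names the JDK reports, then checks each one against the running JDK. The `toJsseName` helper and the class name are my own; the helper covers the GCM and ChaCha20 suites listed on this page, not every OpenSSL name.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherSupportCheck {

    // Copy of the server.ssl.ciphers value from the snippets above (constructed input).
    static final String CONFIGURED =
        "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
      + "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,"
      + "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,"
      + "DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256";

    // Converts e.g. ECDHE-ECDSA-AES256-GCM-SHA384 to TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
    static String toJsseName(String openSsl) {
        String[] parts = openSsl.split("-");
        StringBuilder sb = new StringBuilder("TLS");
        int i = 0;
        // Key-exchange and authentication tokens come first in the OpenSSL name
        while (i < parts.length && (parts[i].equals("ECDHE") || parts[i].equals("DHE")
                || parts[i].equals("ECDSA") || parts[i].equals("RSA"))) {
            sb.append('_').append(parts[i++]);
        }
        if (i == 0) sb.append("_RSA"); // plain RSA key exchange has no prefix in OpenSSL names
        sb.append("_WITH");
        for (; i < parts.length; i++) {
            String p = parts[i];
            if (p.startsWith("AES")) p = "AES_" + p.substring(3); // AES256 -> AES_256
            sb.append('_').append(p);
        }
        String name = sb.toString();
        if (name.endsWith("CHACHA20_POLY1305")) name += "_SHA256"; // JSSE spells out the PRF hash
        return name;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> protocols = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        System.out.println("JDK " + System.getProperty("java.version") + ", protocols: " + protocols);
        for (String c : CONFIGURED.split(",")) {
            String jsse = toJsseName(c.trim());
            System.out.printf("%-34s %-46s %s%n", c.trim(), jsse,
                supported.contains(jsse) ? "OK" : "NOT SUPPORTED by this JDK");
        }
    }
}
```

Run it with the same JDK that will run the Spring Boot application; a suite marked NOT SUPPORTED is silently dropped from the negotiated list, which is exactly what shifts an SSL Labs result.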
The question was posted on Stack Exchange by tcelvis.