A Tomcat update splits TLSv1.3 cipher configuration into a new attribute, silently dropping your Spring Boot cipher restrictions. Here's how to fix it.

Foojay.io's platform is a central hub for Java developers, offering insights into Java programming language, JVM ecosystem, and Java-related technologies. Through articles, tutorials, and community forums, Foojay.io offers insights into building scalable and maintainable Java applications. Developers can learn about Java language features, performance tuning tips, and best practices in Java development to write efficient and reliable software.

Foojay.io

A recent Apache Tomcat update (9.0.115+, 10.1.52+, 11.0.18+) splits TLS cipher configuration into two attributes: `ciphers` for TLSv1.2 and below, and a new `cipherSuites` for TLSv1.3. Spring Boot applications that configure TLSv1.3 ciphers via `server.ssl.ciphers` or SSL Bundle `options.ciphers` will have those settings silently ignored after upgrading, causing Tomcat to fall back to all default TLSv1.3 ciphers. This is a compliance risk in regulated environments (FIPS, PCI-DSS) where specific cipher restrictions are mandated. The fix is available in Spring Boot 3.5.11 and 4.0.3. Verification can be done using `openssl s_client` or `nmap --script ssl-enum-ciphers`. EOL Spring Boot versions can use HeroDevs NES patches.

Tomcat TLSv1.3 cipher configuration