Configure Ciphers and SSL protocols in Ballerina
Ballerina comes with cipher suite support for establishing secure connections. A cipher suite names the set of algorithms used to secure a connection. Many cipher suites are available, but some provide better security than others, and not every server or client supports every cipher suite.
When a server or a client specifies ciphers in its SSL connection configuration, the connecting party must support at least one of the same ciphers for the connection to succeed.
    import ballerina/io;
    import ballerina/http;

    // HTTPS listener restricted to specific protocol versions and ciphers.
    endpoint http:Listener echo {
        port:9095,
        secureSocket: {
            keyStore: {
                path: "${ballerina.home}/bre/security/ballerinaKeystore.p12",
                password: "ballerina"
            },
            // Protocol versions enabled for the handshake.
            protocol: {
                name: "TLSv1.2",
                versions: ["TLSv1.2","TLSv1.1"]
            },
            // Cipher suites the listener will accept.
            ciphers:["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
        }
    };

    @http:ServiceConfig {
        endpoints:[echo],
        basePath:"/echo"
    }
    service<http:Service> helloWorld bind echo {
        @http:ResourceConfig {
            methods:["GET"],
            path:"/"
        }
        sayHello (endpoint conn, http:Request req) {
            http:Response res = new;
            res.setTextPayload("hello world");
            _ = conn -> respond(res);
            io:println("successful");
        }
    }
Ciphers can be given in the service configuration of the server connector, as shown above in the ciphers field of secureSocket. To configure multiple ciphers, add them as comma-separated entries. You can also specify which SSL protocols are enabled during the SSL handshake.
When you define both sslEnabledProtocols and ciphers, verify that the given ciphers are supported by the given protocols. For example, the AES-GCM cipher suites are defined only for TLS 1.2, so a listener that enables only TLSv1.1 cannot negotiate them.
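One way to run that verification before deploying a configuration is the name-based check below. It is an added example, not Ballerina code or part of the original page. The function names versions_for and check are hypothetical, and the rule that AEAD modes and SHA-2 MACs require TLS 1.2 is applied only to certificate-based suite names (PSK suites are rejected).

```python
# Added example: name-based check that configured cipher suites can be
# negotiated under the configured TLS versions. Not Ballerina code.
# Assumption: IANA/JSSE names of certificate-based suites; PSK suites and
# SSL_-prefixed names are rejected rather than guessed at.

PRE_TLS13 = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def versions_for(suite):
    """Return the set of TLS versions in which `suite` can be negotiated."""
    if not suite.startswith("TLS_") or "_PSK_" in suite:
        raise ValueError("unsupported suite name: " + suite)
    if "_WITH_" not in suite:
        return {"TLSv1.3"}  # TLS 1.3 names omit the key exchange
    algo = suite.split("_WITH_", 1)[1]
    aead = any(m in algo for m in ("_GCM", "_CCM", "CHACHA20"))
    sha2_mac = algo.endswith(("_SHA256", "_SHA384"))
    # AEAD modes and SHA-2 MACs were introduced with TLS 1.2.
    return {"TLSv1.2"} if aead or sha2_mac else set(PRE_TLS13)


def check(versions, ciphers):
    """Report versions with no usable suite and suites with no usable version."""
    usable = {v: [c for c in ciphers if v in versions_for(c)] for v in versions}
    dead_versions = [v for v in versions if not usable[v]]
    dead_ciphers = [c for c in ciphers if not versions_for(c) & set(versions)]
    return {"usable": usable, "dead_versions": dead_versions,
            "dead_ciphers": dead_ciphers}


# Values from the listener configuration on this page.
PAGE = check(["TLSv1.2", "TLSv1.1"], ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"])

# Constructed variants: a GCM suite with the same versions, then TLSv1.1 only.
GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
MIXED = check(["TLSv1.2", "TLSv1.1"], [GCM])
BROKEN = check(["TLSv1.1"], [GCM])

if __name__ == "__main__":
    for label, result in (("page", PAGE), ("mixed", MIXED), ("broken", BROKEN)):
        print(label, result["dead_versions"], result["dead_ciphers"])
```

A non-empty dead_versions list means clients limited to that version cannot complete a handshake; a non-empty dead_ciphers list means the suite is configured but can never be selected.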