Add default cipher suites for HTTPS transport SSL configuration

[KD23243]

Purpose

Add a default set of secure TLS cipher suites to the HTTPS transport SSL host configuration in `default.json`. This ensures that when users configure HTTPS transport, only strong, modern cipher suites are used by default — including ECDHE, DHE, and TLS 1.3 suites — improving the security posture of the server out of the box without requiring manual configuration.

Implementation

Added the `transport.https.sslHostConfig.properties.ciphers` key to `distribution/kernel/carbon-home/repository/resources/conf/default.json` with a curated list of secure cipher suites:

These suites were selected based on the Mozilla SSL Configuration Generator (Intermediate configuration for Tomcat 11.0.1, Guideline 5.7) to ensure a balance between strong security and broad client compatibility:

• TLS 1.2 ECDHE suites: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
• TLS 1.2 DHE suites: `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
• TLS 1.3 suites: `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`

Related Issue

wso2/product-is#27335

[coderabbitai]

📝 Walkthrough

Walkthrough

A new TLS cipher suite configuration property was added to the default configuration file to explicitly specify the allowed cipher suites for HTTPS SSL host connections.

Changes

Cohort / File(s)	Summary
TLS Configuration distribution/kernel/carbon-home/repository/resources/conf/default.json	Added transport.https.sslHostConfig.properties.ciphers configuration entry to define explicit comma-separated list of allowed cipher suites for HTTPS SSL.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	PR description covers Purpose and Implementation but is missing several required sections from the template including Goals, User Stories, Release Notes, Documentation, Training, Certification, Marketing, Automation Tests, Security Checks, and Test Environment.	Complete the PR description by adding all required sections from the template: Goals, User Stories, Release Notes, Documentation, Training, Certification, Marketing, Automation Tests (with code coverage details), Security Checks, and Test Environment. Provide specific details for each section or mark as N/A with explanation.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly and concisely describes the main change: adding default cipher suites for HTTPS transport SSL configuration, which directly matches the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/23780167698

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/23780167698
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/23780167698