Skip to content

Commit 22cefa0

Browse files
Merge pull request #4804 from OpenLiberty/26.0.0.5-beta-post
Update 26.0.0.5-beta-post into draft
2 parents f191d9d + 60f619d commit 22cefa0

1 file changed

Lines changed: 22 additions & 11 deletions

File tree

posts/2026-05-05-26.0.0.5-beta.adoc

Lines changed: 22 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,17 @@
11
---
22
layout: post
3-
title: "MCP server updates and Transport Security in 26.0.0.5-beta"
3+
title: "Updates to MCP Server and TLS/SSL Cipher Support in 26.0.0.5 Beta"
44
# Do NOT change the categories section
55
categories: blog
66
author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
77
author_github: https://github.com/navaneethsnair1
8-
seo-title: "MCP server updates and Transport Security in 26.0.0.5-beta- OpenLiberty.io"
8+
seo-title: "Updates to MCP Server and TLS/SSL Cipher Support in 26.0.0.5 Beta- OpenLiberty.io"
99
seo-description: This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher configuration by using JDK defaults and flexible `enabledCiphers` syntax.
1010
blog_description: This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher configuration by using JDK defaults and flexible `enabledCiphers` syntax.
1111
open-graph-image: https://openliberty.io/img/twitter_card.jpg
1212
open-graph-image-alt: Open Liberty Logo
1313
---
14-
= MCP server updates and Transport Security in 26.0.0.5-beta
14+
= Updates to MCP Server and TLS/SSL Cipher Support in 26.0.0.5 Beta
1515
Navaneeth S Nair <https://github.com/navaneethsnair1>
1616
:imagesdir: /
1717
:url-prefix:
@@ -30,7 +30,7 @@ This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher
3030
The link:{url-about}[Open Liberty] 26.0.0.5-beta includes the following beta features (along with link:{url-prefix}/docs/latest/reference/feature/feature-overview.html[all GA features]):
3131

3232
* <<mcp, Updates to `mcpServer-1.0`>>
33-
* <<transportSecurity, Transport Security>>
33+
* <<ssl, Update to TLS/SSL Cipher support>>
3434

3535
// // // // // // // //
3636
// In the preceding section:
@@ -150,8 +150,8 @@ This has been fixed to ensure proper isolation of encoder beans per application,
150150
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34374
151151
// Contact/Reviewer: rangaran
152152
// // // // // // // //
153-
[#transportSecurity]
154-
== Transport Security
153+
[#ssl]
154+
== Update to TLS/SSL Cipher support
155155

156156
Liberty uses the default cipher list from the JDK. The `securityLevel` attribute in the SSL configuration is not used anymore. In addition, the `enabledCiphers` attribute in the SSL config is updated to customize the SSL ciphers in a more flexible way.
157157

@@ -161,17 +161,28 @@ Liberty's `securityLevel` based cipher categories no longer provide meaningful v
161161

162162
The `enabledCiphers` attribute includes a new syntax option to add '+' or remove '–' specific ciphers from the effective JDK cipher list without redefining everything. A static list and +/- syntax in the same `enabledCiphers` entry is not allowed. If the value set in `enabledCiphers` contains a static entry and a +/- entry, an error is logged, and the server ignores the `enabledCiphers` value by returning the effective JDK cipher list.
163163

164-
*Example Usage*
164+
*Existing Usage - A user sets `securityLevel` as `HIGH`*
165165

166166
[source,xml]
167167
----
168-
<ssl id="defaultSSL" securityLevel="HIGH"/>
169-
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384..../"> <!-- basically everything except TLS_RSA ciphers from the effective jdk list -->
170-
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_RSA_WITH_AES_128_GCM_SHA256"/>
168+
<ssl id="defaultSSL" securityLevel=HIGH/>
171169
----
172170

173-
*Example with new syntax*
171+
*Example with new syntax - `securityLevel` is not required and is ignored if provided*
174172

173+
[source,xml]
174+
----
175+
<ssl id="defaultSSL"/>
176+
----
177+
178+
*Existing Usage - A user specifies all ciphers from the effective jdk list excluding all TLS_RSA ciphers except for one (TLS_RSA_WITH_AES_128_GCM_SHA256)*
179+
180+
[source,xml]
181+
----
182+
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256">
183+
----
184+
185+
*Example with new syntax - Use wildcards to achieve the same logic*
175186
[source,xml]
176187
----
177188
<ssl id="defaultSSL" enabledCiphers="-TLS_RSA* +TLS_RSA_WITH_AES_128_GCM_SHA256"/>

0 commit comments

Comments
 (0)