ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer#2365

Closed
PDavid wants to merge 1 commit into apache:branch-3.8 from PDavid:ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers-branch-3.8

Conversation

@PDavid
Contributor

@PDavid PDavid commented Mar 24, 2026

reviewers: meszibalu, anmolnar
Author: PDavid
Closes #2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)

@PDavid
Contributor Author

PDavid commented Mar 24, 2026

This is a backport of #2359 for branch-3.8. The patch did not apply cleanly; I had to resolve conflicts in JettyAdminServerTest.java and zookeeperAdmin.md.

Testing

I tested this locally the same way as in the original:
#2359 (comment)

Restrict TLS version to 1.2, and ciphers to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:

```
ssl.quorum.enabledProtocols=TLSv1.2
ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

call with curl:

```
curl -v -k https://localhost:8080/commands/stat
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / secp256r1 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=your.server.com
*  start date: Mar 10 12:58:28 2026 GMT
*  expire date: Mar 10 12:58:28 2027 GMT
*  issuer: CN=your.server.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to localhost (::1) port 8080
* using HTTP/1.x
> GET /commands/stat HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Tue, 24 Mar 2026 12:54:28 GMT
< Strict-Transport-Security: max-age=86400; includeSubDomains
< Content-Type: application/json
< Content-Length: 1036
< Server: Jetty(9.4.58.v20250814)
< 
{
  "version" : "3.8.7-SNAPSHOT-22c50e6ba25daa4801c9605e70e166a7ec63c463-dirty, built on 2026-03-24 12:44 UTC",
  "read_only" : false,
  "server_stats" : {
    "packets_sent" : 0,
    "packets_received" : 0,
    "fsync_threshold_exceed_count" : 0,
    "client_response_stats" : {
      "last_buffer_size" : -1,
      "min_buffer_size" : -1,
      "max_buffer_size" : -1
    },
    "uptime" : 22731,
    "provider_null" : false,
    "data_dir_size" : 134219173,
    "log_dir_size" : 134219173,
    "last_processed_zxid" : 23,
    "outstanding_requests" : 0,
    "server_state" : "standalone",
    "avg_latency" : 0.0,
    "max_latency" : 0,
    "min_latency" : 0,
    "num_alive_client_connections" : 0,
    "auth_failed_count" : 0,
    "non_mtlsremote_conn_count" : 0,
    "non_mtlslocal_conn_count" : 0
  },
  "client_response" : {
    "last_buffer_size" : -1,
    "min_buffer_size" : -1,
    "max_buffer_size" : -1
  },
  "node_count" : 5,
  "connections" : [ ],
  "secure_connections" : [ ],
  "command" : "stats",
  "error" : null
* Connection #0 to host localhost left intact
}%
```
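The curl trace above only shows what one client happened to negotiate; it does not prove that TLSv1.3 or a non-listed suite is actually refused. The script below is an added example (not ZooKeeper code and not part of this PR) that reproduces the same restriction on a throwaway local listener and probes it the way a practitioner would probe the AdminServer itself: a compliant offer, a TLSv1.3-only offer, and a TLSv1.2 offer with a suite outside the list. It assumes `openssl` is on PATH, that 127.0.0.1:18080 is free, and it uses a self-signed PEM key pair in place of the JKS keystore; to check a real AdminServer, point `PORT` (and the host in `probe`) at the server instead of starting the listener.

```shell
#!/bin/sh
# Added example, not ZooKeeper or the PR author's code. Stands up a local TLS listener
# restricted like the AdminServer in the test above (TLSv1.2 only, one suite) and probes
# it with openssl s_client. Assumptions: openssl on PATH, port 18080 free, PEM key/cert
# generated here as a stand-in for the keystore.jks the real server loads.
set -e

PORT=18080
WORK=$(mktemp -d)
SRV_PID=
trap 'if [ -n "$SRV_PID" ]; then kill "$SRV_PID" 2>/dev/null; fi; rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate (stand-in for the keystore step in the docs).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Listener mirroring ssl.quorum.enabledProtocols=TLSv1.2 and
# ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# (OpenSSL spells that suite ECDHE-RSA-AES256-GCM-SHA384).
openssl s_server -accept "$PORT" -key "$WORK/key.pem" -cert "$WORK/cert.pem" \
  -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384 -www >/dev/null 2>&1 &
SRV_PID=$!

# probe [s_client options...]: returns 0 and prints the negotiated protocol/cipher
# summary line when the handshake completes; returns 1 when the server refuses.
probe() {
  out=$(printf '' | openssl s_client -connect "127.0.0.1:$PORT" "$@" 2>/dev/null) || true
  line=$(printf '%s\n' "$out" | grep '^New, ' | head -n 1)
  case "$line" in
    ''|*'(NONE)'*) return 1 ;;
  esac
  printf '%s\n' "$line"
}

# Wait until the listener completes a compliant handshake (up to ~10 s).
n=0
until probe -tls1_2 >/dev/null; do
  n=$((n + 1))
  [ "$n" -lt 50 ] || { echo "listener did not come up" >&2; exit 1; }
  sleep 0.2
done

# report [s_client options...]: one-line verdict for a single client offer.
report() {
  if line=$(probe "$@"); then
    echo "ACCEPTED $*: $line"
  else
    echo "REJECTED $*"
  fi
}

report -tls1_2                                       # compliant: TLSv1.2 with the allowed suite
report -tls1_3                                       # must be rejected: protocol not enabled
report -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256   # must be rejected: suite not in the list
```

Checking the rejected offers is the part that matters: a listener that still answers a TLSv1.3-only ClientHello or a suite outside `ssl.quorum.ciphersuites` is not enforcing the policy, whatever a single successful curl run shows.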

Comment on lines +2569 to +2587
##### Configuring AdminServer for SSL/TLS
- Generating the **keystore.jks** and **truststore.jks** which can be found in the [Quorum TLS](#Quorum+TLS).
- Add the following configuration settings to the `zoo.cfg` config file:

```
admin.portUnification=true
ssl.quorum.keyStore.location=/path/to/keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.location=/path/to/truststore.jks
ssl.quorum.trustStore.password=password
```
- Verify that the following entries in the logs can be seen:

```
2019-08-03 15:44:55,213 [myid:] - INFO [main:JettyAdminServer@123] - Successfully loaded private key from /data/software/cert/keystore.jks
2019-08-03 15:44:55,213 [myid:] - INFO [main:JettyAdminServer@124] - Successfully loaded certificate authority from /data/software/cert/truststore.jks

2019-08-03 15:44:55,403 [myid:] - INFO [main:JettyAdminServer@170] - Started AdminServer on address 0.0.0.0, port 8080 and command URL /commands
```
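Review bot: the backported section still leaves out the two settings this PR exists for, so a reader who follows it gets an AdminServer TLS listener with whatever protocols and suites Jetty defaults to; add `ssl.quorum.enabledProtocols=TLSv1.2` and `ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (the values exercised in the test comment above) to the `zoo.cfg` block, or at least a sentence saying those keys govern the AdminServer too. Two smaller points in the same lines: the sample log entries show `/data/software/cert/keystore.jks` while the config uses `/path/to/keystore.jks`, so make them agree, and since `ssl.quorum.keyStore.password` and `ssl.quorum.trustStore.password` sit in clear text in `zoo.cfg`, the doc should say the file needs restrictive permissions.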
Contributor Author


This section was already present in master; since this branch also supports AdminServer with TLS, it is relevant and useful here, so I added it.

Reviewers: meszibalu, anmolnar
Author: PDavid
Closes apache#2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)
@PDavid PDavid force-pushed the ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers-branch-3.8 branch from d7e168f to 2847c8f on March 24, 2026 13:01
@PDavid PDavid marked this pull request as ready for review March 24, 2026 13:37
@PDavid
Contributor Author

PDavid commented Mar 24, 2026

Closing this because there is no need to backport this to 3.8 because this is not a security fix.

@PDavid PDavid closed this Mar 24, 2026
@PDavid PDavid deleted the ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers-branch-3.8 branch March 24, 2026 14:15