Enable TLS 1.3 by default in SSLContext

Summary: Previously, TLS 1.3 support had to be enabled explicitly. Let's now enable it by default, while retaining TLS 1.2 as the minimum version. We can remove the `enableTLS13()` method and its callsites in a later diff. Reviewed By: AjanthanAsogamoorthy Differential Revision: D39469027 fbshipit-source-id: 87a9f6ebcd057428ff1a1fbbc3e8ff24779294bd
facebook · Dec 7, 2022 · c250f4b · c250f4b
1 parent 46d83e6
commit c250f4b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 20 deletions.
diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp
@@ -44,13 +44,6 @@ int getExDataIndex() {
  */
 void configureProtocolVersion(SSL_CTX* ctx, SSLContext::SSLVersion version) {
 #if FOLLY_OPENSSL_PREREQ(1, 1, 0)
-  // Disable TLS 1.3 by default, for now, if this version of OpenSSL
-  // supports it. There are some semantic differences (e.g. assumptions
-  // on getSession() returning a resumable session, SSL_CTX_set_ciphersuites,
-  // etc.)
-  //
-  SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
-
   /*
    * From the OpenSSL docs https://fburl.com/ii9k29qw:
    * Setting the minimum or maximum version to 0, will enable protocol versions
@@ -70,9 +63,11 @@ void configureProtocolVersion(SSL_CTX* ctx, SSLContext::SSLVersion version) {
     case SSLContext::SSLVersion::TLSv1_2:
       minVersion = TLS1_2_VERSION;
       break;
-    // TODO: Handle this correctly once the max protocol version
-    // is no longer limited to TLS 1.2.
+#if FOLLY_OPENSSL_HAS_TLS13
     case SSLContext::SSLVersion::TLSv1_3:
+      minVersion = TLS1_3_VERSION;
+      break;
+#endif
     case SSLContext::SSLVersion::SSLv2:
     default:
       // do nothing
@@ -130,15 +125,6 @@ static int dispatchTicketCrypto(
 SSLContext::SSLContext(SSLVersion version) {
   folly::ssl::init();
 
-  // version represents the desired minimum protocol version. Since TLS 1.2
-  // is currently set as the maximum protocol version, we can't allow a min
-  // version of TLS 1.3.
-  // TODO: Remove this error once the max is no longer limited to TLS 1.2.
-  if (version == SSLContext::SSLVersion::TLSv1_3) {
-    throw std::runtime_error(
-        "A minimum TLS version of TLS 1.3 is currently unsupported.");
-  }
-
   ctx_ = SSL_CTX_new(SSLv23_method());
   if (ctx_ == nullptr) {
     throw std::runtime_error("SSL_CTX_new: " + getErrors());

diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h
@@ -97,7 +97,9 @@ class SSLContext {
     SSLv3,
     TLSv1, // support TLS 1.0+
     TLSv1_2, // support for only TLS 1.2+
+#if FOLLY_OPENSSL_HAS_TLS13
     TLSv1_3,
+#endif
   };
 
   /**

diff --git a/folly/io/async/test/SSLContextTest.cpp b/folly/io/async/test/SSLContextTest.cpp
@@ -260,9 +260,13 @@ TEST_F(SSLContextTest, TestSetInvalidCiphersuite) {
 }
 #endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
 
-TEST_F(SSLContextTest, TestTLS13MinVersionThrow) {
-  EXPECT_THROW(SSLContext{SSLContext::SSLVersion::TLSv1_3}, std::runtime_error);
+#if FOLLY_OPENSSL_HAS_TLS13
+TEST_F(SSLContextTest, TestTLS13MinVersion) {
+  SSLContext sslContext{SSLContext::SSLVersion::TLSv1_3};
+  int minProtoVersion = SSL_CTX_get_min_proto_version(sslContext.getSSLCtx());
+  EXPECT_EQ(minProtoVersion, TLS1_3_VERSION);
 }
+#endif
 
 TEST_F(SSLContextTest, AdvertisedNextProtocols) {
   EXPECT_EQ(ctx.getAdvertisedNextProtocols(), "");