From 34957ee223f861805599572786731d4eb86afffe Mon Sep 17 00:00:00 2001 From: Jan Date: Wed, 28 Aug 2019 13:05:00 +0200 Subject: [PATCH] Feature 3.5/enable tlsv13 (#9818) * define TLS_V13 symbol only conditionally * updated CHANGELOG --- CHANGELOG | 16 ++++++++++++++++ lib/SimpleHttpClient/SslClientConnection.cpp | 8 +++----- lib/Ssl/ssl-helper.cpp | 14 +++++++++----- lib/Ssl/ssl-helper.h | 2 ++ 4 files changed, 30 insertions(+), 10 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 8e4377e884..6bdcca3859 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,22 @@ v3.5.1 (XXXX-XX-XX) ------------------- +* Added support for TLS 1.3 for the arangod server and the client tools. + + The default TLS protocol for the arangod server is still TLS 1.2 however, in order + to keep compatibility with previous versions of ArangoDB. + + The arangod server and any of the client tools can be started with option + `--ssl.protocol 6` to make use of TLS 1.3. + + To configure the TLS version for arangod instances started by the ArangoDB starter, + one can use the `--all.ssl.protocol=VALUE` startup option for the ArangoDB starter, + where VALUE is one of the following: + + - 4 = TLSv1 + - 5 = TLSv1.2 + - 6 = TLSv1.3 + * Fixed parsing of "NOT IN" in AQL, which previously didn't correctly parse "NOT IN_RANGE(...)" because it checked if the "NOT" token was followed by whitespace and then the two letters "IN". diff --git a/lib/SimpleHttpClient/SslClientConnection.cpp b/lib/SimpleHttpClient/SslClientConnection.cpp index 8865492b09..1d9ffb7421 100644 --- a/lib/SimpleHttpClient/SslClientConnection.cpp +++ b/lib/SimpleHttpClient/SslClientConnection.cpp 
@@ -242,18 +242,14 @@ void SslClientConnection::init(uint64_t sslProtocol) { #endif break; - case TLS_V13: // TLS 1.3, only supported from OpenSSL 1.1.1 onwards // openssl version number format is // MNNFFPPS: major minor fix patch status #if OPENSSL_VERSION_NUMBER >= 0x10101000L + case TLS_V13: meth = TLS_client_method(); break; -#else - // no TLS 1.3 support - THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED, - "TLS 1.3 is not supported in this build"); #endif case SSL_UNKNOWN: @@ -319,7 +315,9 @@ bool SslClientConnection::connectSocket() { switch (SslProtocol(_sslProtocol)) { case TLS_V1: case TLS_V12: +#if OPENSSL_VERSION_NUMBER >= 0x10101000L case TLS_V13: +#endif default: SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str()); } diff --git a/lib/Ssl/ssl-helper.cpp b/lib/Ssl/ssl-helper.cpp index 6c76ecaabd..218612d541 100644 --- a/lib/Ssl/ssl-helper.cpp +++ b/lib/Ssl/ssl-helper.cpp @@ -67,17 +67,13 @@ asio_ns::ssl::context arangodb::sslContext(SslProtocol protocol, std::string con meth = context::method::tlsv12_server; break; +#if OPENSSL_VERSION_NUMBER >= 0x10101000L case TLS_V13: // TLS 1.3, only supported from OpenSSL 1.1.1 onwards -#if OPENSSL_VERSION_NUMBER >= 0x10101000L // openssl version number format is // MNNFFPPS: major minor fix patch status meth = context::method::tlsv13_server; break; -#else - // no TLS 1.3 support - THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED, - "TLS 1.3 is not supported in this build"); #endif default: @@ -137,8 +133,10 @@ std::string arangodb::protocolName(SslProtocol protocol) { case TLS_V12: return "TLSv12"; +#if OPENSSL_VERSION_NUMBER >= 0x10101000L case TLS_V13: return "TLSv13"; +#endif default: return "unknown"; 
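Review bot: Dropping the `#else` branch means a pre-1.1.1 OpenSSL build no longer fails with the explicit `TLS 1.3 is not supported in this build` message for protocol value 6; because `TLS_V13` is no longer an enumerator in such a build, `SslProtocol(_sslProtocol)` with value 6 now falls into whatever the switch's `default:` arm does, which is outside this hunk, so the rejection (if any) becomes implicit and generic. The same `#else` removal is made in `sslContext` in lib/Ssl/ssl-helper.cpp and has the same effect there. Separately, the three comment lines about TLS 1.3 and the OpenSSL version-number format now sit between the previous case's `break;` and the `#if`, outside the block they describe, whereas `sslContext` keeps the same comment inside the `#if`; moving them so the new code reads `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` / `case TLS_V13:  // TLS 1.3, only supported from OpenSSL 1.1.1 onwards` keeps the two files consistent. `init` starts and ends outside the hunk.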
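Review bot: In `connectSocket` the `case TLS_V1:`, `case TLS_V12:` and the newly guarded `case TLS_V13:` labels all fall straight through to `default:`, so they change nothing and the added `#if`/`#endif` exists only to keep a no-op label compiling. Either reduce the switch to its `default:` arm (a bare `SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str());`) or add a comment such as `// SNI is set regardless of protocol; the labels only document which versions use it` so the next reader does not look for a behavioural difference. `connectSocket` starts and ends outside the hunk.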
@@ -163,9 +161,15 @@ std::unordered_set arangodb::availableSslProtocols() { } std::string arangodb::availableSslProtocolsDescription() { +#if OPENSSL_VERSION_NUMBER >= 0x10101000L + return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 " + "(negotiated), 3 = SSLv3, 4 = " + "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3)"; +#else return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 " "(negotiated), 3 = SSLv3, 4 = " "TLSv1, 5 = TLSv1.2)"; +#endif } //////////////////////////////////////////////////////////////////////////////// diff --git a/lib/Ssl/ssl-helper.h b/lib/Ssl/ssl-helper.h index 3b357d36d3..5c7cac8615 100644 --- a/lib/Ssl/ssl-helper.h +++ b/lib/Ssl/ssl-helper.h @@ -48,7 +48,9 @@ enum SslProtocol { SSL_V3 = 3, TLS_V1 = 4, TLS_V12 = 5, +#if OPENSSL_VERSION_NUMBER >= 0x10101000L TLS_V13 = 6, +#endif SSL_LAST };
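Review bot: `availableSslProtocolsDescription` now carries two near-identical string literals that differ only in the `, 6 = TLSv1.3` suffix, so every future wording change has to be made twice; adjacent-literal concatenation lets the `#if` wrap just the extra fragment and keeps a single copy of the shared text. The list is also maintained by hand separately from `availableSslProtocols()` (whose closing brace is visible just above), so the two can drift; a one-line comment pointing at that function, e.g. `// keep in sync with availableSslProtocols()`, would help.
```cpp
std::string arangodb::availableSslProtocolsDescription() {
  // keep in sync with availableSslProtocols()
  return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
         "(negotiated), 3 = SSLv3, 4 = "
         "TLSv1, 5 = TLSv1.2"
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
         ", 6 = TLSv1.3"
#endif
         ")";
}
```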
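Review bot: Making `TLS_V13` conditional on `OPENSSL_VERSION_NUMBER` inside a shared header ties the shape of `enum SslProtocol` to include order: an undefined macro evaluates to 0 in `#if`, so any translation unit that includes ssl-helper.h without an OpenSSL header first would silently get an enum without `TLS_V13` and with `SSL_LAST` equal to 6 instead of 7, which would be an ODR violation between translation units and a different upper bound for any range check that uses `SSL_LAST`. The header's includes are outside the hunk; if ssl-helper.h does not already pull in OpenSSL's version macros, add `#include <openssl/opensslv.h>` above the enum, or fail loudly with `#ifndef OPENSSL_VERSION_NUMBER` / `#error "ssl-helper.h requires OpenSSL version macros"`. It is also worth a comment next to `SSL_LAST` noting that its value now differs between pre- and post-1.1.1 OpenSSL builds, since a numeric `--ssl.protocol 6` compares equal to `SSL_LAST` on the older builds.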