From 7c5c1dd6cc06cf49e5c4d9415b7aa2100a5a37d0 Mon Sep 17 00:00:00 2001
From: Jan <jsteemann@users.noreply.github.com>
Date: Mon, 4 Nov 2019 11:31:09 +0100
Subject: [PATCH] @neunhoef (#10335)

---
 CHANGELOG                                    | 12 +++++++-----
 arangod/GeneralServer/SslServerFeature.cpp   |  6 +-----
 lib/SimpleHttpClient/SslClientConnection.cpp |  5 +++++
 lib/Ssl/ssl-helper.cpp                       | 16 ++++++++++++----
 lib/Ssl/ssl-helper.h                         |  1 +
 5 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index e7bee717ab..0667213f14 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -167,12 +167,13 @@ devel
 * Fixed internal issue #4407: remove storage engine warning.
 
 * Added support for TLS 1.3 for the arangod server and the client tools.
+  
+  The arangod server can be started with option `--ssl.protocol 6` to make it require
+  TLS 1.3 for incoming client connections. The server can be started with option 
+  `--ssl.protocol 5` to make it require TLS 1.2, as in previous versions of arangod.
 
-  The default TLS protocol for the arangod server is now TLS 1.3 as well, in
-  contrast to TLS 1.2 in previous versions.
-
-  The arangod server can be started with option `--ssl.protocol 5` to make it use
-  TLS 1.2 again.
+  The default TLS protocol for the arangod server is now generic TLS, which will allow
+  the negotation of the TLS version between the client and the server.
 
   All client tools also support TLS 1.3, by using the `--ssl.protocol 6` option when
   invoking them. The client tools will use TLS 1.2 by default, in order to be
@@ -185,6 +186,7 @@ devel
   - 4 = TLSv1
   - 5 = TLSv1.2
   - 6 = TLSv1.3
+  - 9 = generic TLS
 
 * Added TransactionStatistics to ServerStatistics (transactions started /
   aborted / committed and number of intermediate commits).
diff --git a/arangod/GeneralServer/SslServerFeature.cpp b/arangod/GeneralServer/SslServerFeature.cpp
index d7dee35364..017cd5a443 100644
--- a/arangod/GeneralServer/SslServerFeature.cpp
+++ b/arangod/GeneralServer/SslServerFeature.cpp
@@ -67,11 +67,7 @@ SslServerFeature::SslServerFeature(application_features::ApplicationServer& serv
       _keyfile(),
       _sessionCache(false),
       _cipherList("HIGH:!EXPORT:!aNULL@STRENGTH"),
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-      _sslProtocol(TLS_V13),
-#else
-      _sslProtocol(TLS_V12),
-#endif
+      _sslProtocol(TLS_GENERIC),
       _sslOptions(asio_ns::ssl::context::default_workarounds |
                   asio_ns::ssl::context::single_dh_use),
       _ecdhCurve("prime256v1") {
diff --git a/lib/SimpleHttpClient/SslClientConnection.cpp b/lib/SimpleHttpClient/SslClientConnection.cpp
index 895254648e..e559021d93 100644
--- a/lib/SimpleHttpClient/SslClientConnection.cpp
+++ b/lib/SimpleHttpClient/SslClientConnection.cpp
@@ -265,6 +265,10 @@ void SslClientConnection::init(uint64_t sslProtocol) {
       break;
 #endif
 
+    case TLS_GENERIC:
+      meth = TLS_client_method();
+      break;
+
     case SSL_UNKNOWN:
     default:
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
@@ -331,6 +335,7 @@ bool SslClientConnection::connectSocket() {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
     case TLS_V13:
 #endif
+    case TLS_GENERIC:
     default:
       SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str());
   }
diff --git a/lib/Ssl/ssl-helper.cpp b/lib/Ssl/ssl-helper.cpp
index 94557b6ebf..7e660d39bd 100644
--- a/lib/Ssl/ssl-helper.cpp
+++ b/lib/Ssl/ssl-helper.cpp
@@ -86,6 +86,10 @@ asio_ns::ssl::context arangodb::sslContext(SslProtocol protocol, std::string con
       break;
 #endif
 
+    case TLS_GENERIC:
+      meth = asio_ns::ssl::context::method::tls_server;
+      break;
+
     default:
       THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
                                      "unknown SSL protocol method");
@@ -149,6 +153,9 @@ std::string arangodb::protocolName(SslProtocol protocol) {
     case TLS_V13:
       return "TLSv13";
 #endif
+    
+    case TLS_GENERIC:
+      return "TLS";
 
     default:
       return "unknown";
@@ -163,12 +170,13 @@ std::unordered_set<uint64_t> arangodb::availableSslProtocols() {
   return std::unordered_set<uint64_t>{SslProtocol::SSL_V2,  // unsupported!
                                       SslProtocol::SSL_V23, SslProtocol::SSL_V3,
                                       SslProtocol::TLS_V1, SslProtocol::TLS_V12,
-                                      SslProtocol::TLS_V13};
+                                      SslProtocol::TLS_V13, SslProtocol::TLS_GENERIC};
 #else
   // no support for TLS 1.3                                      
   return std::unordered_set<uint64_t>{SslProtocol::SSL_V2,  // unsupported!
                                       SslProtocol::SSL_V23, SslProtocol::SSL_V3,
-                                      SslProtocol::TLS_V1, SslProtocol::TLS_V12};
+                                      SslProtocol::TLS_V1, SslProtocol::TLS_V12,
+                                      SslProtocol::TLS_GENERIC};
 #endif
 }
 
@@ -176,11 +184,11 @@ std::string arangodb::availableSslProtocolsDescription() {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
   return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
          "(negotiated), 3 = SSLv3, 4 = "
-         "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3)";
+         "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3, 9 = generic TLS)";
 #else
   return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
          "(negotiated), 3 = SSLv3, 4 = "
-         "TLSv1, 5 = TLSv1.2)";
+         "TLSv1, 5 = TLSv1.2, 9 = generic TLS)";
 #endif
 }
 
diff --git a/lib/Ssl/ssl-helper.h b/lib/Ssl/ssl-helper.h
index 6215d2aa1c..d063d2e549 100644
--- a/lib/Ssl/ssl-helper.h
+++ b/lib/Ssl/ssl-helper.h
@@ -53,6 +53,7 @@ enum SslProtocol {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
   TLS_V13 = 6,
 #endif
+  TLS_GENERIC = 9,
 
   SSL_LAST
 };