Add the ability to turn on non-DHE resumption for clients in TLS 1.3

Summary:
Add API to allow clients to advertise support for psk_ke (non-DHE) resumption. Unfortunately, OpenSSL has no option to allow servers to support psk_ke resumption.

SSL_OP_ALLOW_NO_DHE_KEX option was added in OpenSSL 1.1.1, so add the appropriate guard.

Reviewed By: mingtaoy

Differential Revision: D24546720

fbshipit-source-id: fd7c5b3a9f4c572876f9b421ee8f74ba7d5e252c

folly/io/async/SSLContext.cpp

@@ -778,6 +778,15 @@ void SSLContext::setCiphersuitesOrThrow(const std::string& ciphersuites) {
     throw std::runtime_error("SSL_CTX_set_ciphersuites: " + getErrors());
   }
 }
+
+void SSLContext::setAllowNoDheKex(bool flag) {
+  auto opt = SSL_OP_ALLOW_NO_DHE_KEX;
+  if (flag) {
+    SSL_CTX_set_options(ctx_, opt);
+  } else {
+    SSL_CTX_clear_options(ctx_, opt);
+  }
+}
 #endif // FOLLY_OPENSSL_PREREQ(1, 1, 1)
 
 std::ostream& operator<<(std::ostream& os, const PasswordCollector& collector) {

folly/io/async/SSLContext.h

@@ -567,6 +567,13 @@ class SSLContext {
    * Throws if unsuccessful.
    */
   void setCiphersuitesOrThrow(const std::string& ciphersuites);
+
+  /**
+   * Enables/disables non-DHE (Ephemeral Diffie-Hellman) PSK key
+   * exchange for TLS 1.3 resumption. Note that this key exchange
+   * mode gives up forward secrecy on the resumed session.
+   */
+  void setAllowNoDheKex(bool flag);
 #endif
 
   [[deprecated("Use folly::ssl::init")]] static void initializeOpenSSL();