Add ability to enable TLS 1.3 in folly::SSLContext

Summary: As a step to eventually supporting TLS 1.3 by default for OpenSSL, we want to add the ability to selectively enable TLS 1.3 in folly::SSLContext.

Reviewed By: mingtaoy

Differential Revision: D20102778

fbshipit-source-id: 0865821ad2730482e797b888d16561b6989dca62

folly/io/async/SSLContext.cpp

@@ -63,8 +63,8 @@ SSLContext::SSLContext(SSLVersion version) {
     // on getSession() returning a resumable session, SSL_CTX_set_ciphersuites,
     // etc.)
     //
-#if FOLLY_OPENSSL_HAS_TLS13
-  opt |= SSL_OP_NO_TLSv1_3;
+#if FOLLY_OPENSSL_IS_110
+  SSL_CTX_set_max_proto_version(ctx_, TLS1_2_VERSION);
 #endif
 
   int newOpt = SSL_CTX_set_options(ctx_, opt);
@@ -649,6 +649,12 @@ std::string SSLContext::getErrors(int errnoCopy) {
   return errors;
 }
 
+void SSLContext::enableTLS13() {
+#if FOLLY_OPENSSL_IS_110
+  SSL_CTX_set_max_proto_version(ctx_, 0);
+#endif
+}
+
 std::ostream& operator<<(std::ostream& os, const PasswordCollector& collector) {
   os << collector.describe();
   return os;

folly/io/async/SSLContext.h

@@ -552,6 +552,13 @@ class SSLContext {
    */
   static bool matchName(const char* host, const char* pattern, int size);
 
+  /**
+   * Temporary. Will be removed after TLS1.3 is enabled by default.
+   * Function to enable TLS1.3 in OpenSSL versions that support it.
+   * Used to migrate users to TLS1.3 piecemeal.
+   */
+  void enableTLS13();
+
   [[deprecated("Use folly::ssl::init")]] static void initializeOpenSSL();
 
  protected: