From f28b729cfff668951a239364e3959cf3a0d9988c Mon Sep 17 00:00:00 2001
From: Kajetan Nobel
Date: Thu, 12 Oct 2023 20:19:48 +0200
Subject: [PATCH] Support for TLS v1.3 (#5133)

* feat: adds support for TLSv1.3

Signed-off-by: Kajetan Nobel

* feat: update changelog

Signed-off-by: Kajetan Nobel

---------

Signed-off-by: Kajetan Nobel
---
 CHANGELOG.md | 1 +
 .../core_usage_data_service.mock.ts | 2 +-
 .../core_usage_data_service.test.ts | 1 +
 .../__snapshots__/http_config.test.ts.snap | 1 +
 src/core/server/http/ssl_config.test.ts | 23 ++++++++++++-------
 src/core/server/http/ssl_config.ts | 10 ++++++--
 6 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c4b1bf70e1..91fe7172b96 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2019-11358] Bump version of tinygradient from 0.4.3 to 1.1.5 ([#4742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4742))
 - [CVE-2021-3520] Bump `lmdb` from `2.8.0` to `2.8.5` ([#4804](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4804))
 - Remove examples and other unwanted artifacts from installed dependencies ([#4896](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4896))
+- Add support for TLS v1.3 ([#5133](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5133))
 
 ### 📈 Features/Enhancements
 
diff --git a/src/core/server/core_usage_data/core_usage_data_service.mock.ts b/src/core/server/core_usage_data/core_usage_data_service.mock.ts
index 5e1bcbe7867..ae6326a8c2e 100644
--- a/src/core/server/core_usage_data/core_usage_data_service.mock.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.mock.ts
@@ -105,7 +105,7 @@ const createStartContractMock = () => {
 keyConfigured: false,
 keystoreConfigured: false,
 redirectHttpFromPortConfigured: false,
- supportedProtocols: ['TLSv1.1', 'TLSv1.2'],
+ supportedProtocols: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
 truststoreConfigured: false,
 },
 xsrf: {
diff --git a/src/core/server/core_usage_data/core_usage_data_service.test.ts b/src/core/server/core_usage_data/core_usage_data_service.test.ts
index ff3b0f1a113..7e28a74b98d 100644
--- a/src/core/server/core_usage_data/core_usage_data_service.test.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.test.ts
@@ -163,6 +163,7 @@ describe('CoreUsageDataService', () => {
 "supportedProtocols": Array [
 "TLSv1.1",
 "TLSv1.2",
+ "TLSv1.3",
 ],
 "truststoreConfigured": false,
 },
diff --git a/src/core/server/http/__snapshots__/http_config.test.ts.snap b/src/core/server/http/__snapshots__/http_config.test.ts.snap
index 70c8abf4ed7..120299b6a34 100644
--- a/src/core/server/http/__snapshots__/http_config.test.ts.snap
+++ b/src/core/server/http/__snapshots__/http_config.test.ts.snap
@@ -78,6 +78,7 @@ Object {
 "supportedProtocols": Array [
 "TLSv1.1",
 "TLSv1.2",
+ "TLSv1.3",
 ],
 "truststore": Object {},
 },
diff --git a/src/core/server/http/ssl_config.test.ts b/src/core/server/http/ssl_config.test.ts
index db83e44e282..e1331f74e6b 100644
--- a/src/core/server/http/ssl_config.test.ts
+++ b/src/core/server/http/ssl_config.test.ts
@@ -277,14 +277,19 @@ describe('#sslSchema', () => {
 certificate: '/path/to/certificate',
 enabled: true,
 key: '/path/to/key',
- supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
+ supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
 };
 
 const singleKnownProtocolConfig = sslSchema.validate(singleKnownProtocol);
 expect(singleKnownProtocolConfig.supportedProtocols).toEqual(['TLSv1']);
 
 const allKnownProtocolsConfig = sslSchema.validate(allKnownProtocols);
- expect(allKnownProtocolsConfig.supportedProtocols).toEqual(['TLSv1', 'TLSv1.1', 'TLSv1.2']);
+ expect(allKnownProtocolsConfig.supportedProtocols).toEqual([
+ 'TLSv1',
+ 'TLSv1.1',
+ 'TLSv1.2',
+ 'TLSv1.3',
+ ]);
 });
 
 test('rejects unknown protocols`', () => {
@@ -299,21 +304,23 @@ describe('#sslSchema', () => {
 certificate: '/path/to/certificate',
 enabled: true,
 key: '/path/to/key',
- supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'SOMEv100500'],
+ supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SOMEv100500'],
 };
 
 expect(() => sslSchema.validate(singleUnknownProtocol)).toThrowErrorMatchingInlineSnapshot(`
 "[supportedProtocols.0]: types that failed validation:
 - [supportedProtocols.0.0]: expected value to equal [TLSv1]
 - [supportedProtocols.0.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]"
+- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.0.3]: expected value to equal [TLSv1.3]"
 `);
 expect(() => sslSchema.validate(allKnownWithOneUnknownProtocols))
 .toThrowErrorMatchingInlineSnapshot(`
-"[supportedProtocols.3]: types that failed validation:
-- [supportedProtocols.3.0]: expected value to equal [TLSv1]
-- [supportedProtocols.3.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.3.2]: expected value to equal [TLSv1.2]"
+"[supportedProtocols.4]: types that failed validation:
+- [supportedProtocols.4.0]: expected value to equal [TLSv1]
+- [supportedProtocols.4.1]: expected value to equal [TLSv1.1]
+- [supportedProtocols.4.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.4.3]: expected value to equal [TLSv1.3]"
 `);
 });
 });
diff --git a/src/core/server/http/ssl_config.ts b/src/core/server/http/ssl_config.ts
index 8887c14a13e..8fc725ca937 100644
--- a/src/core/server/http/ssl_config.ts
+++ b/src/core/server/http/ssl_config.ts
@@ -41,6 +41,7 @@ const protocolMap = new Map([
 ['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
 ['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
 ['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
+ ['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
 ]);
 
 export const sslSchema = schema.object(
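Review bot: Adding `'TLSv1.3'` to `protocolMap` changes what an existing explicit `supportedProtocols` list means, and neither the code nor the changelog line calls that out. The map pairs each protocol name with its `SSL_OP_NO_*` flag; the code that consumes it is outside this hunk, but if it ORs the flag for every protocol a deployment did not list (as the map's shape suggests), a config that pins `supportedProtocols: ['TLSv1.2']` now sets `SSL_OP_NO_TLSv1_3` and actively disables TLS 1.3, where before the runtime default decided. That is the right end state for an allow-list, but operators who pinned a list to drop TLS 1.1 would silently lose TLS 1.3, so the #5133 changelog entry should state that explicit lists need `'TLSv1.3'` added. A comment on the new entry, e.g. `// TLSv1.3 is part of the allow-list: configs that enumerate protocols explicitly must list it to keep TLS 1.3 enabled`, would make that visible at the map itself.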
@@ -67,8 +68,13 @@ export const sslSchema = schema.object(
 }),
 redirectHttpFromPort: schema.maybe(schema.number()),
 supportedProtocols: schema.arrayOf(
- schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
- { defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
+ schema.oneOf([
+ schema.literal('TLSv1'),
+ schema.literal('TLSv1.1'),
+ schema.literal('TLSv1.2'),
+ schema.literal('TLSv1.3'),
+ ]),
+ { defaultValue: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], minSize: 1 }
 ),
 clientAuthentication: schema.oneOf(
 [schema.literal('none'), schema.literal('optional'), schema.literal('required')],
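Review bot: The new `defaultValue` on the `supportedProtocols` line still enables `'TLSv1.1'` next to TLS 1.2 and 1.3, so out of the box the server keeps negotiating a protocol version that RFC 8996 deprecated, and the commit that widens the allow-list was the natural place to either drop it or document why it stays. If compatibility with older clients is the reason, a short comment beside the default, e.g. `// TLSv1.1 stays in the default for legacy clients; it is deprecated by RFC 8996 and should be removed once those clients are gone`, keeps that decision reviewable. Narrowing the default to `['TLSv1.2', 'TLSv1.3']` is a one-line edit here but a behaviour change for every unconfigured deployment, so it belongs in its own clearly announced change rather than in this one. The `sslSchema` object starts before this hunk and continues after it.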