added preliminary TLSv1.3 support with OpenSSL version 1.1.1

NetSSL_OpenSSL/include/Poco/Net/Context.h

@@ -42,6 +42,23 @@ class NetSSL_API Context: public Poco::RefCountedObject
 	///
 	/// The Context class is also used to control
 	/// SSL session caching on the server and client side.
+	///
+	/// A Note Regarding TLSv1.3 Support:
+	///
+	/// TLSv1.3 support requires at least OpenSSL version 1.1.1.
+	/// In order to enable TLSv1.3 support, specify TLSV1_3_CLIENT_USE
+	/// or TLSV1_3_SERVER_USE and make sure that the TLSv1.3
+	/// cipher suites are enabled:
+	///
+	///   - TLS_AES_256_GCM_SHA384
+	///   - TLS_CHACHA20_POLY1305_SHA256
+	///   - TLS_AES_128_GCM_SHA256
+	///   - TLS_AES_128_CCM_8_SHA256
+	///   - TLS_AES_128_CCM_SHA256
+	///
+	/// The first three of the above cipher suites should be enabled
+	/// by default in OpenSSL if you do not provide an explicit
+	/// cipher configuration (cipherList).
 {
 public:
 	typedef Poco::AutoPtr<Context> Ptr;
@@ -55,7 +72,9 @@ public:
 		TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
 		TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
 		TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
-		TLSV1_2_SERVER_USE  /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_2_SERVER_USE, /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_3_CLIENT_USE, /// Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
+		TLSV1_3_SERVER_USE  /// Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
 	};
 
 	enum VerificationMode
@@ -101,7 +120,8 @@ public:
 		PROTO_SSLV3   = 0x02,
 		PROTO_TLSV1   = 0x04,
 		PROTO_TLSV1_1 = 0x08,
-		PROTO_TLSV1_2 = 0x10
+		PROTO_TLSV1_2 = 0x10,
+		PROTO_TLSV1_3 = 0x20
 	};
 
 	struct NetSSL_API Params

NetSSL_OpenSSL/include/Poco/Net/SSLManager.h

@@ -42,7 +42,7 @@ class Context;
 
 
 class NetSSL_API SSLManager
-	/// SSLManager is a singleton for holding the default server/client 
+	/// SSLManager is a singleton for holding the default server/client
 	/// Context and handling callbacks for certificate verification errors
 	/// and private key passphrases.
 	///
@@ -62,7 +62,7 @@ class NetSSL_API SSLManager
 	/// ClientVerificationError and PrivateKeyPassphraseRequired events
 	/// must be registered.
 	///
-	/// An exemplary documentation which sets either the server or client default context and creates 
+	/// An exemplary documentation which sets either the server or client default context and creates
 	/// a PrivateKeyPassphraseHandler that reads the password from the XML file looks like this:
 	///
 	///    <AppConfig>
@@ -93,7 +93,8 @@ class NetSSL_API SSLManager
 	///            <requireTLSv1>true|false</requireTLSv1>
 	///            <requireTLSv1_1>true|false</requireTLSv1_1>
 	///            <requireTLSv1_2>true|false</requireTLSv1_2>
-	///            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2</disableProtocols>
+	///            <requireTLSv1_3>true|false</requireTLSv1_3>
+	///            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2,tlsv1_3</disableProtocols>
 	///            <dhParamsFile>dh.pem</dhParamsFile>
 	///            <ecdhCurve>prime256v1</ecdhCurve>
 	///          </server|client>
@@ -104,7 +105,7 @@ class NetSSL_API SSLManager
 	/// Following is a list of supported configuration properties. Property names must always
 	/// be prefixed with openSSL.server or openSSL.client. Some properties are only supported
 	/// for servers.
-	/// 
+	///
 	///    - privateKeyFile (string): The path to the file containing the private key for the certificate
 	///      in PEM format (or containing both the private key and the certificate).
 	///    - certificateFile (string): The Path to the file containing the server's or client's certificate
@@ -117,9 +118,9 @@ class NetSSL_API SSLManager
 	///    - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used.
 	///    - cipherList (string): Specifies the supported ciphers in OpenSSL notation
 	///      (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
-	///    - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the 
-	///      client preferences. When not called, the SSL server will always follow the clients 
-	///      preferences. When called, the SSL/TLS server will choose following its own 
+	///    - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the
+	///      client preferences. When not called, the SSL server will always follow the clients
+	///      preferences. When called, the SSL/TLS server will choose following its own
 	///      preferences.
 	///    - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler)
 	///      used for obtaining the passphrase for accessing the private key.
@@ -127,14 +128,14 @@ class NetSSL_API SSLManager
 	///    - invalidCertificateHandler.name: The name of the class (subclass of CertificateHandler)
 	///      used for confirming invalid certificates.
 	///    - cacheSessions (boolean): Enables or disables session caching.
-	///    - sessionIdContext (string): contains the application's unique session ID context, which becomes 
-	///      part of each session identifier generated by the server. Can be an arbitrary sequence 
+	///    - sessionIdContext (string): contains the application's unique session ID context, which becomes
+	///      part of each session identifier generated by the server. Can be an arbitrary sequence
 	///      of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH. Should be specified
 	///      for a server to enable session caching. Should be specified even if session caching
 	///      is disabled to avoid problems with clients that request session caching (e.g. Firefox 3.6).
 	///      If not specified, defaults to ${application.name}.
 	///    - sessionCacheSize (integer): Sets the maximum size of the server session cache, in number of
-	///      sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too 
+	///      sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too
 	///      large for many applications, especially on embedded platforms with limited memory.
 	///      Specifying a size of 0 will set an unlimited cache size.
 	///    - sessionTimeout (integer):  Sets the timeout (in seconds) of cached sessions on the server.
@@ -143,14 +144,17 @@ class NetSSL_API SSLManager
 	///    - requireTLSv1 (boolean): Require a TLSv1 connection.
 	///    - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
 	///    - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
+	///    - requireTLSv1_3 (boolean): Require a TLSv1.3 connection
 	///    - disableProtocols (string): A comma-separated list of protocols that should be
-	///      disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2.
+	///      disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3.
 	///    - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
 	///      If not specified or empty, the default parameters are used.
 	///    - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based
 	///      on the curve names specified in RFC 4492. Defaults to "prime256v1".
-	///    - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version 
+	///    - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
 	///      that this library is built against supports FIPS mode.
+	///
+	/// Please see the Context class documentation regarding TLSv1.3 support.
 {
 public:
 	typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr;
@@ -176,7 +180,7 @@ public:
 		/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
 		/// must be registered with the ServerVerificationError and PrivateKeyPassphraseRequired events.
 		///
-		/// Note: Always create the handlers (or register the corresponding event delegates) before creating 
+		/// Note: Always create the handlers (or register the corresponding event delegates) before creating
 		/// the Context, as during creation of the Context the passphrase for the private key might be needed.
 		///
 		/// Valid initialization code would be:
@@ -192,7 +196,7 @@ public:
 		/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
 		/// must be registered with the ClientVerificationError and PrivateKeyPassphraseRequired events.
 		///
-		/// Note: Always create the handlers (or register the corresponding event delegates) before creating 
+		/// Note: Always create the handlers (or register the corresponding event delegates) before creating
 		/// the Context, as during creation of the Context the passphrase for the private key might be needed.
 		///
 		/// Valid initialization code would be:
@@ -202,13 +206,13 @@ public:
 		///     SSLManager::instance().initializeClient(pConsoleHandler, pInvalidCertHandler, pContext);
 
 	Context::Ptr defaultServerContext();
-		/// Returns the default Context used by the server. 
+		/// Returns the default Context used by the server.
 		///
 		/// Unless initializeServer() has been called, the first call to this method initializes the default Context
 		/// from the application configuration.
 
 	Context::Ptr defaultClientContext();
-		/// Returns the default Context used by the client. 
+		/// Returns the default Context used by the client.
 		///
 		/// Unless initializeClient() has been called, the first call to this method initializes the default Context
 		/// from the application configuration.
@@ -230,16 +234,16 @@ public:
 		/// If none is set, it will try to auto-initialize one from an application configuration.
 
 	PrivateKeyFactoryMgr& privateKeyFactoryMgr();
-		/// Returns the private key factory manager which stores the 
+		/// Returns the private key factory manager which stores the
 		/// factories for the different registered passphrase handlers for private keys.
 
 	CertificateHandlerFactoryMgr& certificateHandlerFactoryMgr();
-		/// Returns the CertificateHandlerFactoryMgr which stores the 
+		/// Returns the CertificateHandlerFactoryMgr which stores the
 		/// factories for the different registered certificate handlers.
 
 	static bool isFIPSEnabled();
 		// Returns true if FIPS mode is enabled, false otherwise.
-		
+
 	void shutdown();
 		/// Shuts down the SSLManager and releases the default Context
 		/// objects. After a call to shutdown(), the SSLManager can no
@@ -267,7 +271,7 @@ protected:
 		/// Method is invoked by OpenSSL to retrieve a passwd for an encrypted certificate.
 		/// The request is delegated to the PrivatekeyPassword event. This method returns the
 		/// length of the password.
-		
+
 	static Poco::Util::AbstractConfiguration& appConfig();
 		/// Returns the application configuration.
 		///
@@ -333,6 +337,7 @@ private:
 	static const std::string CFG_REQUIRE_TLSV1;
 	static const std::string CFG_REQUIRE_TLSV1_1;
 	static const std::string CFG_REQUIRE_TLSV1_2;
+	static const std::string CFG_REQUIRE_TLSV1_3;
 	static const std::string CFG_DISABLE_PROTOCOLS;
 	static const std::string CFG_DH_PARAMS_FILE;
 	static const std::string CFG_ECDH_CURVE;