Extend TLS Support (#8505)

* tls13: This commit brings TLS 1.3 to Netdata

* tls13: Update variables on slave side

* tls13: Fix compilation error for old libraries

* tls13: Fix compilation error for old libraries 2

* tls13 remove ciphers

* tls13: TLS versions

This commit brings the missing tls versions accpeted for Netdata
and it also brings documentation update related to these versions

* tls13: Remove dupplication

This commit removes wrong dupplication of code

* tls13: Documentation

This commit brings fix for the documentation

* tls13: Remove magic number

This commit removes the magic number to allow the code to be readable

* tls13: TLS version

Small adjust with TLS version

* tls13: Security Init

This commit removes array from the function and overwrite the magic number
with a string

* tls13: Remove new variable name from stream

* tls13: OpenSSL versions and old key name

This commit removes the new key names and also update the names
used to define openssl version

2 files changed, 61 insertions, 26 deletions

diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 6781dc6f5b..486a2f711b 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -7,6 +7,8 @@ SSL_CTX *netdata_client_ctx=NULL;
 SSL_CTX *netdata_srv_ctx=NULL;
 const char *security_key=NULL;
 const char *security_cert=NULL;
+const char *tls_version=NULL;
+const char *tls_ciphers=NULL;
 int netdata_validate_server =  NETDATA_SSL_VALID_CERTIFICATE;
 
 /**
@@ -32,14 +34,12 @@ static void security_info_callback(const SSL *ssl, int where, int ret __maybe_un
  */
 void security_openssl_library()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-# if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
+# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097)
     OPENSSL_config(NULL);
 # endif
 
-# if OPENSSL_API_COMPAT < 0x10100000L
     SSL_load_error_strings();
-# endif
 
     SSL_library_init();
 #else
@@ -49,32 +49,60 @@ void security_openssl_library()
 #endif
 }
 
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110
+/**
+ * TLS version
+ *
+ * Returns the TLS version depending of the user input.
+ *
+ * @param lversion is the user input.
+ *
+ * @return it returns the version number.
+ */
+int tls_select_version(const char *lversion) {
+    if (!strcmp(lversion, "1") || !strcmp(lversion, "1.0"))
+        return TLS1_VERSION;
+    else if (!strcmp(lversion, "1.1"))
+        return TLS1_1_VERSION;
+    else if (!strcmp(lversion, "1.2"))
+        return TLS1_2_VERSION;
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_111
+    else if (!strcmp(lversion, "1.3"))
+        return TLS1_3_VERSION;
+#endif
+
+    return TLS_MAX_VERSION;
+}
+#endif
+
 /**
  * OpenSSL common options
  *
  * Clients and SERVER have common options, this function is responsible to set them in the context.
  *
- * @param ctx
+ * @param ctx the initialized SSL context.
+ * @param side 0 means server, and 1 client.
  */
-void security_openssl_common_options(SSL_CTX *ctx) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-    static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"};
+void security_openssl_common_options(SSL_CTX *ctx, int side) {
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110
+    if (!side) {
+        int version =  tls_select_version(tls_version) ;
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
+        SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
 #else
-    SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-    //We are avoiding the TLS v1.3 for while, because Google Chrome
-    //is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it.
-    SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
-#endif
-    SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+        SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+        SSL_CTX_set_max_proto_version(ctx, version);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-    if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
-        error("SSL error. cannot set the cipher list");
+        if(tls_ciphers  && strcmp(tls_ciphers, "none") != 0) {
+            if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) {
+                error("SSL error. cannot set the cipher list");
+            }
+        }
     }
 #endif
+
+    SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 }
 
 /**
@@ -86,13 +114,13 @@ void security_openssl_common_options(SSL_CTX *ctx) {
  */
 SSL_CTX * security_initialize_openssl_client() {
     SSL_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
     ctx = SSL_CTX_new(SSLv23_client_method());
 #else
     ctx = SSL_CTX_new(TLS_client_method());
 #endif
     if(ctx) {
-        security_openssl_common_options(ctx);
+        security_openssl_common_options(ctx, 1);
     }
 
     return ctx;
@@ -111,7 +139,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 	static int netdata_id_context = 1;
 
     //TO DO: Confirm the necessity to check return for other OPENSSL function
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
 	ctx = SSL_CTX_new(SSLv23_server_method());
     if (!ctx) {
 		error("Cannot create a new SSL context, netdata won't encrypt communication");
@@ -128,7 +156,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 
     SSL_CTX_use_certificate_chain_file(ctx, security_cert);
 #endif
-    security_openssl_common_options(ctx);
+    security_openssl_common_options(ctx, 0);
 
     SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
 
@@ -142,7 +170,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 	SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context));
     SSL_CTX_set_info_callback(ctx,security_info_callback);
 
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095)
 	SSL_CTX_set_verify_depth(ctx,1);
 #endif
     debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n");
@@ -207,7 +235,7 @@ void security_clean_openssl() {
         SSL_CTX_free(netdata_opentsdb_ctx);
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
     ERR_free_strings();
 #endif
 }
diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h
index 741135c1f9..01703d7863 100644
--- a/libnetdata/socket/security.h
+++ b/libnetdata/socket/security.h
@@ -17,9 +17,14 @@
 
 # ifdef ENABLE_HTTPS
 
+#define OPENSSL_VERSION_095 0x00905100L
+#define OPENSSL_VERSION_097 0x0907000L
+#define OPENSSL_VERSION_110 0x10100000L
+#define OPENSSL_VERSION_111 0x10101000L
+
 #  include <openssl/ssl.h>
 #  include <openssl/err.h>
-#  if (SSLEAY_VERSION_NUMBER >= 0x0907000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#  if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110)
 #   include <openssl/conf.h>
 #  endif
 
@@ -33,6 +38,8 @@ extern SSL_CTX *netdata_client_ctx;
 extern SSL_CTX *netdata_srv_ctx;
 extern const char *security_key;
 extern const char *security_cert;
+extern const char *tls_version;
+extern const char *tls_ciphers;
 extern int netdata_validate_server;
 extern int security_location_for_context(SSL_CTX *ctx,char *file,char *path);