From 756bc3c33f9837dd97a045420547d0278e33e4cf Mon Sep 17 00:00:00 2001
From: Mikhail Koviazin
Date: Mon, 23 Mar 2026 12:18:46 +0100
Subject: [PATCH 1/2] add TLSv1.3 support to disableProtocols configuration

The disableProtocols mechanism only handled sslv2 through tlsv1_2. Specifying "tlsv1_3" in the config was silently ignored, so TLS 1.3 connections could not be disabled. This matters for FIPS testing where we need to verify that disabling all protocols actually prevents all connections. Add PROTO_TLSV1_3 to the Protocols enum, handle SSL_OP_NO_TLSv1_3 in Context::disableProtocols(), and parse "tlsv1_3" in all four config readers (SSLManager, TLSHandler, PostgreSQLHandler, KeeperServer).
---
 base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h | 3 ++-
 base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h | 2 +-
 base/poco/NetSSL_OpenSSL/src/Context.cpp | 6 ++++++
 base/poco/NetSSL_OpenSSL/src/SSLManager.cpp | 2 ++
 src/Coordination/KeeperServer.cpp | 2 ++
 src/Server/PostgreSQLHandler.cpp | 2 ++
 src/Server/TLSHandler.cpp | 2 ++
 7 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h b/base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h
index 2c56875835e7..b36a2053b4df 100644
--- a/base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -102,7 +102,8 @@ namespace Net
         PROTO_SSLV3 = 0x02,
         PROTO_TLSV1 = 0x04,
         PROTO_TLSV1_1 = 0x08,
-        PROTO_TLSV1_2 = 0x10
+        PROTO_TLSV1_2 = 0x10,
+        PROTO_TLSV1_3 = 0x20
     };
 
     struct NetSSL_API CAPaths
diff --git a/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h b/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
index 25dc133fb204..452cb7f60ff4 100644
--- a/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -96,7 +96,7 @@ namespace Net
     /// true|false
     /// true|false
     /// true|false
-    /// sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2
+    /// sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2,tlsv1_3
     /// dh.pem
     /// prime256v1
     ///
diff --git a/base/poco/NetSSL_OpenSSL/src/Context.cpp b/base/poco/NetSSL_OpenSSL/src/Context.cpp
index 6a5aa1af48ab..177761a09f7c 100644
--- a/base/poco/NetSSL_OpenSSL/src/Context.cpp
+++ b/base/poco/NetSSL_OpenSSL/src/Context.cpp
@@ -515,6 +515,12 @@ void Context::disableProtocols(int protocols)
     {
 #if defined(SSL_OP_NO_TLSv1_2)
         SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_2);
+#endif
+    }
+    if (protocols & PROTO_TLSV1_3)
+    {
+#if defined(SSL_OP_NO_TLSv1_3)
+        SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_3);
 #endif
     }
 }
diff --git a/base/poco/NetSSL_OpenSSL/src/SSLManager.cpp b/base/poco/NetSSL_OpenSSL/src/SSLManager.cpp
index ae04a9947865..6a4b12f42f6d 100644
--- a/base/poco/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/base/poco/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -324,6 +324,8 @@ void SSLManager::initDefaultContext(bool server)
             disabledProtocols |= Context::PROTO_TLSV1_1;
         else if (*it == "tlsv1_2")
             disabledProtocols |= Context::PROTO_TLSV1_2;
+        else if (*it == "tlsv1_3")
+            disabledProtocols |= Context::PROTO_TLSV1_3;
     }
     if (server)
         _ptrDefaultServerContext->disableProtocols(disabledProtocols);
diff --git a/src/Coordination/KeeperServer.cpp b/src/Coordination/KeeperServer.cpp
index 7865b0c23735..517005d56d93 100644
--- a/src/Coordination/KeeperServer.cpp
+++ b/src/Coordination/KeeperServer.cpp
@@ -138,6 +138,8 @@ auto getSslContextProvider(const Poco::Util::AbstractConfiguration & config, std
             disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_1;
         else if (token == "tlsv1_2")
             disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_2;
+        else if (token == "tlsv1_3")
+            disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_3;
     }
 
     auto prefer_server_cypher = config.getBool(fmt::format("openSSL.{}.preferServerCiphers", key), false);
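Review bot: The new `#if defined(SSL_OP_NO_TLSv1_3)` guard around the `SSL_CTX_set_options` call turns a request to disable TLS 1.3 into a silent no-op on OpenSSL headers that lack the option, and nothing in the hunk says why that is acceptable rather than an error. A comment above the `#if` would settle it for the next reader, e.g. `// SSL_OP_NO_TLSv1_3 arrived together with TLS 1.3 itself (OpenSSL 1.1.1); a build without it cannot negotiate TLS 1.3, so there is nothing to disable.` Where the build is known to be on OpenSSL 1.1.0 or newer, `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` express the same intent without a per-version `#if` ladder, though converting the whole function is beyond this change. The body of disableProtocols() starts before this hunk.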
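Review bot: After the added `else if (*it == "tlsv1_3")` the chain runs straight into the loop's closing `}` with no final `else`, so any other spelling (`tlsv13`, `TLSv1_3`, a token with a stray space) still leaves that protocol enabled with no signal at all — the same silent-ignore failure mode this commit fixes for `tlsv1_3`. Given that the stated goal is being certain that disabling protocols really disables them, an unrecognised name should be rejected, e.g. `else throw Poco::InvalidArgumentException("Unknown protocol in disableProtocols: " + *it);` (assuming `*it` is a std::string as a StringTokenizer yields), or at the very least logged; rejecting is a behaviour change for existing configs that contain a typo, which is arguably the point. The KeeperServer.cpp, PostgreSQLHandler.cpp and TLSHandler.cpp hunks end the same way, with `}` immediately after the new branch, and need the same treatment. The loop and initDefaultContext() begin before this hunk.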
diff --git a/src/Server/PostgreSQLHandler.cpp b/src/Server/PostgreSQLHandler.cpp
index e07ef9db35d0..7258759918bb 100644
--- a/src/Server/PostgreSQLHandler.cpp
+++ b/src/Server/PostgreSQLHandler.cpp
@@ -122,6 +122,8 @@ PostgreSQLHandler::PostgreSQLHandler(
             disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_1;
         else if (token == "tlsv1_2")
             disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_2;
+        else if (token == "tlsv1_3")
+            disabled_protocols |= Poco::Net::Context::PROTO_TLSV1_3;
     }
 
     extended_verification = config.getBool(prefix + Poco::Net::SSLManager::CFG_EXTENDED_VERIFICATION, false);
diff --git a/src/Server/TLSHandler.cpp b/src/Server/TLSHandler.cpp
index b0ed342c2512..c7debf0c9bec 100644
--- a/src/Server/TLSHandler.cpp
+++ b/src/Server/TLSHandler.cpp
@@ -82,6 +82,8 @@ DB::TLSHandler::TLSHandler(
             disabled_protocols |= Context::PROTO_TLSV1_1;
         else if (token == "tlsv1_2")
             disabled_protocols |= Context::PROTO_TLSV1_2;
+        else if (token == "tlsv1_3")
+            disabled_protocols |= Context::PROTO_TLSV1_3;
     }
 
     extended_verification = config.getBool(prefix + SSLManager::CFG_EXTENDED_VERIFICATION, false);

From 73c8ae4fada5edd20ec8d1c3b2cd756eda79833c Mon Sep 17 00:00:00 2001
From: Mikhail Koviazin
Date: Mon, 23 Mar 2026 12:26:25 +0100
Subject: [PATCH 2/2] minor comment fix

---
 base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h b/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
index 452cb7f60ff4..b93536e99336 100644
--- a/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -147,7 +147,7 @@ namespace Net
     /// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
     /// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
     /// - disableProtocols (string): A comma-separated list of protocols that should be
-    ///   disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2.
+    ///   disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3.
     /// - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
     ///   If not specified or empty, the default parameters are used.
     /// - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based