Ak WIP - adding tls13 to default security policies

bindings/rust/s2n-tls-tokio/tests/common/mod.rs

@@ -5,7 +5,7 @@ use s2n_tls::{
     config,
     connection::Builder,
     error::Error,
-    security::{DEFAULT, DEFAULT_TLS13},
+    security::{self, DEFAULT_TLS13},
 };
 use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
 use std::time::Duration;
@@ -67,14 +67,14 @@ pub fn server_config() -> Result<config::Builder, Error> {
 
 pub fn client_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&security::Policy::from_version("20240502")?)?;
     builder.trust_pem(RSA_CERT_PEM)?;
     Ok(builder)
 }
 
 pub fn server_config_tls12() -> Result<config::Builder, Error> {
     let mut builder = config::Config::builder();
-    builder.set_security_policy(&DEFAULT)?;
+    builder.set_security_policy(&security::Policy::from_version("20240502")?)?;
     builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
     Ok(builder)
 }

bindings/rust/s2n-tls/src/testing/resumption.rs

@@ -66,11 +66,13 @@ mod tests {
     fn resume_session() -> Result<(), Box<dyn Error>> {
         let keypair = CertKeyPair::default();
 
+        let tls12_policy = security::Policy::from_version("20240502")?;
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
-            .load_pem(keypair.cert(), keypair.key())?;
+            .load_pem(keypair.cert(), keypair.key())?
+            .set_security_policy(&tls12_policy)?;
         let server_config = server_config_builder.build()?;
 
         let handler = SessionTicketHandler::default();
@@ -83,7 +85,8 @@ mod tests {
             .set_session_ticket_callback(handler.clone())?
             .trust_pem(keypair.cert())?
             .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
-            .set_connection_initializer(handler)?;
+            .set_connection_initializer(handler)?
+            .set_security_policy(&tls12_policy)?;
         let client_config = client_config_builder.build()?;
 
         // initial handshake, no resumption

default.diff

@@ -0,0 +1,17 @@
+diff --git a/default.old b/default.new
+index 5e6a085f9..90fc3254a 100644
+--- a/default.old
++++ b/default.new
+@@ -1,9 +1,11 @@
+-name: 20240501
++name: default
+ min version: TLS1.2
+ rules:
+ - Perfect Forward Secrecy: yes
+ - FIPS 140-3 (2019): no
+ cipher suites:
++- TLS_AES_256_GCM_SHA384
++- TLS_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

default.new

@@ -0,0 +1,34 @@
+name: default
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1

default.old

@@ -0,0 +1,32 @@
+name: 20240501
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): no
+cipher suites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- x25519
+- secp384r1
+- secp521r1

default_fips.diff

@@ -0,0 +1,17 @@
+diff --git a/default_fips.old b/default_fips.new
+index a06198b37..cbfab484f 100644
+--- a/default_fips.old
++++ b/default_fips.new
+@@ -1,9 +1,11 @@
+-name: 20240502
++name: default_fips
+ min version: TLS1.2
+ rules:
+ - Perfect Forward Secrecy: yes
+ - FIPS 140-3 (2019): yes
+ cipher suites:
++- TLS_AES_256_GCM_SHA384
++- TLS_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

default_fips.new

@@ -0,0 +1,48 @@
+name: default_fips
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): yes
+cipher suites:
+- TLS_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224

default_fips.old

@@ -0,0 +1,46 @@
+name: 20240502
+min version: TLS1.2
+rules:
+- Perfect Forward Secrecy: yes
+- FIPS 140-3 (2019): yes
+cipher suites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+curves:
+- secp256r1
+- secp384r1
+- secp521r1
+certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
+- legacy_ecdsa_sha224

docs/usage-guide/topics/ch06-security-policies.md

@@ -6,7 +6,7 @@ s2n-tls uses pre-made security policies to help avoid common misconfiguration mi
 
 ## Supported TLS Versions
 
-Currently TLS 1.2 is our default version, but we recommend TLS 1.3 where possible. To use TLS 1.3 you need a security policy that supports TLS 1.3.
+TLS 1.3 support is enabled by default.
 
 ### SSL 3.0, TLS 1.0, and TLS 1.1
 s2n-tls supports older versions, but their use is not recommended.
@@ -17,16 +17,21 @@ Compatibility with older versions of TLS may also require support for older ciph
 s2n-tls will not negotiate SSL 2.0, but will accept SSLv2 ClientHellos advertising a higher protocol version like TLS1.2. See the ["Compatibility with SSL 2.0"](https://datatracker.ietf.org/doc/html/rfc5246#appendix-E.2) section in the TLS 1.2 RFC.
 
 Compatibility with SSLv2 ClientHellos advertising TLS1.2 may require similar support for older ciphersuites as compatibility with older versions of TLS does. In particular, SSLv2 ClientHellos are likely to require support for SHA1 and either RSA or DHE key exchange. This is due to technical limitations of the SSLv2 ClientHello, which does not include TLS extensions.
+||||||| parent of 36abc9eef (wip: add tls13 to default)
+Currently TLS 1.2 is our default version, but we recommend TLS 1.3 where possible. To use TLS 1.3 you need a security policy that supports TLS 1.3.
+**Note:** s2n-tls does not support SSL2.0 for sending and receiving encrypted data, but does accept SSL2.0 hello messages.
 
 ### Chart: Security Policy Version To Protocol Version And Ciphersuites
 
 The following chart maps the security policy version to protocol version and ciphersuites supported.
 
 |    version    | TLS1.0 | TLS1.1 | TLS1.2 | TLS1.3 | AES-CBC | AES-GCM | CHACHAPOLY | 3DES | RC4 | DHE | ECDHE | RSA kx |
 |---------------|--------|--------|--------|--------|---------|---------|------------|------|-----|-----|-------|--------|
-|    default    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
-| default_fips  |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
+|    default    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
+| default_fips  |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 | default_tls13 |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+|   20240701    |        |        |    X   |    X   |    X    |    X    |      X     |      |     |     |   X   |        |
+|   20240702    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
 |   20240501    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
 |   20240502    |        |        |    X   |        |    X    |    X    |            |      |     |     |   X   |        |
 |   20240503    |        |        |    X   |    X   |    X    |    X    |            |      |     |     |   X   |        |
@@ -55,12 +60,11 @@ The following chart maps the security policy version to protocol version and cip
 The "default", "default_tls13", and "default_fips" versions are special in that they will be updated with future s2n-tls changes to keep up-to-date with current security best practices. Ciphersuites, protocol versions, and other options may be added or removed, or their internal order of preference might change. **Warning**: this means that the default policies may change as a result of library updates, which could break peers that rely on legacy options.
 
 In contrast, numbered or dated versions are fixed and will never change. The numbered equivalents of the default policies are currently:
-* "default": "20240501"
-* "default_fips": "20240502"
+* "default": "20240701"
+* "default_fips": "20240702"
 * "default_tls13": "20240503"
-For previous defaults, see the "Default Policy History" section below.
 
-"default_fips" does not currently support TLS1.3. If you need a policy that supports both FIPS and TLS1.3, choose "20230317". We plan to add TLS1.3 support to both "default" and "default_fips" in the future.
+For previous defaults versions, see the "Default Policy History" section below.
 
 "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates.
 Like the default policies, this policy may also change if the source RFC definition changes.
@@ -85,6 +89,8 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 |    default    |     X     |   X   |              |    X    |
 | default_fips  |     X     |   X   |              |    X    |
 | default_tls13 |     X     |   X   |              |    X    |
+|   20240701    |     X     |   X   |              |    X    |
+|   20240701    |     X     |   X   |              |    X    |
 |   20240501    |     X     |   X   |              |    X    |
 |   20240502    |     X     |   X   |              |    X    |
 |   20240503    |     X     |   X   |              |    X    |
@@ -120,6 +126,8 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 |    default    |     X     |     X     |    X   |
 | default_fips  |     X     |     X     |        |
 | default_tls13 |     X     |     X     |    X   |
+|   20240701    |     X     |     X     |    X   |
+|   20240702    |     X     |     X     |        |
 |   20240501    |     X     |     X     |    X   |
 |   20240502    |     X     |     X     |        |
 |   20240503    |     X     |     X     |    X   |
@@ -147,5 +155,6 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly
 ### Default Policy History
 |  Version   | "default" | "default_fips" | "default_tls13" |
 |------------|-----------|----------------|-----------------|
+|  v1.4.TODO   | 20240701  |   20247502     |    20240503     |
 |  v1.4.16   | 20240501  |   20240502     |    20240503     |
 |   Older    | 20170210  |   20240416     |    20240417     |

policy.new

@@ -0,0 +1,15 @@
+NEW
+
+                                   protocol                        security_policy
+
+                                | tls12  tls13  |  default  default_fips  default_tls13  default_tls12
+                                |               |
+ * non_fips:                    |               |
+ *   no_call:                   |          N    |     x
+ *   s2n_enable_tls13_in_test:  |          x    |     N
+ *   s2n_disable_tls13_in_test: |   x           |                                            N
+ *                              |               |
+ * fips:                        |               |
+ *   no_call:                   |          N    |               x
+ *   s2n_enable_tls13_in_test:  |          x    |               N
+ *   s2n_disable_tls13_in_test: |   x           |                                            N

policy.old

@@ -0,0 +1,16 @@
+OLD
+
+                                   protocol                        security_policy
+
+                                | tls12  tls13  |  default  default_fips  default_tls13  default_tls12
+                                |               |
+ * non_fips:                    |               |
+ *   no_call:                   |   x           |     x
+ *   s2n_enable_tls13_in_test:  |          x    |                             x
+ *   s2n_disable_tls13_in_test: |   x           |     x
+ *                              |               |
+ * fips:                        |               |
+ *   no_call:                   |   x           |               x
+ *   s2n_enable_tls13_in_test:  |          x    |                             x
+ *   s2n_disable_tls13_in_test: |   x           |               x
+