From a1587743641c5719f5b297971c0ed69e867f8241 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr>
Date: Fri, 6 May 2022 00:30:36 +0200
Subject: [PATCH 1/2] hackney adapter helper & reverse proxy client: enable
 TLSv1.3

The list of TLS versions was added by
8bd2b6eb138ace3408a03c78ecc339fc35b19f10 when hackney version was
pinned to 1.15.2. Later hackney version was upgraded
(166455c88441b22455d996ed528ed4804514a3c0) but the list of TLS
versions wasn't removed. From the hackney point of view, this list has
been replaced by the OTP defaults since 0.16.0
(734694ea4e24f267864c459a2f050e943adc6694).

It looks like the same issue already occurred before:
0cb7b0ea8477bdd7af2e5e9071843be5b8623dff.

A way to test this issue (where example.com is an ActivityPub site
which uses TLSv1.3 only):

   $ PLEROMA_CONFIG_PATH=/path/to/config.exs pleroma start_iex
   Erlang/OTP 22 [erts-10.7.2.16] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

   Erlang/OTP 22 [erts-10.7.2.16] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

   Interactive Elixir (1.10.4) - press Ctrl+C to exit (type h() ENTER for help)
   iex(pleroma@127.0.0.1)2> Pleroma.Object.Fetcher.fetch_and_contain_remote_object_from_id("https://example.com/@/Nick/")
   {:error,
    {:tls_alert,
     {:protocol_version,
      'TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version\n'}}}

With this patch, the output is the expected one:

   iex(pleroma@127.0.0.1)3> Pleroma.Object.Fetcher.fetch_and_contain_remote_object_from_id("https://example.com/@/Nick/")
   {:error,
   {:ok,
    %{
      "@context" => [
        "https://www.w3.org/ns/activitystreams",
        "https://w3id.org/security/v1",
        %{
          "Emoji" => "toot:Emoji",
          "Hashtag" => "as:Hashtag",
          "atomUri" => "ostatus:atomUri",
          "conversation" => "ostatus:conversation",
          "featured" => "toot:featured",
          "focalPoint" => %{"@container" => "@list", "@id" => "toot:focalPoint"},
          "inReplyToAtomUri" => "ostatus:inReplyToAtomUri",
          "manuallyApprovesFollowers" => "as:manuallyApprovesFollowers",
          "movedTo" => "as:movedTo",
          "ostatus" => "http://ostatus.org#",
          "sensitive" => "as:sensitive",
          "toot" => "http://joinmastodon.org/ns#"
        }
      ],
      "endpoints" => %{"sharedInbox" => "https://example.com/inbox"},
      "followers" => "https://example.com/@/Nick/followers",
      "following" => nil,
      "icon" => %{
        "type" => "Image",
        "url" => "https://example.com/static/media/[...].png"
      },
      "id" => "https://example.com/@/Nick/",
      "inbox" => "https://example.com/@/Nick/inbox",
      "liked" => nil,
      "name" => "Nick",
      "outbox" => "https://example.com/@/Nick/outbox",
      "preferredUsername" => "Nick",
      "publicKey" => %{
        "id" => "https://example.com/@/Nick/#main-key",
        "owner" => "https://example.com/@/Nick/",
        "publicKeyPem" => "[...]
      },
      "summary" => "",
      "type" => "Person",
      "url" => "https://example.com/@/Nick/"
    }}

A way to test the reverse proxy bits of this issue (where example.com allows TLSv1.3 only):

    iex(pleroma@127.0.0.1)1> Pleroma.ReverseProxy.Client.Hackney.request("GET", "https://example.com", [], [])
    {:error,
     {:tls_alert,
      {:protocol_version,
       'TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version\n'}}}
---
 lib/pleroma/http/adapter_helper/hackney.ex  | 4 ----
 lib/pleroma/reverse_proxy/client/hackney.ex | 1 -
 2 files changed, 5 deletions(-)

diff --git a/lib/pleroma/http/adapter_helper/hackney.ex b/lib/pleroma/http/adapter_helper/hackney.ex
index b4f2f0cc2..f3be1f3d0 100644
--- a/lib/pleroma/http/adapter_helper/hackney.ex
+++ b/lib/pleroma/http/adapter_helper/hackney.ex
@@ -24,10 +24,6 @@ defmodule Pleroma.HTTP.AdapterHelper.Hackney do
     |> Pleroma.HTTP.AdapterHelper.maybe_add_proxy(proxy)
   end
 
-  defp add_scheme_opts(opts, %URI{scheme: "https"}) do
-    Keyword.put(opts, :ssl_options, versions: [:"tlsv1.2", :"tlsv1.1", :tlsv1])
-  end
-
   defp add_scheme_opts(opts, _), do: opts
 
   defp maybe_add_with_body(opts) do
diff --git a/lib/pleroma/reverse_proxy/client/hackney.ex b/lib/pleroma/reverse_proxy/client/hackney.ex
index 41eaf06cc..d3e986912 100644
--- a/lib/pleroma/reverse_proxy/client/hackney.ex
+++ b/lib/pleroma/reverse_proxy/client/hackney.ex
@@ -7,7 +7,6 @@ defmodule Pleroma.ReverseProxy.Client.Hackney do
 
   @impl true
   def request(method, url, headers, body, opts \\ []) do
-    opts = Keyword.put(opts, :ssl_options, versions: [:"tlsv1.2", :"tlsv1.1", :tlsv1])
     :hackney.request(method, url, headers, body, opts)
   end
 

From 6f23fc8e08ae5a968cd9aa8dd8744e21ee9e3872 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr>
Date: Thu, 19 May 2022 02:12:55 +0200
Subject: [PATCH 2/2] Add tlsv1.3 to suggestions

---
 config/description.exs               | 2 +-
 test/pleroma/config_db_test.exs      | 5 +++--
 test/pleroma/docs/generator_test.exs | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/config/description.exs b/config/description.exs
index 704af8f68..7caad18b4 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -2726,7 +2726,7 @@ config :pleroma, :config_description, [
                 key: :versions,
                 type: {:list, :atom},
                 description: "List of TLS version to use",
-                suggestions: [:tlsv1, ":tlsv1.1", ":tlsv1.2"]
+                suggestions: [:tlsv1, ":tlsv1.1", ":tlsv1.2", ":tlsv1.3"]
               }
             ]
           }
diff --git a/test/pleroma/config_db_test.exs b/test/pleroma/config_db_test.exs
index ea44b716f..ba7c615e2 100644
--- a/test/pleroma/config_db_test.exs
+++ b/test/pleroma/config_db_test.exs
@@ -238,10 +238,11 @@ defmodule Pleroma.ConfigDBTest do
     end
 
     test "ssl options" do
-      assert ConfigDB.to_elixir_types([":tlsv1", ":tlsv1.1", ":tlsv1.2"]) == [
+      assert ConfigDB.to_elixir_types([":tlsv1", ":tlsv1.1", ":tlsv1.2", ":tlsv1.3"]) == [
                :tlsv1,
                :"tlsv1.1",
-               :"tlsv1.2"
+               :"tlsv1.2",
+               :"tlsv1.3"
              ]
     end
 
diff --git a/test/pleroma/docs/generator_test.exs b/test/pleroma/docs/generator_test.exs
index 92b4d13e4..5e41d6ccb 100644
--- a/test/pleroma/docs/generator_test.exs
+++ b/test/pleroma/docs/generator_test.exs
@@ -86,7 +86,7 @@ defmodule Pleroma.Docs.GeneratorTest do
           key: :versions,
           type: {:list, :atom},
           description: "List of TLS version to use",
-          suggestions: [:tlsv1, ":tlsv1.1", ":tlsv1.2"]
+          suggestions: [:tlsv1, ":tlsv1.1", ":tlsv1.2", ":tlsv1.3"]
         }
       ]
     },
@@ -213,7 +213,7 @@ defmodule Pleroma.Docs.GeneratorTest do
     test "suggestion for tls versions" do
       [%{children: children} | _] = Generator.convert_to_strings(@descriptions)
       child = Enum.at(children, 8)
-      assert child[:suggestions] == [":tlsv1", ":tlsv1.1", ":tlsv1.2"]
+      assert child[:suggestions] == [":tlsv1", ":tlsv1.1", ":tlsv1.2", ":tlsv1.3"]
     end
 
     test "subgroup with module name" do