Re-add support for older TLS versions

bin/kibana

@@ -21,4 +21,4 @@ if [ ! -x "$NODE" ]; then
   exit 1
 fi
 
-NODE_ENV=production exec "${NODE}" --no-warnings --max-http-header-size=65536 $NODE_OPTIONS "${DIR}/src/cli" ${@}
+NODE_ENV=production exec "${NODE}" --no-warnings --max-http-header-size=65536 --tls-min-v1.0 $NODE_OPTIONS "${DIR}/src/cli" ${@}

docs/setup/settings.asciidoc

@@ -225,13 +225,13 @@ deprecated:[5.3.0,Replaced by `server.ssl.certificate`]
 
 `server.ssl.certificateAuthorities:`:: List of paths to PEM encoded certificate files that should be trusted.
 
-`server.ssl.cipherSuites:`:: *Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)
+`server.ssl.cipherSuites:`:: *Default: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT)
 
 `server.ssl.keyPassphrase:`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
 
 `server.ssl.redirectHttpFromPort:`:: Kibana will bind to this port and redirect all http requests to https over the port configured as `server.port`.
 
-`server.ssl.supportedProtocols:`:: *Default: TLSv1, TLSv1.1, TLSv1.2*  An array of supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
+`server.ssl.supportedProtocols:`:: *Default: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3*  An array of supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`.
 
 `status.allowAnonymous:`:: *Default: false* If authentication is enabled, setting this to `true` allows
 unauthenticated users to access the Kibana server status API and status page.

src/core/server/http/__snapshots__/http_config.test.ts.snap

@@ -21,6 +21,9 @@ Object {
   "rewriteBasePath": false,
   "ssl": Object {
     "cipherSuites": Array [
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_AES_128_GCM_SHA256",
       "ECDHE-RSA-AES128-GCM-SHA256",
       "ECDHE-ECDSA-AES128-GCM-SHA256",
       "ECDHE-RSA-AES256-GCM-SHA384",
@@ -60,14 +63,16 @@ exports[`with TLS should accept known protocols\` 1`] = `
 "[ssl.supportedProtocols.0]: types that failed validation:
 - [ssl.supportedProtocols.0.0]: expected value to equal [TLSv1] but got [SOMEv100500]
 - [ssl.supportedProtocols.0.1]: expected value to equal [TLSv1.1] but got [SOMEv100500]
-- [ssl.supportedProtocols.0.2]: expected value to equal [TLSv1.2] but got [SOMEv100500]"
+- [ssl.supportedProtocols.0.2]: expected value to equal [TLSv1.2] but got [SOMEv100500]
+- [ssl.supportedProtocols.0.3]: expected value to equal [TLSv1.3] but got [SOMEv100500]"
 `;
 
 exports[`with TLS should accept known protocols\` 2`] = `
 "[ssl.supportedProtocols.3]: types that failed validation:
 - [ssl.supportedProtocols.3.0]: expected value to equal [TLSv1] but got [SOMEv100500]
 - [ssl.supportedProtocols.3.1]: expected value to equal [TLSv1.1] but got [SOMEv100500]
-- [ssl.supportedProtocols.3.2]: expected value to equal [TLSv1.2] but got [SOMEv100500]"
+- [ssl.supportedProtocols.3.2]: expected value to equal [TLSv1.2] but got [SOMEv100500]
+- [ssl.supportedProtocols.3.3]: expected value to equal [TLSv1.3] but got [SOMEv100500]"
 `;
 
 exports[`with TLS throws if TLS is enabled but \`certificate\` is not specified 1`] = `"[ssl]: must specify [certificate] and [key] when ssl is enabled"`;

src/core/server/http/http_server.test.ts

@@ -543,7 +543,7 @@ describe('with defined `redirectHttpFromPort`', () => {
       ...config,
       ssl: {
         certificate: '/certificate',
-        cipherSuites: ['cipherSuite'],
+        cipherSuites: ['TLS_AES_256_GCM_SHA384'],
         enabled: true,
         getSecureOptions: () => 0,
         key: '/key',

src/core/server/http/ssl_config.ts

@@ -18,16 +18,14 @@
  */
 
 import { schema, TypeOf } from '@kbn/config-schema';
-import crypto from 'crypto';
-
-// `crypto` type definitions doesn't currently include `crypto.constants`, see
-// https://github.com/DefinitelyTyped/DefinitelyTyped/blob/fa5baf1733f49cf26228a4e509914572c1b74adf/types/node/v6/index.d.ts#L3412
-const cryptoConstants = (crypto as any).constants;
+import { constants as cryptoConstants } from 'crypto';
 
 const protocolMap = new Map<string, number>([
   ['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
   ['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
   ['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
+  // @ts-expect-error According to the docs SSL_OP_NO_TLSv1_3 should exist (https://nodejs.org/docs/latest-v12.x/api/crypto.html)
+  ['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
 ]);
 
 const sslSchema = schema.object(
@@ -51,6 +49,7 @@ const sslSchema = schema.object(
           schema.literal('TLSv1'),
           schema.literal('TLSv1.1'),
           schema.literal('TLSv1.2'),
+          schema.literal('TLSv1.3'),
         ])
       )
     ),