From dc8ba080f7cc0240604317eab96e523d49df58c2 Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Fri, 5 Feb 2021 21:24:42 +0000
Subject: [PATCH 1/5] strip out options unsupported in TLS1.3 before listening on socket

---
 src/ranch_acceptors_sup.erl | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/ranch_acceptors_sup.erl b/src/ranch_acceptors_sup.erl
index 801fec5b5a..e51c4ce1d2 100644
--- a/src/ranch_acceptors_sup.erl
+++ b/src/ranch_acceptors_sup.erl
@@ -26,7 +26,8 @@ start_link(Ref, Transport, Logger) ->
 
 -spec init([term()]) -> {ok, {supervisor:sup_flags(), [supervisor:child_spec()]}}.
 init([Ref, Transport, Logger]) ->
- TransOpts = ranch_server:get_transport_options(Ref),
+ TransOptsTemp = ranch_server:get_transport_options(Ref),
+ TransOpts = strip_usupported_options(TransOptsTemp),
 NumAcceptors = maps:get(num_acceptors, TransOpts, 10),
 NumListenSockets = maps:get(num_listen_sockets, TransOpts, 1),
 LSockets = case get(lsockets) of
@@ -100,3 +101,20 @@ format_error(reuseport_local) ->
 "num_listen_sockets must be set to 1 for local sockets";
 format_error(Reason) ->
 inet:format_error(Reason).
+
+-spec strip_usupported_options(ranch:transport_opts(ranch_ssl:opts())) -> ranch:transport_opts(ranch_ssl:opts()).
+strip_usupported_options(#{socket_opts := SockOpts} = AllOpts) ->
+ case lists:keyfind(versions, 1, SockOpts) of
+ {versions, ['tlsv1.3']} ->
+ Intermediate1 = lists:keydelete(secure_renegotiate, 1, SockOpts),
+ Intermediate2 = lists:keydelete(reuse_sessions, 1, Intermediate1),
+ Intermediate3 = lists:keydelete(next_protocols_advertised, 1, Intermediate2),
+ NewSockOpts = lists:keydelete(alpn_preferred_protocols, 1, Intermediate3),
+ NewTransOpts = maps:update(socket_opts, NewSockOpts, AllOpts),
+ NewTransOpts;
+ _ ->
+ AllOpts
+ end;
+strip_usupported_options(AllOpts) ->
+ AllOpts.
+
From 4c8e58ffee9cda7d0cd60762a90cb9614afa8720 Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Fri, 26 Feb 2021 11:00:06 +0000
Subject: [PATCH 2/5] Revert "strip out options unsupported in TLS1.3 before listening on socket"

This reverts commit dc8ba080f7cc0240604317eab96e523d49df58c2.
---
 src/ranch_acceptors_sup.erl | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/src/ranch_acceptors_sup.erl b/src/ranch_acceptors_sup.erl
index e51c4ce1d2..801fec5b5a 100644
--- a/src/ranch_acceptors_sup.erl
+++ b/src/ranch_acceptors_sup.erl
@@ -26,8 +26,7 @@ start_link(Ref, Transport, Logger) ->
 
 -spec init([term()]) -> {ok, {supervisor:sup_flags(), [supervisor:child_spec()]}}.
 init([Ref, Transport, Logger]) ->
- TransOptsTemp = ranch_server:get_transport_options(Ref),
- TransOpts = strip_usupported_options(TransOptsTemp),
+ TransOpts = ranch_server:get_transport_options(Ref),
 NumAcceptors = maps:get(num_acceptors, TransOpts, 10),
 NumListenSockets = maps:get(num_listen_sockets, TransOpts, 1),
 LSockets = case get(lsockets) of
@@ -101,20 +100,3 @@ format_error(reuseport_local) ->
 "num_listen_sockets must be set to 1 for local sockets";
 format_error(Reason) ->
 inet:format_error(Reason).
-
--spec strip_usupported_options(ranch:transport_opts(ranch_ssl:opts())) -> ranch:transport_opts(ranch_ssl:opts()).
-strip_usupported_options(#{socket_opts := SockOpts} = AllOpts) ->
- case lists:keyfind(versions, 1, SockOpts) of
- {versions, ['tlsv1.3']} ->
- Intermediate1 = lists:keydelete(secure_renegotiate, 1, SockOpts),
- Intermediate2 = lists:keydelete(reuse_sessions, 1, Intermediate1),
- Intermediate3 = lists:keydelete(next_protocols_advertised, 1, Intermediate2),
- NewSockOpts = lists:keydelete(alpn_preferred_protocols, 1, Intermediate3),
- NewTransOpts = maps:update(socket_opts, NewSockOpts, AllOpts),
- NewTransOpts;
- _ ->
- AllOpts
- end;
-strip_usupported_options(AllOpts) ->
- AllOpts.
-
From 8aef9e6fc45ba9bfdb2edf340471acbe050462fe Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Fri, 26 Feb 2021 11:04:07 +0000
Subject: [PATCH 3/5] strip out options unsupported in TLS1.3 before listening on socket (moved from acceptors)

---
 src/ranch_ssl.erl | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index bdfd2e40b8..812d559dfa 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -129,7 +129,8 @@ do_listen(SocketOpts0, Logger) ->
 SocketOpts1 = ranch:set_option_default(SocketOpts0, backlog, 1024),
 SocketOpts2 = ranch:set_option_default(SocketOpts1, nodelay, true),
 SocketOpts3 = ranch:set_option_default(SocketOpts2, send_timeout, 30000),
- SocketOpts = ranch:set_option_default(SocketOpts3, send_timeout_close, true),
+ SocketOpts4 = ranch:set_option_default(SocketOpts3, send_timeout_close, true),
+ SocketOpts = strip_usupported_options(SocketOpts4),
 %% We set the port to 0 because it is given in the Opts directly.
 %% The port in the options takes precedence over the one in the
 %% first argument.
@@ -296,3 +297,18 @@ cleanup(#{socket_opts:=SocketOpts}) ->
 end;
 cleanup(_) ->
 ok.
+
+-spec strip_usupported_options(opts()) -> opts().
+strip_usupported_options(SocketOpts) ->
+ case lists:keyfind(versions, 1, SocketOpts) of
+ {versions, ['tlsv1.3']} ->
+ Intermediate1 = lists:keydelete(secure_renegotiate, 1, SocketOpts),
+ Intermediate2 = lists:keydelete(reuse_sessions, 1, Intermediate1),
+ Intermediate3 = lists:keydelete(next_protocols_advertised, 1, Intermediate2),
+ lists:keydelete(alpn_preferred_protocols, 1, Intermediate3);
+ _ ->
+ SocketOpts
+ end;
+strip_usupported_options(SocketOpts) ->
+ SocketOpts.
+
From 67d26b4dbaa3471131afb236aa2f55af77198964 Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Wed, 14 Apr 2021 14:33:00 +0100
Subject: [PATCH 4/5] check for protocol_versions in Socket Options, drop all occurrences of unsupported options

---
 src/ranch_ssl.erl | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

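Review bot: The second clause `strip_usupported_options(SocketOpts) -> SocketOpts.` in the new ranch_ssl function can never be reached: the first clause binds a bare variable and its `case` already ends in `_ ->`, so the compiler will warn that the clause cannot match (it is a leftover from the map-matching shape in PATCH 1, where the fallback was reachable). The trigger deliberately fires only on the exact list `['tlsv1.3']`, which is correct — a listener offering TLS 1.2 as well still needs these options — but that intent is not written down; a comment such as `%% Only a TLS 1.3-only listener rejects these options; with mixed versions ssl still uses them.` would prevent someone "fixing" it to a member test later. Please also record which OTP release rejects these options, since ALPN itself exists in TLS 1.3 and whether `alpn_preferred_protocols` must be dropped looks OTP-version dependent (confirm). PATCH 4 rewrites this body, so both points can be folded in there.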
diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index 812d559dfa..d00daa0dbf 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -130,7 +130,7 @@ do_listen(SocketOpts0, Logger) ->
 SocketOpts2 = ranch:set_option_default(SocketOpts1, nodelay, true),
 SocketOpts3 = ranch:set_option_default(SocketOpts2, send_timeout, 30000),
 SocketOpts4 = ranch:set_option_default(SocketOpts3, send_timeout_close, true),
- SocketOpts = strip_usupported_options(SocketOpts4),
+ SocketOpts = strip_unsupported_options(SocketOpts4),
 %% We set the port to 0 because it is given in the Opts directly.
 %% The port in the options takes precedence over the one in the
 %% first argument.
@@ -298,17 +298,19 @@ cleanup(#{socket_opts:=SocketOpts}) ->
 cleanup(_) ->
 ok.
 
--spec strip_usupported_options(opts()) -> opts().
-strip_usupported_options(SocketOpts) ->
- case lists:keyfind(versions, 1, SocketOpts) of
- {versions, ['tlsv1.3']} ->
- Intermediate1 = lists:keydelete(secure_renegotiate, 1, SocketOpts),
- Intermediate2 = lists:keydelete(reuse_sessions, 1, Intermediate1),
- Intermediate3 = lists:keydelete(next_protocols_advertised, 1, Intermediate2),
- lists:keydelete(alpn_preferred_protocols, 1, Intermediate3);
- _ ->
+-spec strip_unsupported_options(opts()) -> opts().
+strip_unsupported_options(SocketOpts) ->
+ Versions1 = lists:keyfind(versions, 1, SocketOpts),
+ Versions2 = lists:keyfind(protocol_versions, 1, SocketOpts),
+ if
+ (Versions1 == {versions, ['tlsv1.3']}) or (Versions2 == {protocol_versions, ['tlsv1.3']}) ->
+ NewSocketOpts = lists:filter(fun({X, _}) ->
+ (X /= secure_renegotiate) and (X /= reuse_sessions) and (X /= next_protocols_advertised) and (X /= alpn_preferred_protocols);
+ (_) ->
+ true
+ end, SocketOpts),
+ NewSocketOpts;
+ true ->
 SocketOpts
- end;
-strip_usupported_options(SocketOpts) ->
- SocketOpts.
+ end.
 
From 40c11ff1dd8c80f7e61c387e1b2003b9c81f8572 Mon Sep 17 00:00:00 2001
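Review bot: `protocol_versions` does not appear in the `opts()` type this function is specced against, and I am not aware of `ssl:listen/2` accepting an option by that name; if it is not a real ssl option the second half of the `if` condition is dead and should either go or get a comment naming where the option comes from. Style-wise, `if` with `or`/`==` and four chained `/=` tests reads better as `orelse`/`=:=` plus a membership test: `Unsupported = [secure_renegotiate, reuse_sessions, next_protocols_advertised, alpn_preferred_protocols],` and `lists:filter(fun({K, _}) -> not lists:member(K, Unsupported); (_) -> true end, SocketOpts)`, which also gives the warning added in PATCH 5 a single list to quote. The `(_) -> true` clause is what keeps bare-atom options (e.g. `binary`) in the list; a one-line comment saying so would stop it being removed as redundant.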
From: Adriana Gonzalez
Date: Wed, 14 Apr 2021 14:33:58 +0100
Subject: [PATCH 5/5] log warning for dropping TLS1.3-only unsupported Socket Options

---
 src/ranch_ssl.erl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/ranch_ssl.erl b/src/ranch_ssl.erl
index d00daa0dbf..4512d03821 100644
--- a/src/ranch_ssl.erl
+++ b/src/ranch_ssl.erl
@@ -309,6 +309,11 @@ strip_unsupported_options(SocketOpts) ->
 (_) ->
 true
 end, SocketOpts),
+ if
+ NewSocketOpts /= SocketOpts ->
+ error_logger:warning_msg("~p~n dropping options unsupported by TLS1.3-only ssl sockets: " ++
+ "secure_renegotiate, reuse_sessions, next_protocols_advertised and/or alpn_preferred_protocols from ~p~n", [?MODULE, SocketOpts])
+ end,
+ NewSocketOpts;
+ true ->
 SocketOpts
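Review bot: The added `if NewSocketOpts /= SocketOpts -> … end` has no `true ->` branch, so for any TLS 1.3-only listener whose options contain none of the four stripped keys the comparison is false and `do_listen/2` fails with `if_clause` instead of listening. The warning also prints the entire `SocketOpts` list with `~p`; ranch_ssl options can carry `{key, …}`, `{password, …}` and certificate material, which would then land in the log, so log only the keys that were actually dropped. `error_logger:warning_msg/2` also bypasses the `Logger` module that `do_listen(SocketOpts0, Logger)` already receives in PATCH 3 — routing the message through it (ranch has `ranch:log/4` for this; confirm in this tree) keeps logging consistent with the rest of the transport. The enclosing function starts above the hunk.
```erlang
	end, SocketOpts),
	%% Warn with the dropped keys only, never the full option list:
	%% it may contain key or password material.
	case SocketOpts -- NewSocketOpts of
		[] -> ok;
		Dropped ->
			error_logger:warning_msg("~p: dropping options unsupported by TLS1.3-only ssl sockets: ~p~n",
				[?MODULE, [K || {K, _} <- Dropped]])
	end,
	NewSocketOpts;
```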