Support allowing TLS 1.3 only

src/cowboy.erl

@@ -52,11 +52,15 @@ start_clear(Ref, TransOpts0, ProtoOpts0) ->
 	-> {ok, pid()} | {error, any()}.
 start_tls(Ref, TransOpts0, ProtoOpts0) ->
 	TransOpts1 = ranch:normalize_opts(TransOpts0),
-	SocketOpts = maps:get(socket_opts, TransOpts1, []),
-	TransOpts2 = TransOpts1#{socket_opts => [
-		{next_protocols_advertised, [<<"h2">>, <<"http/1.1">>]},
-		{alpn_preferred_protocols, [<<"h2">>, <<"http/1.1">>]}
-	|SocketOpts]},
+	SocketOpts0 = maps:get(socket_opts, TransOpts1, []),
+	SocketOpts1 = case lists:keyfind(versions, 1, SocketOpts0) of
+		{versions,['tlsv1.3']} ->
+			SocketOpts0;
+		_ ->
+			[{next_protocols_advertised, [<<"h2">>, <<"http/1.1">>]} | SocketOpts0]
+	end,
+	SocketOpts = [{alpn_preferred_protocols, [<<"h2">>, <<"http/1.1">>]} | SocketOpts1],
+	TransOpts2 = TransOpts1#{socket_opts => SocketOpts},
 	{TransOpts, ConnectionType} = ensure_connection_type(TransOpts2),
 	ProtoOpts = ProtoOpts0#{connection_type => ConnectionType},
 	ranch:start_listener(Ref, ranch_ssl, TransOpts, cowboy_tls, ProtoOpts).

test/security_SUITE.erl

@@ -30,7 +30,7 @@ all() ->
 	cowboy_test:common_all().
 
 groups() ->
-	Tests = [nc_rand, nc_zero],
+	Tests = [nc_rand, nc_zero, tls1_3_only],
 	H1Tests = [slowloris, slowloris_chunks],
 	H2CTests = [
 		http2_data_dribble,
@@ -367,3 +367,13 @@ slowloris_chunks(Config) ->
 	{Headers, _} = cow_http:parse_headers(Rest),
 	{_, <<"close">>} = lists:keyfind(<<"connection">>, 1, Headers),
 	{error, closed} = raw_recv(Client, 0, 1000).
+
+tls1_3_only(Config) ->
+	doc("Confirm that we can start listening allowing TLS 1.3 only"),
+	TLSOpts0 = ct_helper:get_certs_from_ets(),
+	TLSOpts = lists:keystore(versions, 1, TLSOpts0, {versions, ['tlsv1.3']}),
+	ProtoOpts = #{
+		env => #{dispatch => init_dispatch(Config)}
+	},
+	{ok, _} = cowboy:start_tls(tls1_3_only, TLSOpts ++ [{port, 0}], ProtoOpts),
+	ok = cowboy:stop_listener(tls1_3_only).