From d92272abfcdd469346b2fa50a010ece9c6e3459e Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Tue, 20 Dec 2022 09:45:54 +0100
Subject: [PATCH] Explicit disable TLSv1.3 in the OpenSSL options if not supported

Motivation:

If TLSv1.3 is not supported we should set SSL_OP_NO_TLSv1_3 explicit to ensure we never "advertise" it.

Modifications:

Set SSL_OP_NO_TLSv1_3 if TLSv1.3 is not supported

Result:

Fixes https://github.com/netty/netty/issues/12968
---
 .../netty/handler/ssl/ReferenceCountedOpenSslContext.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
index 5ba5662cd8e..1fd8025e8bb 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -345,6 +345,12 @@ public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListene
 | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2;
 }
+ if (!tlsv13Supported) {
+ // Explicit disable TLSv1.3
+ // See https://github.com/netty/netty/issues/12968
+ options |= SSL.SSL_OP_NO_TLSv1_3;
+ }
+
 SSLContext.setOptions(ctx, options);
 // We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
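Review bot: The new `if (!tlsv13Supported)` branch masks TLSv1.3 silently: it ORs `SSL_OP_NO_TLSv1_3` into `options` without checking whether the caller's enabled-protocol list asked for TLSv1.3, so unless something before this hunk already rejects that configuration, an operator who configured TLSv1.3 only gets a context that quietly negotiates an older version instead of a failure. I would log at warn level when the requested protocols include TLSv1.3 and this branch disables it, and throw from the constructor when TLSv1.3 was the only protocol requested; the protocol-list handling that ends with `| SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2;` starts outside the hunk and how `tlsv13Supported` is derived is not visible, so treat that as a check to confirm rather than a defect I can prove from these lines. The new comment would also carry its reason better as `// Explicitly disable TLSv1.3 even when the caller's protocol list did not mention it: OpenSSL enables every version it knows by default, and we must never advertise a version this build does not support` followed by the issue link. The enclosing method begins and ends outside the hunk.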